National Strategy for Trusted Identities in Cyberspace David Sinclair

What is NSTIC? Called for in President’s Cyberspace Policy Review (May 2009): a “cybersecurity focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.” Guiding Principles Privacy-Enhancing and Voluntary Secure and Resilient Interoperable Cost-Effective and Easy To Use NSTIC calls for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.” 7/3/2019

Fraud Statistics Identity Theft / Fraud Statistics Data Average number of U.S. identity fraud victims annually 11,571,900 Percent of U.S. households that reported some type of identity fraud 7 % Average financial loss per identity theft incident $4,930 Total financial loss attributed to identity theft in 2013 $21 billion Total financial loss attributed to identity theft in 2010 $13.2 billion Percent of Reported Identity Thefts by Type of Fraud Percent Reported Misuse of Existing Credit Card 64.1 % Misuse of Other Existing Bank Account 35 % Misuse of Personal Information 14.2 %

Head of Household Characteristic that Experienced Identity Theft Percent in Category The following represents the demographic of the head of household for which the fraud was reported. The corresponding percent is the total percent that reported a fraud inside the specific category. Age   18 – 24 8.5 % 25 – 34 7.6 % 35 – 49 7.9 % 50 – 64 7.3 % 65 + 4.3 % Race White Black / African American 5.2 % Hispanic 5.8 % American Indian / Alaska Native 6.1 % Asian / Hawaiian / Pacific Islander Two or More Races 11.6 % Marital Status Married 8 % Not Married 6 % Household Income - $7,500 5.3 % $7,500 – $14,999 4.8 % $15,000 – $24,999 4.6 % $25,000 – $34,999 6.0 % $35,000 – $49,999 6.6 % $50,000 – $74,999 $75,000 + 12.3 %

The Problem Today Usernames and passwords are broken Most people have 25 different passwords, or use the same one over and over Even strong passwords are vulnerable…criminals have many paths to easily capture “keys to the kingdom” Rising costs of identity theft 11.6M U.S. victims (+13% YoY) in 2011 at a cost of $37 billion 67% increase in # of Americans impacted by data breaches in 2011 (Source: Javelin Strategy & Research) A common vector of attack Sony Playstation, Zappos, Lulzsec, LinkedIn, among dozens of 2011-12 breaches tied to passwords. 7/3/2019

The Problem Today Identities are difficult to verify over the internet Numerous government services still must be conducted in person or by mail, leading to continual rising costs for state, local and federal governments Electronic health records could save billions, but can’t move forward without solving authentication challenge for providers and individuals Many transactions, such as signing an auto loan or a mortgage, are still considered too risky to conduct online due to liability risks 7/3/2019

The Problem Today Privacy remains a challenge Individuals often must provide more personally identifiable information (PII) than necessary for a particular transaction This data is often stored, creating “honey pots” of information for cybercriminals to pursue Individuals have few practical means to control use of their information 7/3/2019

Trusted Identities Provide a Foundation Economic benefits Improved privacy standards Enhanced security TRUSTED IDENTITIES Enable new types of transactions online Reduce costs for sensitive transactions Improve customer experiences Offer citizens more control over when and how data is revealed Share minimal amount of information Fight cybercrime and identity theft Increased consumer confidence 7/3/2019

January 1, 2016 Privacy-enhancing Secure Interoperable The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials for convenient, secure, and privacy-enhancing transactions anywhere, anytime. Privacy-enhancing Secure Interoperable Cost-effective and easy to use Apply for mortgage online with e-signature Online shopping with minimal sharing of PII Trustworthy critical service delivery Secure Sign-On to state website Security ‘built-into’ system to reduce user error Privately post location to her friends 7/3/2019

What Does NSTIC Call For? Private sector will lead the effort Federal government will provide support Not a government-run identity program Private sector is in the best position to drive technologies and solutions… …and ensure the Identity Ecosystem offers improved online trust and better customer experiences Help develop a private-sector led governance model Facilitate and lead development of interoperable standards Provide clarity on national policy and legal framework around liability and privacy Fund pilots to stimulate the marketplace Act as an early adopter to stimulate demand 7/3/2019

Key Implementation Steps Created an Identity Ecosystem Steering Group: Summer 2012 http://www.idecosystem.org/ NIST awarded 2-year grant to fund a privately-led Steering Group to convene stakeholders and craft standards and policies to create an Identity Ecosystem Framework Convene the Private Sector 5 pilots totaling $9.2M awarded September, 2012 Challenge-based approach focused on addressing barriers the marketplace has not yet overcome New FFO for 2013 pilots has 13 finalists; second FFO focused on states and government services Continued Support for Pilots Ensure government-wide alignment with the Federal Identity, Credential, and Access Management (FICAM) Roadmap New White House initiated effort to create a Federal Cloud Credential Exchange (FCCX) Government as an early adopter to stimulate demand 7/3/2019

FFO 2013-NIST-NSTIC-03 Purpose To support the study, evaluation, and increase in public knowledge about the pilots awarded through Federal Funding Opportunity 2013-NIST-NSTIC-02 NSTIC Pilots: Trusted Online Credentials for Accessing Government Services Cooperative Agreement Program. (More information on this FFO is available at http://www.nist.gov/nstic/20130415-20130411-2013-NIST-NSTIC-02FFO.pdf ). 7/3/2019

Partnership Fund for Program Integrity Innovation The Partnership Fund seeks innovative ideas for improving the stewardship of federal dollars to create an efficient, effective government model for the 21st century. Using funds appropriated by Congress, the Partnership Fund funds pilot projects and evaluations that test ideas for improving Federal Assistance Programs (e.g., SNAP, Medicaid) that are administered in cooperation with the states, or where Federal- state cooperation could otherwise be beneficial. Website: http://www.partner4solutions.gov/ 7/3/2019

Partnership Fund Success Measures Reducing improper payments Improving administrative efficiency Improving service delivery Protecting and improving program access for eligible beneficiaries 7/3/2019

References 2013-NIST-NSTIC-03: National Strategy for Trusted Identities in Cyberspace (NSTIC) Cooperative Agreement Program for the Evaluation of Pilots Using Trusted Online Credentials for Accessing Government Services Applicant's Webinar, Thursday, June 6, 2013, PowerPoint Presentation (PPTX) http://www.statisticbrain.com/identity-theft-fraud-statistics/

Thoughts / Questions Questions ???