NSTIC 101 (wtf?)

Issue/Topic: NSTIC 101 (wtf?) (F1D)

Convener: Heather West & Jay Unger

Conference: IIW-East, September 9-10, 2010, Washington DC

Notes-taker(s): Joshua Gruenspecht

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Initial Discussion: Heather, Jay, Aaron Titus describe the process of the creation of the document to date. Created out of a White House policy review, intended to have the force of an executive directive. Authority derives from the executive order that created the review.

What is the content?

Heather/Jay: Unclear. May include government access using third-party credentials, may include third-party access using government credentials. It’s a very objectives-level document.

Will they be continuing to revise the document?

Aaron/Jim/Heather: Yes, although continued comment may not be welcome. They’ve been burned by the first round of comments through Ideascale. A lot of useless feedback, plus a lot of pushback from civil liberties groups.

Who’s responsible for this document (and why aren’t they here)?

Aaron/Heather: The Cybersecurity Office in the White House (and we tried!).

What changes can we expect?

Heather/Aaron: Probably fewer questionable examples full of hand-waving. Everything else is unclear.

What agency is likely to end up with the responsibility for this?

Jens: I hear three possibilities: Homeland Security, GSA, Commerce (NIST).

Third parties and their responsibility

Aaron: Problem with third-party IdPs and data custodians as well – namely, ensuring that if third parties are used as parties in the transactions between citizens and government, they don’t then sell that data to others. Jim/Heather: According to NSTIC, players in the ecosystem will be responsible for ensuring some (presumably low) level of privacy protection.

Is this a useful thing? What one change could make this more successful?

Nathan: There isn’t one! Jay: If this is a step toward the government taking an “encouragement” role, then that, at least, is a positive thing. Heather: If the government is agreeing to be a relying party in transactions, that may be the very best thing that it can do. Myisha: Just agreeing upon rules of the road to satisfy all the lawyers everywhere would be a big step. Jim: Liability doesn’t need to be limited, it needs to be allocated in the first place.

More about liability

Jens: One real problem that this doesn’t address is reputation loss – an FDIC model for identity may not cut it. Myisha: We may need multiple levels of reliability in ID provision so that we can have multiple levels of reliance, risk, and liability. Jay: In order for this to work, there must be a business model that does not rely on the resale of people’s information.

Where is the money going to come from?

Nathan/Myisha/Jim/etc.: The key questions for government money are – Will this get into the 2012 budget? Will all, some, or none of the money requested make it in? Jim/Jay: Then, we’d need to get into the business model questions – Can we tier by LOA?

What changes should we, the identity-interested community, request?

Jay: A clearer, shorter document with more participation. Barb: Why don’t we act as an advisory group? Heather/Aaron: We can’t, because of ethics rules, and they’re receiving so much information anyway that they can’t distinguish signal from noise. Plus, we’re rushing toward their October deadline.