As promised, this is the first in a series of posts about particular proposals in the recent US cybersecurity report.
The first item of major interest to private companies is Recommendation 1.3, which focuses on strengthening authentication procedures:
"The next Administration should launch a national public-private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management."
This is low-hanging fruit—weak authentication is still a persistent weak spot in cybersecurity. But one challenge will be making sure any recommendations and legal requirements have been validated empirically. Case in point: For years, everyone assumed that forcing users to change passwords frequently would improve security. It was only more recently that researchers (and then employees at the FTC) began to doubt conventional wisdom and consider whether forcing frequent password changes is counterproductive. The lesson learned is that whoever comes up with stronger authentication standards needs to ensure that they really are stronger.
As part of this initiative, Action Item 1.3.2 recommends that the next administration should direct contractors and anyone using federal systems to use strong authentication systems. Such a simple goal, but such a huge undertaking: The portion of the economy attributable to government contracts is enormous. This will be a major project for companies.
But it's really Action Item 1.3.3 that piqued our interest. It suggests that the federal and state governments should play a role in validating identity for the private sector:
"The government should serve as a source to validate identity attributes to address online identity challenges...
The next Administration should create an interagency task force directed to find secure, user-friendly, privacy-centric ways in which agencies can serve as one authoritative source to validate identity attributes in the broader identity market. This action would enable government agencies and the private sector to drive significant risk out of new account openings and other high-risk, high-value online services, and it would help all citizens more easily and securely engage in transactions online."
If we're reading this right, this would mean that government entities would start taking responsibility for things like user-logins for private websites. It could be similar to the way that many websites and internet services let users log-in using their Facebook credentials rather than forcing users to create a unique digital identity for each website or service.
This would of course mean shifting the legal and economic burden of cybersecurity “upstream.” That's something we identified as an interesting theme of the report in our opening post.
Adopting a centralized, government-run authentication system would also raise novel legal questions. Would the government be liable if things went wrong? Or would it enjoy sovereign immunity? Would the government waive the immunity? And will private entities be willing to outsource their security to the government if the government doesn't waive immunity? It’s hard to say how these issues will play out, so private companies will need to watch this space carefully.