Interesting People mailing list archives
an interesting analysis -- Panel Presses to Bolster Security in Cyberspace
From: David Farber <dave () farber net>
Date: Fri, 12 Dec 2008 02:48:17 -0500
Begin forwarded message: From: Date: December 12, 2008 2:35:44 AM EST To: dave () farber net (David Farber) Subject: Re: Panel Presses to Bolster Security in Cyberspace Well, I guess it's OK to send to IP if you anonymize > Can I send this to my IP list? On Dec 9, 2008, at 7:47 PM, wrote: FYI, the report is here: http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf In addition to the valid points that Xxxx raises, I think it might be valuable to discuss the privacy implications of the report's recommendations regarding strong authentication. The report recommends that government agencies adopt strong means of authentication online. They seem to be thinking of a smartcard, issued by the government, that attests to the identity of the holder. For instance, they mention the DOD CAC card positively, and and specifically mentions smartcard-based approach. The report makes two recommendations: (a) government agencies should use this form of authentication; (b) the government should issue these cards to everyone, and encourage online businesses and consumers to use them in the ordinary course of business (maybe not for all transactions, but for many transactions, particularly "high-risk transactions", whatever that means). Encouraging critical government agencies to adopt CAC-like cards seems unobjectionable and sensible, particularly for government agencies where penetration would have national security implications. So part (a) seems OK. It's not a silver bullet; it's only a small part of the security problem; it's not going to solve the security problems (for instance, a CAC card doesn't help when a foreign hacker is able to break into the computer of an authorized user), but it's a reasonable step. It does raise the question why the existing IT managers haven't already adopted this step (why does it take a huge panel of top policy advisors to come up with this?), but as we know, government IT management is troubled, so I guess there is nothing new there. However, I'm not so enthusiastic about part (b). I'm concerned by the prospect of the government issuing "online identity cards" and encouraging businesses and consumers to use them routinely for their online transactions. Will this end up helping companies and advertisers better track customers and link their activities online? Will this become yet another national identity card? It's not clear why the report wants to talk about securing e-commerce, anyway. The report claims to focus on national security; it's hard for me to see any national security implications if consumers use their credit cards to buy stuff from Amazon rather than using a government-issued CAC card. Why is this in scope for the report? I'm not convinced the government should be meddling in e-commerce. Don't the players already have plenty of incentive to provide the right level of security -- not too much, not too little? Currently the standard way of buying things online is to use a credit card. It's not that there's any shortage of more secure ways to purchase things; it's that credit cards provide the best mix of convenience and security. Merchants and credit card issuers have plenty of incentive to adopt stronger security, and they have tried a number of other alternatives, but they've found that the costs of those other approaches exceed the savings from better security. So why should the government be meddling with the market? Why do we think that government pressure here is going to be more efficient than letting market forces do their work? Seems like the market is working OK, when it comes to the level of authentication required for e-commerce online. Also it's not clear how strong authentication is supposed to help make online transactions more secure. Amazon needs to know that if it ships me the goods, it will get paid. As long as it is paid, it shouldn't really matter what my True Name is. So what problem is a identity card supposed to solve? And if my computer gets hacked, how does an identity card help? With current smartcards, it doesn't -- it's still vulnerable to man-in-the-middle attacks (e.g., where the attacker has compromised my browser or my machine). To the extent that there is a market failure in the e-commerce world, I'd point my fingers at identity fraud, rather than payment fraud. Identity fraud arises partly because of governmental subsidies for privacy- invasive and insecure authentication methods (the government issues everyone a SSN, subsidizing use of an insecure identifier; the government allows credit agencies to traffic in false or misleading information about individuals without fear of liability; and the government allows banks to take recourse against an individual for debts incurred by someone else, even when the banks use authentication methods with known flaws, like authenticating based on SSN: if someone else claims to be me and asks the bank to loan them $1000, and the bank agrees, why should I be liable? but the banks get away with claiming that it's my problem). But an identity smartcard isn't going to help with that, because the financial incentives are aligned against the consumer. And in any case, identity fraud is not a national security issue. Finally, I'm concerned about the second-order effects of widespread deployment of identity cards. I remember how when SSNs were initially deployed, the government issued them with a promise that they would only be used as an identifier for tax purposes, but now they have spread to all sorts of other purposes -- and in addition, many companies have taken advantage of universal governmental issuance of SSNs to require their customers to provide their SSN if they want service. For instance, try to open a bank account, get electric service from a utility company, or get cellphone service for the latest iPhone without showing your SSN. So function creep seems inevitable. If identity cards become widely deployed, I think there's a good chance that some companies will start to demand that all their customers provide an identity card, leaving customers with no choice. The report suggests that consumers ought to have a choice whether to use their identity card online, but how is the government going to enforce that if some companies start demanding an identity card? Why should the taxpayers subsidize deployment of an identity card if a potential consequence is a diminishment of privacy online? It seems to me there is a reasonable argument that the government ought to focus first on getting its own house in order: deploy identity cards throughout key government agencies, show that it works well, and then we can talk about whether it makes sense to issue them more broadly. It may make sense to push for adoption of identity cards in certain key industries (e.g., the power grid comes to mind), but not for everyday use by ordinary citizens. In summary, I would argue that more discussion is needed before the government adopts a policy of encouraging broader use of identity cards among the populace at large. Encouraging certain government agencies to deploy identity cards is one thing, but using the government to push this idea to the rest of the country is a bigger deal. -- P.S. I'll gripe about two other minor aspects of the report. The report claims that governmental regulation has spurred the use of stronger recommendation for online banking, but I dissent on that. The gov't regulations encouraged adoption of "two-factor authentication", but what banks actually deployed has serious flaws and is a far cry from true two-factor authentication. Basically, the banks found a loophole: they use passwords + a personalized image, or passwords + a cookie that is set after answering challenge questions. These methods are much cheaper than true two-factor authentication (like is used in Europe). However recent studies have shown that these methods have serious security flaws; neither method is substantially more secure against sophisticated phishing attacks than single-factor authentication. So to my thinking, this should not be cited as an example of a success for government; rather, to my mind, it's a failure that illustrates the difficulting of achieving strong security through regulation. Second, the report mentions the Council of Europe Convention on Cybercrime positively as an example of international cooperation on fighting cybercrime. However, it doesn't mention that civil liberties organizations strongly opposed that treaty, because its proposed implementation in the US appparently allowed foreign countries to compel US assistance in investigations, even when the "crime" is not a crime in the US; and because the treaty encouraged data retention policies that are deleterious to privacy. Overall, I thought there were many positive aspects to the report, but also some disappointments.
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- an interesting analysis -- Panel Presses to Bolster Security in Cyberspace David Farber (Dec 11)
- <Possible follow-ups>
- Re: an interesting analysis -- Panel Presses to Bolster Security in Cyberspace David Farber (Dec 12)