Interesting People mailing list archives

an interesting analysis -- Panel Presses to Bolster Security in Cyberspace


From: David Farber <dave () farber net>
Date: Fri, 12 Dec 2008 02:48:17 -0500



Begin forwarded message:

From:
Date: December 12, 2008 2:35:44 AM EST
To: dave () farber net (David Farber)
Subject: Re: Panel Presses to Bolster Security in Cyberspace

Well, I guess it's OK to send to IP if you anonymize


> Can I send this to my IP list?


On Dec 9, 2008, at 7:47 PM,  wrote:

FYI, the report is here:
 http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf

In addition to the valid points that Xxxx  raises, I think it might
be valuable to discuss the privacy implications of the report's
recommendations regarding strong authentication.  The report recommends
that government agencies adopt strong means of authentication online.
They seem to be thinking of a smartcard, issued by the government, that
attests to the identity of the holder.  For instance, they mention the
DOD CAC card positively, and specifically mention a smartcard-based
approach.

The report makes two recommendations: (a) government agencies should use
this form of authentication; (b) the government should issue these cards
to everyone, and encourage online businesses and consumers to use them
in the ordinary course of business (maybe not for all transactions, but
for many transactions, particularly "high-risk transactions", whatever
that means).

Encouraging critical government agencies to adopt CAC-like cards seems
unobjectionable and sensible, particularly for government agencies
where penetration would have national security implications.  So part
(a) seems OK.  It's not a silver bullet; it's only a small part of the
security problem; it's not going to solve the security problems (for
instance, a CAC card doesn't help when a foreign hacker is able to break
into the computer of an authorized user), but it's a reasonable step.
It does raise the question why the existing IT managers haven't already
adopted this step (why does it take a huge panel of top policy advisors
to come up with this?), but as we know, government IT management is
troubled, so I guess there is nothing new there.

However, I'm not so enthusiastic about part (b).  I'm concerned by
the prospect of the government issuing "online identity cards" and
encouraging businesses and consumers to use them routinely for their
online transactions.  Will this end up helping companies and advertisers
better track customers and link their activities online?  Will this
become yet another national identity card?

It's not clear why the report wants to talk about securing e-commerce,
anyway.  The report claims to focus on national security; it's hard for
me to see any national security implications if consumers use their credit
cards to buy stuff from Amazon rather than using a government-issued
CAC card.  Why is this in scope for the report?

I'm not convinced the government should be meddling in e-commerce.
Don't the players already have plenty of incentive to provide the
right level of security -- not too much, not too little?  Currently the
standard way of buying things online is to use a credit card.  It's not
that there's any shortage of more secure ways to purchase things; it's
that credit cards provide the best mix of convenience and security.
Merchants and credit card issuers have plenty of incentive to adopt
stronger security, and they have tried a number of other alternatives,
but they've found that the costs of those other approaches exceed the
savings from better security.  So why should the government be meddling
with the market?  Why do we think that government pressure here is
going to be more efficient than letting market forces do their work?
Seems like the market is working OK, when it comes to the level of
authentication required for e-commerce online.

Also it's not clear how strong authentication is supposed to help make
online transactions more secure.  Amazon needs to know that if it ships
me the goods, it will get paid.  As long as it is paid, it shouldn't
really matter what my True Name is.  So what problem is an identity card
supposed to solve?  And if my computer gets hacked, how does an identity
card help?  With current smartcards, it doesn't -- it's still vulnerable
to man-in-the-middle attacks (e.g., where the attacker has compromised
my browser or my machine).

To the extent that there is a market failure in the e-commerce world,
I'd point my fingers at identity fraud, rather than payment fraud.
Identity fraud arises partly because of governmental subsidies for
privacy-invasive and insecure authentication methods (the government
issues everyone a
SSN, subsidizing use of an insecure identifier; the government allows
credit agencies to traffic in false or misleading information about
individuals without fear of liability; and the government allows banks
to take recourse against an individual for debts incurred by someone
else, even when the banks use authentication methods with known flaws,
like authenticating based on SSN: if someone else claims to be me and
asks the bank to loan them $1000, and the bank agrees, why should I
be liable?  but the banks get away with claiming that it's my problem).
But an identity smartcard isn't going to help with that, because the
financial incentives are aligned against the consumer.  And in any case,
identity fraud is not a national security issue.

Finally, I'm concerned about the second-order effects of widespread
deployment of identity cards.  I remember how when SSNs were initially
deployed, the government issued them with a promise that they would
only be used as an identifier for tax purposes, but now they have spread
to all sorts of other purposes -- and in addition, many companies have
taken advantage of universal governmental issuance of SSNs to require
their customers to provide their SSN if they want service.  For instance,
try to open a bank account, get electric service from a utility company,
or get cellphone service for the latest iPhone without showing your SSN.
So function creep seems inevitable.  If identity cards become widely
deployed, I think there's a good chance that some companies will start
to demand that all their customers provide an identity card, leaving
customers with no choice.  The report suggests that consumers ought
to have a choice whether to use their identity card online, but how is
the government going to enforce that if some companies start demanding
an identity card?  Why should the taxpayers subsidize deployment of an
identity card if a potential consequence is a diminishment of privacy
online?

It seems to me there is a reasonable argument that the government ought
to focus first on getting its own house in order: deploy identity cards
throughout key government agencies, show that it works well, and then
we can talk about whether it makes sense to issue them more broadly.
It may make sense to push for adoption of identity cards in certain key
industries (e.g., the power grid comes to mind), but not for everyday
use by ordinary citizens.

In summary, I would argue that more discussion is needed before the
government adopts a policy of encouraging broader use of identity cards
among the populace at large.  Encouraging certain government agencies
to deploy identity cards is one thing, but using the government to push
this idea to the rest of the country is a bigger deal.

--

P.S. I'll gripe about two other minor aspects of the report.  The report
claims that governmental regulation has spurred the use of stronger
recommendation for online banking, but I dissent on that.  The gov't
regulations encouraged adoption of "two-factor authentication", but
what banks actually deployed has serious flaws and is a far cry from
true two-factor authentication.  Basically, the banks found a loophole:
they use passwords + a personalized image, or passwords + a cookie that
is set after answering challenge questions.  These methods are much
cheaper than true two-factor authentication (like is used in Europe).
However recent studies have shown that these methods have serious security
flaws; neither method is substantially more secure against sophisticated
phishing attacks than single-factor authentication.  So to my thinking,
this should not be cited as an example of a success for government;
rather, to my mind, it's a failure that illustrates the difficulty of
achieving strong security through regulation.

Second, the report mentions the Council of Europe Convention on
Cybercrime positively as an example of international cooperation on
fighting cybercrime.  However, it doesn't mention that civil liberties
organizations strongly opposed that treaty, because its proposed
implementation in the US apparently allowed foreign countries to compel
US assistance in investigations, even when the "crime" is not a crime
in the US; and because the treaty encouraged data retention policies
that are deleterious to privacy.

Overall, I thought there were many positive aspects to the report,
but also some disappointments.




