Why no one wants DHS to play cyber mall cop

Mike Spinney is a senior privacy analyst at the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy.

The Homeland Security Department recently announced an initiative aimed at creating a more secure system of online identification. According to its Web site, the National Strategy for Trusted Identities in Cyberspace seeks to “improve cyberspace for everyone — individuals, private sector and governments — who conducts business online.”

That's certainly a noble goal. But the very existence of NSTIC begs two very important questions: Does protecting me and my fellow citizens while we transact business online fall within the department’s areas of responsibility? And does DHS truly believe it can do what the private sector, driven by a clear and compelling profit motive, has yet to successfully accomplish?

The answer to both questions is a resounding no. DHS should focus on doing what its name implies — protecting the homeland — and resist the urge to demote itself into the role of national cyber mall cop.

I say this not to demean the department, which shoulders a weighty load in addressing the manifold threats to our shores in this age of terrorism, but because any effort by DHS to create a voluntary trusted identity program is doomed to fail.

The recent experience and backlash associated with Real ID — rebuffed by the general public and legislatively rejected by 11 states before being scrapped — and high-tech passports — subject to ongoing criticism for their security vulnerabilities — demonstrate that the public is uneasy at best and at worst dead set against any attempts by the federal government to centralize identification in any form. Another national identification storm cloud is gathering on the horizon in the form of the Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment provision of pending immigration reform. With every attempt at using technology to track citizens, George Orwell’s shadow grows longer.

Conspiracy theories aside, lessons learned from the evolution of Social Security numbers into a de facto national financial credential — in spite of being prohibited by the law that created them for any use other than the management of Social Security benefits — should be enough to remind us of what can happen with a national identification program even when it is conceived with the best of intentions.

Of course, DHS would not be the first organization to fail at creating a broadly successful universal digital identifier. Devices such as smart cards and tokens have been in use for years and are effective for managing identity-based access to secure enterprise systems. But such technology works best in a single organization because cost and management issues temper their advantages in broader applications.

At the consumer level, where individuals might be using multiple identities for a broad range of applications, any secure identity system would need to take into account the highly complex vagaries of human behavior. Doing so successfully in the private sector would be a feat with a multibillion-dollar payday — and there’s plenty of money and brainpower being spent on that effort already.

Consider, too, the challenges DHS faces in successfully launching a trusted identity program when the agency lacks the trust of the general public. In the Ponemon Institute’s annual Privacy Trust Study of the United States Government, DHS ranked 70th among the 75 federal agencies studied. The Citizenship and Immigration Services agency and Customs and Border Protection agency, both of which are part of DHS, ranked 74th and 75th, respectively.

If DHS believes that a more secure online experience will enhance homeland defense, that goal would be better served by the creation of an educational program that makes people more aware of how to safely conduct online activities. When you get beyond the Beltway, you find that too many people are making unsafe decisions online not because the technologies and techniques are lacking but because they simply don’t know any better. If left to persist, public ignorance will be the downfall of any trusted identity strategy.