Senior Executive Advisor for Identity Management
National Institute of Standards and Technology
Transcript: Chamber of Commerce, April 15, 2011, Launch of the National Strategy for Trusted Identities in Cyberspace
The National Strategy for Trusted Identities in Cyberspace is an important outgrowth of the Obama administration’s cyberspace policy review and its pursuit of a smart and practical approach to securing America's economic and national security.
What underpins the Chamber’s enthusiasm for today's event? Well, we recognize that the strength of our free enterprise system is directly tied to the prosperity and security of the Internet. The Internet, a global engine of creativity and economic growth, is responsible for roughly $10 trillion in annual online transactions. Thank you to Secretary Locke for that figure. However, passwords—basically our tickets to the web—can be inconvenient and very insecure. As you know, ID thieves can guess or steal your passwords or pretend to be you online. Online fraud and identity theft put economic growth and job creation at risk and creates problems for businesses and consumers alike. As more and more of our daily activities, from paying bills, to shopping, to texting your friends, communicating with colleagues, all of that is moving online and we want those activities to be safe, secure and trustworthy. In a nutshell, we want that sum of $10 trillion to continue to grow.
The Strategy proposes building a voluntary system, an identity ecosystem, if you will, where consumers and businesses conduct transactions with greater confidence in each other and the infrastructure that the transactions take place on. Though there's still much work to be done, the NSTIC excites me and others because one, it will be driven by the private sector with collaboration with our government partners. It will be voluntary. The focus will be on providing consumers and businesses choice in how they authenticate online. It recognizes that numerous cybersecurity efforts impact the security of online transactions and trusted digital identities are only one part of a smart and layered approach to security in cyberspace. So today, this morning, first we'll hear from Commerce Secretary Locke and then Homeland Security Deputy Secretary Lute. Director Sperling of the NEC, contrary to what your agenda says, will be joining us a bit later this morning, so we may need to improvise a little bit, so bear with us. We'll have a panel and NIST’s Jeremy Grant will lead that discussion on the NSTIC with colleagues from CDT, Harvard, Pay Pal and Google. Thank you for being here. They'll take questions from the audience and the media, so get those questions ready. And following the panel we'll hear from Howard Schmidt, the White House’s cybersecurity coordinator, as well as Senator Mikulski. We encourage you to stay and mingle for a few minutes after the presentations. It is Friday, after all, so check out the great exhibits at the back of the room.
Without further ado, I'm very pleased to introduce our first speaker, Commerce Secretary Locke. Secretary Locke, as you know, joined the Administration in March of 2009 after serving as Washington State’s governor. He's been President Obama's point person for advancing the Administration's efforts to double U.S. exports. The Chamber wants to recognize your leadership on export control modernization as well as your efforts to boost U.S. trade in emerging markets such as China, India and Brazil. The Chamber appreciates your efforts to hear from U.S. business leaders on a regular basis. Thank you, Secretary. From a cybersecurity standpoint, we appreciate the Internet Policy Task Force's outreach to the private sector on cybersecurity, innovation and the Internet economy as well. Unfortunately, Secretary Locke won't be with us for very long. As all of you probably know, President Obama has nominated him to be our next ambassador to China and I understand that you have joined us on a break from ambassador school, so thank you very much. We're very pleased to have you here with us this morning. Please give a warm welcome to Secretary Locke. [Applause]
Well, thank you very much, Ann, for the introduction. Wow, it's really great to see so many people here, and I want to thank the U.S. Chamber for hosting this very important event and this discussion. I also want to welcome the many innovators, the trade associations, the companies, the consumer advocates that are represented here as we mark another important milestone on our mission to build a more secure online environment.
President Obama has made innovation a centerpiece of his economic agenda and there is perhaps no segment of the economy that has seen more innovation than IT and the Internet. Fifteen years ago, we saw the dawn of the commercial Internet. Flash forward to the year 2011 today. Nowadays, the world does an estimated, as Ann indicated, $10 trillion of business online and nearly every transaction you can think of can be done over the Internet.
Consumers paying their utility bills from smart phones; people downloading movies, music and books online; companies from the smallest local store to the largest multi-national corporation ordering goods, paying vendors and selling to customers all around the world over the Internet. U.S. companies have led every stage of the Internet revolution, from web browsing and e-commerce technology, to search and social networking.
But at critical junctures, the U.S. government has helped enable and support private-sector innovation in the Internet space. In the early 1990s, the government opened the door for commercialization of the net. In the late 1990s, the government's promotion of an open and public approach to Internet policy helped ensure that the net could grow organically and that companies could innovate freely. Recently, we've promoted the roll out of broadband facilities and new wireless connections in remote parts of the country.
Today we take another major step, this one to ensure that the Internet's security features keep up with the many different types of online transactions that people are engaged in. The fact is that the old user name and password combination that we often use to verify people is no longer good enough. And, in fact, it's so cumbersome, constantly having to change these passwords and having to keep so many somewhere stored that you often times forget, misplace them, and maybe lose them and make it vulnerable to theft. It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft.
And this is why the Internet still faces something of a trust issue and why it cannot and will not reach its full potential, commercial or otherwise, until users and consumers feel more secure than they do today when they go online.
President Obama recognized this problem long ago, which is why the Administration's cyberspace policy review called for the creation of an identity ecosystem. An identity ecosystem where individuals and organizations can complete online transactions with greater confidence and where they can trust the identities of each other and the integrity of the systems that process those transactions. And I'm proud to announce that the President has signed, and that today we are publishing, the National Strategy for Trusted Identities in Cyberspace, or NSTIC.
The strategy is the result of many months of consultation with the public, including innovators and private-sector representatives like you in the audience right now. I'm optimistic that NSTIC will jumpstart a range of private-sector initiatives to enhance the security of online transactions.
This strategy will leverage the power and the imagination of entrepreneurs in the private sector to find uniquely American solutions. Because other countries have chosen to rely on government-led initiatives to essentially create national ID cards, we don't think that's a good model. And despite what you might have read on blogs frequented by the conspiracy theory set, to the contrary, we expect the private sector to lead the way in fulfilling the goals of NSTIC.
Having a single user of identities creates unacceptable privacy and civil liberties issues. We also want to spur innovation, not limit it. And we want to set a floor for privacy protection that is higher than we see today, without placing a ceiling on the potential of American innovators to make additional improvements over time. Behind you are a number of firms exhibiting technologies and applications that can make a real difference in our future, and some are already out in the market already. At the end of today's event, I just really hope that you'll take an opportunity to see all of them, but let me take a minute to highlight two in particular.
You know, each year, medical researchers make discoveries that save lives and improve the well-being of those afflicted with disease. Part of this rigorous scientific research is the review and approval of clinical trials, such as the cancer therapy evaluation program run by the National Institutes of Health. To conclude these trials, paper signatures are needed for approvals at every turn. And this adds hundreds of dollars of cost and, more importantly, weeks of time that could be better spent getting patients into treatments more quickly.
But the system has been stuck in paper, as the world moves digital, for a very simple reason, because there has been no reliable way to verify identity online. Passwords just won't cut it here, and they are too insecure and the stakes too high to risk fraud. The good news is that today NIH has come together with private-sector groups, including patient advocates, researchers and pharmaceutical firms, to eliminate this inefficient paper system through a new identity technology that enables all sides to trust the transaction.
With trusted identities, patients can be enrolled more quickly in potentially lifesaving therapy programs, saving hundreds of dollars per transaction and trusted identities enable trials to run faster, researchers to spend more time in the lab and a faster and cheaper way to move new therapies from the lab to treating cancer patients.
At the other end of the identity spectrum, we have the scourge of ID and data theft, with phishing schemes being among the most prevalent. Every second, phishing e-mails show up in people's inboxes asking unwitting consumers to type their user name and password into a fraudulent site. Kimberly Bonnie of Bethesda, who planned on being here today, was victimized by one of those schemes last year. She received an e-mail that she thought was from her Internet service provider telling her that her account was in danger of being closed. And the e-mail asked her to provide her password, which she did.
Then her coworkers, fellow members of her church and her landlord began receiving e-mails that appeared to be from her, stating that she was stuck overseas and needed a $2,800 loan to fly back home. It was, of course, a fraudulent e-mail. Kimberly had become one of the 8.1 million Americans who were victims of identity theft or fraud last year. And these crimes cost us some $37 billion a year. But companies are introducing technologies that can help us turn the tide.
At least one leader in the U.S. technology sector has come up with a simple solution to stop scammers from accessing their customers' accounts with just a stolen password. They've recently rolled out a simple tool where verification codes are sent over mobile phone networks to a user's smart phone or wirelessly connected computer and when they want to access their online accounts, they have this additional and incredibly simple layer of protection. I urge you to take a walk around and see these displays and see for yourself how stronger identification technology can protect against identity theft and cyber crime.
This is a difficult challenge. We're trying to improve security and convenience and privacy all at once. That's why it's so important that we're leveraging the power and the imagination of private-sector entrepreneurs. And the Commerce Department, led by Jeremy Grant at our National Institute of Standards and Technology, is staffing up to facilitate and encourage these private-sector efforts. And I'm looking forward to learning of your future successes. Our family is eager to use your technologies as consumers and as private individuals. And perhaps you can send me an e-mail, an authenticated e-mail, describing those successes to my new e-mail address at the U. S. embassy in China. That is, Senate willing.
But thank you again for your support. Keep up the great work. There is an urgent need for what you're all engaged in. And we look forward to your quick results and quick progress. Now let me turn it over to Jane Lute who is our Deputy Secretary at the Department of Homeland Security. Jane has over 30 years of military and senior executive experience, having served at the United Nations, on the National Security Council and in the U.S. Army. She understands how integral cybersecurity is to our national security as well as to our economic security. Now let's bring her up, for her, to hear some thoughts from Jane. Thank you very much. [Applause]
Well, Secretary Locke has given us an awful lot to think about, and I know you have a lot you want to talk about. And Homeland Security is extremely pleased and privileged to be joining with the Department of Commerce and the U.S. Chamber and the vendors that you see here and many of the agency's offices and enterprises that are represented in this room.
Two years ago when we began the Administration and began our work in homeland security, we knew we were not beginning the nation's work on cybersecurity. One of the things that we wanted to do at DHS was to integrate the work on cybersecurity with the overall effort to help build a safe, secure, resilient place where the American way of life can thrive and so two of the missions of preventing terrorism: securing our borders, enforcing our immigration laws and building national resilience, we established a mission and called out the importance of ensuring the nation's cybersecurity and we're here all today because of the critical importance of this mission.
We see cybersecurity is an important aspect of a safe and secure homeland where our way of life can thrive. The Internet is an engine of immense wealth creation, a force for openness, transparency, innovation and freedom. It is, in essence, a civilian space, if not always to each of us every day quite a civil space. It is, nevertheless, a civilian space. It is the very endoskeleton of modern life, and no single actor has the capability to secure this distributed and largely privately owned space. Nor would that be desirable.
Government, the private sector and individuals all share in the responsibility for keeping cyberspace secure. We have to work towards that security with solutions that enable innovation and prosperity, as Secretary Locke has said, and that are designed from the start to protect openness, enhance privacy and protect civil liberties. Indeed, few changes would be more profound than the broad adoption of voluntary, interoperable, privacy-enhancing authentication. The NSTIC is a cornerstone of this approach. It has the potential to change the game and how we authenticate ourselves and when we need to.
We know that the challenge of security in cyberspace really only requires that we do two things: secure our information and secure our identities. The rest, as a great voice of another time and another age for another reason said, “the rest is commentary.” We only need to secure our information and our identities, reliably every time. The NSTIC underscores this tenant and another fundamental tenant of our approach at Homeland Security, which is, where the market is capable of acting more speedily and effectively, it should be empowered to do so.
As you may be aware, we've recently published a paper on this point called “Enabling Distributed Security in Cyberspace,” which looks at how prevention and defense can be enhanced through three security building blocks: automation, interoperability and authentication. We really are aiming for a broadly distributed system of automated self help where smart users and smart machines supported by smart networks and reinforced with the kind of enabling standards and capabilities allow that to happen, as we say, at network speed.
This is an aspect of cyberspace where industry will continue to build the tools. The challenge and the role of government is to bring players together. At its broadest, the NSTIC asks: In cyberspace, can we still rely on our trust in each other? The goal here is confidence, not centralized control. It's about enabling trust. We have the ability to do this in cyberspace, we just need to put it together And again, this is a shared responsibility. We need strong, functional partnerships between governments, industry, advocacy groups, including those for privacy, security and broadly we must include the public.
We must also support strong relationships between federal agencies like the Department of Homeland Security and the Department of Commerce, including the Department of Defense. We each have a role in cybersecurity and in this case, enabling the role of government here, rightfully sits in the Department of Commerce. Together, we must focus on innovating solutions to combat identity theft and online fraud. We know in this area where the private sector can and should lead, and we know that we have to raise the bar on privacy and security from where they are today.
That's what the President has called on us to do with NSTIC and that's why we all are here, you and I, and that's why we do what we do in Homeland Security every day, because it is impossible to imagine a safe, secure, resilient homeland without a safe, secure and resilient cyberspace where the American way of life can thrive. Thank you. [Applause]
Thank you, Secretary Lute. And thank you, Secretary Locke. We appreciate you being here today. Now I'd like to ask our panel to come up and get miked up and let me introduce to you Jeremy Grant. I'm very pleased to introduce Jeremy. We've had the good fortune to work with him over the past several months. He's the Senior Executive Advisor for ID Management at the National Institute for Standards and Technology. As many of you know, Jeremy was tapped to manage the establishment of a national program office for National Strategy for Trusted Identities in Cyberspace, the NSTIC. He has been in his new role only for a few weeks and has certainly hit the ground running. Jeremy comes to NIST with a background in identity and cybersecurity issues, having served in a range of leadership positions spanning government and industry. So we are in good hands with him. And at this point I will turn it over to you, Jeremy, thank you.
Thank you, Ann, and thanks very much to the Chamber for the support that they've provided today in hosting this event for us. It's very exciting for us to be able to be here today. As the strategy which we have just released makes clear, the leadership of the private sector is going to be incredibly important in helping to fulfill the vision of an identity ecosystem where all Americans can engage in transactions online that are safer, more privacy-enhancing and adding more convenience. And we'll look forward to working with the Chamber a lot of its members as we try to move that vision forward.
With us today, and I’ll do some quick introductions while everybody’s getting miked up, are a couple of folks who do come from industry, along with a couple of folks who have long been very effective advocates in the privacy community. I’ll start with the industry folks. To my right is Eric Sachs who is the product manager for Google security team, the counterpart to Google CIO. He's helped build a number of major systems at Google, including Google accounts, Google Health, orca.com. He also provides a lot of leadership in the standards community for standards like Open ID and OAuth.
Just next to him is Andrew Nash who is the Senior Director of Identity Services at Pay Pal. He'd previously been CTO at Senoa Systems and Reactivity. In a prior life he was director of technologies at RSA security, worked on a wide range of identity systems, including with the Liberty Alliance, a strong authentication expert group, and we're pleased to have him here today.
Next to me here is Susan Landau who is currently a fellow at the Radcliff Institute for Advanced Study at Harvard University. Her new book, Surveillance or Security? The Risks Posed by New Wiretapping Technologies, has just been published by MIT press. Susan serves on the Computer Science and Telecommunications Board of the National Research Council, as well as the Advisory Committee for NSF’s Directorate for Computer and Information Science and Engineering. She also is a member on the Commission of Cybersecurity for the 44th presidency.
And finally, Leslie Harris is president and CEO for the Center for Democracy and Technology where she is responsible for the overall vision and direction of the organization and serves as its chief strategist and spokesperson. Leslie’s known widely for her work on policy issues related to civil liberties, new technologies and the Internet, including free expression, government consumer privacy, cybersecurity and global Internet freedom. So, thank you, all of you, for being here today.
I do want to start with a question--I have a couple of questions to get things started off and then we will open things up to the audience, and I will be the moderator. So a question for both Leslie and Susan. You’ve both been working at the intersection of technology security and privacy for a long time. Both working to ensure privacy is not an afterthought as the other two advance. I wonder if each of you, starting with Leslie, could give some opening thoughts as to how well NSTIC balances each of these three.
Thank you, Jeremy. I think NSTIC certainly sets out--it’s funny, I'm usually too quiet; that sounds very loud. It definitely sets out the right vision here because it gives consumers more control and more choice on their online identities. It makes clear that it's voluntary. It makes clear that consumers can have one or more choices. It leaves a strong space for anonymous speech, which I think is critical. And it puts the private sector rather than the government in the driver's seat for developing this. So, you know, as the Secretary said, this meme about, about somehow, some kind of a government ID, NSTIC is, in my view, exactly the opposite of that. From a consumer perspective, when we're juggling all of these IDs and online passwords, at the same time we're giving more and more information to more and more sites. We're using some of these passwords on multiple sites, and we really have sort of no framework, no trust framework for those transactions. So I think that there's no doubt that the vision is right. You look around the room at these technologies and others that I'm familiar with and you understand the innovation in the ID space is extraordinary. I think what this really is it's a question of whether or not industry can step up now and do the two things that are critical. One is clearly a serious governance model that has a trust framework in it that, you know, is going to bind all the parties in a way that's protective of privacy. I think that is absolutely critical, and I think that the government's role in that is also to have sort of the convening power and bully pulpit to make sure that we can stand something up here that consumers can trust.
So, I want to start by saying I'm delighted that NIST is the one that’s responsible for identity management. I was in the crypto wars in the 1990s and it took a long time before it actually really happened that NIST was in charge and we ended up with the advanced encryption standard and other standards that have seen worldwide adoption. NIST knows how to work with industry and NIST knows how to work internationally and that's really important in this domain. So I'm really pleased by that. I'm really pleased by the emphasis, as Leslie is, on privacy and the explicit call out to anonymity because there are many instances on the network where people sort of want to be anonymous. We know that any time you have to register to see something, all you have to do is type your name and your e-mail, registration viewing drops by half, immediately. So that support for anonymity is really good to see from the government.
I thought the NSTIC was a little enthusiastic and rosy about how easy it was going to be to secure browsers. There've been events in the last few weeks that made me doubt this even more. But there were two things that I wanted to push on within the NSTIC. There are hints of it, but I want to see it much more strongly. The first is identity management federation, which is the idea that, you know, the NSTIC is very clear, there will be different levels of authentication, and you'll have perhaps different identity providers for the different levels of authentication. But what you also want is potentially several identity providers within a level. Maybe I want to collect, you know, United points when I use the United identity provider at level two and I want to get free shipping when I’m using the Beans provider. Of course, we’re not actually going to use beans and united, but you understand the analogies. And I want to see much more support for identity federation. It’s better for privacy, it’s better for security if you have multiple identity providers even within a level, and they federate with each other. Sometimes I want to do my business over here and sometimes I want to do it over here, but I want to be able for these two to communicate about me, but pseudo anonymously at times. So I'd like to see more support there, and that can be in terms of how the federal government actually chooses to deploy things and push on identity federation.
And what has happened is that companies are actually racing to the top. They see somebody get in trouble with the FTC and they say, uh-oh, I better do not what they do, but the FTC next time is going to move to here, I better move over there first. And so I would like to see more push from the FTC and more push from the government. That's slightly hinted in the document, but I'd certainly like to see that policy move forward that way.
Thanks, Susan. I appreciate the comments and we definitely look forward to working with you and Leslie as we move forward on the implementation side. Now I want to turn to folks on the other side of me. Eric Sachs with Google and Andrew Nash with Pay Pal. Each of you come at identity from a slightly different angle, since each of your companies have their own business models, but with a real common focus on how to ensure trusted transactions for your customers. What are the biggest challenges, if you could talk for a couple of minutes about that you each face in this task, and how do you think the NSTIC could help.
[Sachs] So we gave the example before of the poor lady Secretary Locke mentioned whose account was phished and other e-mail was sent out from her. Well, we're an email provider; those emails went out from our account. Not only was this user's friends impacted, but imagine that lady was storing all of her photos in a Google photo service and her password was changed. How does she get access to them. We frequently get people who call up Google, “My account has been hacked. Please help me get back in. You have a lifetime worth of my photos.” How do you put a value on that? We want to make sure that doesn’t happen to people. And over the last few years, we've tried to put all of the work honestly on the users. Users don't get phished, users don’t, you know, type your passwords in the wrong place. Users don’t type the same passwords on multiple websites.
I can't tell that to my family with a straight face. So what we're now working on as an industry to do is go to website operators and say, Website operators, you know what? Get out of the business of asking users for their passwords. There are other options. We can give users the option. Pick an identity provider when you go and visit an e-commerce site, whether it’s a Google, a Pay Pal, a Facebook, etc. Have them go to these identity providers where we, you know, use certification mechanisms. NIST has reviewed some of the techniques we have used. We have trust frameworks so website operators know what identity providers to trust, and we can stop putting all of this work on the users and provide them the more safe services. Andrew?
So Pay Pal’s been in existence now for around about 12 years—surprisingly short period of time. The principle value proposition, or at least one of several, was allowing you to transact without having to share your information, and so conceptually, from the perspective of how we wanted to engage with consumers in the world of creating transactions, right from the very beginning, this concept of allowing you to be identified, to transact in a way that allowed you to get what you needed, but also to control how much information was being shared about you, was really fundamental.
Somebody mentioned to me just before we started off here that today is a little bit like Woodstock for the identity geeks.[laughter] I'm not quite sure I'd go exactly that far. However, I think what really is interesting is that NSTIC is a fabulous jumping off point for the next phase of what we're doing. But honestly, we've been hard at work wrestling with these issues in the identity community around the concepts of consumer identity for well over five years now. The concept of ecosystem, the various players that are here, this is not something we're trying to create overnight. There's been a huge amount of very hard work by a whole range of companies, technologists, very smart people, particularly in the areas struggling with concepts like pseudo anonymity—how do you share your information in ways that allow you to track it and then turn off access to it, for example. These are a whole range of challenges that we’ve been working with for some time now. The neat thing about NSTIC is that we now have an engagement where we have a much broader set of opportunities and working groups and contexts, which we can actually drive forward to begin to actually make this work. It's very, very significant. A very large challenge. But honestly, if we don't work out how to move forward from here, the potential of having an Internet that we feel comfortable about using is diminishing rapidly, and that's bad for all of us.
So, we regard this as being a great opportunity for us as Pay Pal, working with Google, working with government and certainly working with privacy folks to understand how to do this more effectively so we all get to win in this space.
Well, thank you. I appreciate that. Well, now this is a part of the panel where we open it up to each of you in the audience. I believe there's a couple of folks that are walking around with wireless microphones. I've asked that each of you please when you do stand up, identify yourself and who you're with and we'll go forward from there.
Good morning. I'm Randy Sabot from SNR Denton. I'd like to comment about Woodstock for identity geeks. I view it as if you remember the “Devil's Advocate” movie, this is our time for those of us in the identity space. My question for the panel would be: a lot of focus in the identity space is around personal identity, you know, I am Randy, you are whoever you are, etc. But I think there's a whole other area that the NSTIC touches on and I'd like to hear what the panel has to say about device authentication and the notion of not only having people identify themselves and authenticate, but also having devices authenticate. Thank you.
I can take that one if you all like.
So, as an example that at least my family members can understand, many of you all may subscribe to a NetFlix-type service, and NetFlix is doing a very good job these days with having users authenticate individual devices where they want to stream their videos, whether it’s their play station, their NetFlix, their smart phone, etc. And so we've actually started to move to the point of, you know, not everything has to be a web browser. We actually want to take all these other physical devices out there in the world and actually start connecting them to the Internet as well to create this smart net that we've talked about. And so, to Andrew’s point, in the last five years the industry has been trying to work on industry standard techniques—OAuth is one of the technology we geeks talk about, to actually enable us to make this happen. And we've actually made good progress there. NetFlix is a good example. We're hoping to see more innovation and there are certainly other vendors here who are even providing stronger authentication of devices to help us move forward.
[Nash] So, one of the interesting questions here is, is my device the same as me or different and, and you know, does—I'm Australian, you can take me out for beer afterwards, we can debate this at length. What's clear, however, is that the—as you rightly pointed out, there are just a whole range of new devices, new engagement models. My TV is an Internet browser and allows me to watch movies with nothing else. It's just a process that allows me to download the LNA files and allows me to play them directly. So I interact with a whole range of interesting devices, and they need to know it's me interacting with them so that I can get access to content or control how they’re interacting on my behalf.
And we're beginning to move into a world where devices begin to do things for us even when we're not actually there. So this concept is actually really important. NSTIC does rightly address the concept of identity for devices. I think one of the interesting challenges that we'd love your help on is how do we relate the device identity to who you are and what does it do under various circumstances.
[Landau] And, of course, there's a huge privacy issue there because there are times when you want the device to tie to the identity and then there are times when you don't want the device to tie to the identity. And on the industry side, it's very nice to tie the device to the identity because you learn an awful lot about the user, but I can see Leslie’s hair and mine standing all the way up. [laughter] So those policy issues are not addressed in the document and certainly are not yet being discussed except in academic papers. And need to be.
[Harris] I completely agree. From a civil liberties perspective, I think when you start talking about the devices and tying them to an identity, you're not only sort of raising the question about, sort of you know, how much more industry might see or be able to collect, but you're also sort of changing the whole concept of sort of how, you know, government surveillance might work. So I think it's a, you know, it's in the document, but it doesn't feel like the key issues that moving to devices are teed up in NSTIC and I think we really have to do that before we move too far along. It's going to be hard enough to work out the other.
[Nash] Let me just throw something in as part of that. One of the, we, there’s a huge number of very bright people, not only in this room, but in the wider community. We lack the definition of terms and contexts and a whole range of things lead us toward a huge amount of cycle time lost I find often. I think one of the great opportunities we have here is to really carefully distinguish between real world identity, who am I in flesh and blood, versus the persona or various instances of myself that I'd like to have represented, maybe on my mobile phone or elsewhere, and the degree of separation, tracking and linkage that may be appropriate there. And we certainly have the seeds for it here. I think the opportunity for us is to work out how to put those tools in the hands of everyone, hopefully in a way that we can actually understand as mere mortals and interact with because there’s a huge user experience challenge that particularly Google has done some fabulous work with in terms of leading forward here. But I think there really is this interesting concept that we need to keep very straight, which is the real world you doesn't necessarily have to be the digital you, or only at some level of association. And I'd really like to see that strengthened and more effectively defined from a policy perspective as part of this.
[Grant] Thanks. And before we move on, I'll say on our side we clearly recognize as NIST that a lot of the issues that we want to tackle in the Strategy are going to be difficult ones. We're going to need more forums like this where we can actually bring different stakeholders together to tackle what are difficult, vexing issues and try and figure out where there's consensus to actually move things forward. I do want to try and keep the panel discussion going. I know there are some other folks that might have questions. Yes sir.
Thank you. I'm Dazza Greenwood with E-Citizen Foundation and also collaborating with NSTIC.US Partners. We've heard you talk just now about some of the business and the technology problems and prospects that NSTIC is bringing up. I was wondering if you could speak to at the governance layer, how that might support and reflect the kinds of solutions that you're seeking and how, you know, just from an e-citizen perspective, we always wonder how the end users potentially play within this governance vision that you have.
I think that one's yours.
[Grant] Sure. So thanks, Dazza, for the question. I think we'll be talking about it a little later, but one of the things that we will be doing in the next few months is hosting several workshops through NIST. The very first one will be coming up in June, a date to be announced very shortly as soon as we can settle on the facility and location, looking at the governance issue. And it is arguably the longest pole in the tent to making the NSTIC vision a reality. And well I wouldn't want to say too much before we really have a chance to hear from each of you as to how we should best go about that topic. I'm not sure if others would like to weigh in.
[Landau] On the topic of governance?
[Harris] Yeah. Well, I just think that it's the next conversation, and from the perspective of civil liberties, privacy and consumer advocates, how that conversation goes completely determines whether this vision is one that we're going to support and we're going to get value from. So…
[Grant] So, the strategy is very clear that we want all of you at the table, it’s not just these guys, although we need them too.
[Landau] The Strategy is right, and the Strategy acknowledges the privacy and all the questions. It's when you get everybody in the room that we're going to have a good time. [Laughter]
Excellent. Thanks. Next question. Yes, sir.
Hello. It's Rodney Peterson from Educause. There's been discussion about a national ID and trying to distill that myth that that's not the intention. But can you talk about how state governments and local governments and even schools and colleges might emerge as identity providers and what are both the opportunities as well as the threats that that might represent?
[Landau] So, I would love to take that one because there's a wonderful example that really explains how federated identity really protects privacy and security. Which is the whole [inaudible] of enterprise that has existed now for some time, which uses protocols where you might identify as a U Michigan student and be using resources at University of Illinois. But when you're using the resources at University of Illinois, you're not Leslie Harris at U Michigan, you're just a user at Michigan. And only if the University of Illinois is unhappy with how you're doing something does it actually go to Michigan and say you need to do something about this user that we know in an anonymous fashion. Similarly, University of Illinois can act as your identity provider if you have— maybe you do an adjunct at both places and sometimes you are using the Michigan identity and sometimes you are using the Illinois identity. The result is that Michigan has some information about you, Illinois has other information about you. It's not centralized, which is good from both a privacy and a security viewpoint. So that I'm telling you on the federated side about why educational institutions have already contributed to this conversation in an extremely healthy way.
[Nash] State governments particularly are really the root of how we identify who we are when you get right down to it. You are born in a state that records who you are, you get your driver's license there. A lot of the core kinds of concepts associated with our real-world identity are very much related to the way that a state government and its various other local other forms interact. We use those documents to establish who we are for the purposes that we would hopefully like to engage with. We get a bank account, we deal with our health care records, and we would like to make sure that we are the real person that's actually getting access to those accounts, so there's a huge opportunity there, if we could actually ensure that when someone represents themselves based on their information, that it's actually strongly likely or more strongly likely than at the moment that that's actually the person we're dealing with. That would be a great start. It would help us, for example, ensure that when someone tries to set up an account, that they really are validly who they say they are, not a terrorist trying to actually spoof the system in some way, or someone who’s trying to get access to your account in some way that allows them to extract your value.
There are obviously huge challenges around how that information gets shared, where it gets protected, how it gets used. But certainly at least from a perspective of registration, establishing who you are, if we could do that much more quickly, and with a higher level of certainly, under our controls, we decide that’s an appropriate thing to do. That's a huge opportunity that’s here that we've yet to explore and execute on a more effective way.
[Landau] But to follow up on Andrew's point just a bit, that's where the governance issues really become key because for renting a free camp site at a state park, you don't need your state identity. And if the state hasn't set up identities in a way that you can actually go to the state and identify yourself just as—just by your ZIP code or whatever, then there's a problem, and so we really do want to see the governance issues worked out because otherwise there is no anonymity, there is no privacy.
[Nash} Yea, so I'd like to be very clear. What I described was registration, not transactional usage of those identities.
[Nash] And so first there's a very large separation there, but I fully agree with you about appropriate and limited use of information as it's appropriate for those transactions moving forward.
[Harris] I think Susan's point was: in a lot of transactions with the government, you don't really need to be providing an identity, and so we have to be really careful as we sort of put these structures together. I think with government more than—you've got inappropriate data collection on the sort of commercial side in demanding identity or more credentials than are necessary for a transaction. You have a lot of other issues at play when the government gets into identity.
[Grant] But I think for all of those transactions we want to…
[Harris] …poor access to information question. That’s why I think we really have to—that's why governance here is just going to be critical.
[Grant] It's very clear in the NSTIC, for every transaction, whether it's with the government, a commercial entity, a nonprofit, it's important that when you can be anonymous or pseudo anonymous, you can be, and when there's a real need to actually authenticate yourself and verify your identity, there's also solutions to support that as well. This is not a one-size-fits-all solution and a lot of the—where the NSTIC is rooted is focused down on a level of consumer choice.
[Harris] Which as a vision matter is exactly right. As a in-practice matter, depends entirely on governance and whether or not we're binding these parties, the relying parties not to ask for more than they need, the identity providers, what's appropriate in terms of their other uses of the information they have because they're going to have a view of all of your activities. And then from a consumer perspective, some way for redress when this system doesn't work.
Thanks. Other questions from the audience? Yes, ma'am.
Deborah Lafky from the Department of Health and Human Services, and one of the issues that we have in HHS is trying to manage identities for patients in a privacy protective way, but also trying to adhere to standards for identity management. And one of the issues that we've faced is some lack of clarity and maybe less flexibility than we really need in standards. So I wondered if you could talk about the role of standards going forward, and if there's a road map for further development of standards, particularly with respect to some of the innovative identity provision techniques that are out there today.
[Nash] Let me take the first crack at this because I've spent more time in standards than I care to recall. I'm actually only 23 years old. I just look like this because of the standards involvement. [Laughter] What's pretty clear, we've developed a huge range of really interesting standards over the last 25 years in the identity space, and there've been lots that we could have done better with—you know, we had attribute certificates and X.509, for example. What is interesting though is that the focus in the identity space, up until relatively recently has actually been primarily around enterprise use of identity or the use of identity for a group that's bound in some form. It's government employees or a whole range of bounded kind of contexts. What we've begun to move into in the last four or five years particularly has been this concept of consumer identity. These aren't people that are bounded or controlled by you, they're us, they're individuals that I care about.
So we've made huge strides. Eric referred to OAuth. We've got various other forms of protocols that we've been working with over time—Open ID and others—that have actually changed the grounds. I mean all crypto looks the same, that's not really different. We've been doing that for a long while. But some of the fundamental assumptions and principles that we began to build in around let users make decisions or have an opportunity to track and decide how their information gets used are fundamental. How we actually share your information without having to give away primary keys like authenticators or passwords so that you open the doors and everything is available to you. Now, with OAuth, you have the opportunity for someone who wants to share information to look at a subset, report to you that that's what they're going to do, and describe the agreement or length of time that that's going to happen over. Five years ago we had nothing like that. We’ve made huge strides over the last few years. And a lot of this has been oriented around these new concepts, folks. We didn't need them before in an enterprise rather kind of context. Lots and lots of identity management technology and work that we can stand on top of. We really are moving into some different opportunities and engagements with some fundamentally different starting points and philosophies as it deals with very large populations—the consumers, the citizenry, etc. So, I'm actually very encouraged that we've done some good work, but we're still just at the very beginning, I think, in a lot of these.
[Landau] So, let me echo it in a slightly different way, which is the examples 10 years ago, eight years ago, were about a company outsourcing its HR to another company or dealing with a partner in how would they share information completely enterprise-based. And now the use cases I see are how do you share information when there's a first responder, how do you share information on the smart grid. And those are the use cases much more akin to what you need. And so as we…so I'm really seeing the standards groups looking at that now as opposed to what they were looking at five years ago. So, I think what I'm saying is: have hope.
[Harris] I think the challenge for health care is that in the last couple of years through meaningful use and a lot of things that have happened as a matter of policy, we're asking for a very quick escalation of exchange between entities and exchange with consumers, and we actually have put some timelines around those things that don't necessarily measure up with completely where we are yet on some of these questions. So yes, there's hope, but it's hard.
[Grant] Molly? Is there a microphone? We have somebody in the front row had a question, but as of yesterday, I know she had laryngitis, so she could probably use some assistance.
Thank you. I'm Mollie Shields-Uehling with SAFE BioPharma Association. Certainly many activities—commercial, business, increasingly government activities—take place in an international context where the privacy laws are different, the identity proofing requirements are different. How is NSTIC incorporating the international aspects into the strategy?
[Grant] Sure. Well, the, I’ll let the panel talk about it as well, but since it was that specifically focused on the NSTIC, international coordination is going to be very important. Clearly, talking, I mean, whether it's from a privacy angle, where you want to have some consistent privacy standards that can apply when you're suddenly dealing with a transaction with a company that’s not based in the U.S., to companies over here who want to make sure they have some consistency as well in terms of security and technology standards or privacy standards that are in place for all the markets that they're engaged in around the world, there needs to be some coordination. But I think a lot of the specific activities, again NSTIC being the strategy where we're being left with the implementation. And again, as we embark on a series of workshops this summer and other activities to start to bring stakeholders together, we really want to hear from you and others as to the best way to ensure that that's taken care of.
[Landau] So I know that both Oasis and the Kantara Initiative, for example, in their privacy groups are really looking at the privacy standards fully internationally. It's not a domestic issue.
[Nash] The challenges here are huge. I mean, anyone that's tried to deal as an international company, we operate in something over a hundred, well over 190 countries now, I think. Hopefully the PR people don't beat me up. And so we deal with lots of different regimes with lots of requirements. Pay Pal and eBay, in fact, in the context of the EU had taken a set of steps that was quite unique. That is, there was a provision that I believe we were one of the first to execute on, which is you could actually define a regime which defined how you would interact with privacy, and it could actually be more encompassing or greater than EU's definition, and you could actually utilize that internationally as a way to actually define in many countries how you operated. So there are beginning to emerge some policy and governance kind of frameworks that allow us to actually work in that way. I know this. As a large international company, we are very interested in getting this right. I mean, we live every day as needing to deal with the compliance kind of aspects of this. We're certainly interested in helping feed that into the working group process, etc., to try to line this up.
[Harris] This is a bigger issue than just identity. It’s the whole question of moving, moving to the cloud. And the fact that we haven’t come up, we have some initial ways of dealing with the EU, be we haven’t completely settled on those. We’re going to, you know, there are thoughts that this is going to wind up in larger treaties and agreements because of how data is flowing. And identity is really, it’s a key piece, but it’s only one piece of those questions.
[Sachs] When NSTIC has talked about trying to read out to private industry, as Andrew mentioned, industry has been working, especially in the last five years, on this consumer identity space, many of the players involved in that, like Nat Sakimura who I believe is the chairman of the OpenID Foundation from Japan, one of the reasons for that is many U.S. citizens are engaging with international services that operate under different laws, but we still want to try to bring some of the same privacy controls, security controls to enable them to actually operate with these other companies.
[Grant] Trying to keep things moving along, we have time for one last question, which I’m actually going to take. It’s lightening round. What’s the one piece of advice you would give to the government, and I guess by extension to me as the person leading NSTIC implementation. What’s the one thing the government most needs to remember as we’re moving forward? Who wants to go first?
[Sachs] I’ll go first. As I mentioned before, I think some of this is, we’ve talked about raising awareness among, in users about security, now a large part [inaudible] of this is actually going to be raising awareness for as I mentioned before, website owners that, please stop asking users for passwords, the short version. And we have other approaches, OpenID and etc., so help us raise awareness as we actually do find these find these approaches.
[Nash] What’s becoming clear in some of the privacy conversations is that we may have been too grandfatherly sometimes, assuming that our users actually don't know what’s going on and can’t assume responsibility. We have an opportunity for people to be given choice and understand what is happening. We actually need to help empower them as it makes sense, as well as safeguarding them.
[Landau] The governance issue is key here. And you better have all the stakeholders in, all the time, because the technology is going to keep moving forward. You’re not going to solve it once and then you can get rid of everybody. The governance issue is going to be key.
[Harris] So, I was going to say the same thing, but instead I’m going to say a spray bottle of water and a big thing of catnip because this is going to require a level of cat herding and staying on it for the government. And, you know, I think that’s your role in here besides a bully pulpit. It’s to keep everybody in the room. So get that catnip ready.
[Grant] Well, thank you. Leslie, Susan, Andrew, Eric, I appreciate all the advice. I appreciate your participation and the questions from the audience. At this point, I am going to turn it over to Gene Sperling, who is President Obama’s Director of the National Economic Council and also Assistant to the President for Economic Policy. As I think most of you know, Mr. Sperling has had a distinguished career as a public servant, having served as a key economic adviser to President Clinton. Most recently he was the lead policy advisor to Secretary Geitner at the Treasury Department. In his new role with President Obama, he is focused intently on kick starting American innovation, and he’s got plenty of ideas on how a more secure and robust Internet will help the cause. So let me bring him up here to offer a few thoughts.
[Sperling] Thank you, Jeremy, and for your leadership and implementation of this measure. I also want to thank, obviously, Secretary Locke for his leadership in this area. I want to particularly thank Howard Schmidt and his team, including Andy Ozment and Sameer Bhalotra for their work inside the White House. Howard is our nation's first cybersecurity coordinator, and he’s done a terrific job. And, what I want everyone to know is that he is considered a part of both the National Security Team and the National Economic Council, and I think that’s very important and it reflects the fact that you have the type of idea coming forward. I also want to acknowledge Senator Barbara Mikulski, who is such a great leader on so many issues in the United States Senate, and I’ve had the pleasure of working with her in two different administrations and she is among many other things, a leader on cyber issues and you know, the expression Willie Sutton, where the money is? Well, she’s a kindhearted Willie Sutton [Laughter] who makes sure–she just went like that [hand gesture] on the kindhearted. But really without her leadership and support, none of this would really be possible. So we thank the senator for being with us, but more importantly, for her leadership in making all of this happen.
I will be very honest and say the following: It is not always the case, well let me put it this way, there are times where there can be tensions between security and intelligence issues and what you would ideally do from an economic perspective. This is not one of them. This is a place where we see a very broad and nearly complete intersection between what is best for cybersecurity and what is best for economic growth.
I don't need to tell this group what has happened on the Internet over the last decade. That global online transactions are estimated at 10 trillion, that’s with a “T,” and that the number of Internet users increased from 360 million when I left government under President Clinton, to about 2 billion currently. So, e-commerce is obviously just a critical critical part of the U.S. economy and the global economy. And, but we recognize, and this is not something you read about, most of us have experienced it, that one of the inhibitions is issues on cybersecurity. I have personally been a victim at least twice. And, there is no question that that, that fear inhibits economic transactions, economic efficiency, and economic growth. Two years ago thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities in just 30 minutes. That is not the type of efficiency we want in our economy. The Department of Justice estimates that over 10 million Americans are victims of identity theft each year. Jeez. That means I am pretty unlucky. But, it sure feels, there are few families, few times I am sitting around a conversation with people where someone in their family has not been touched in some ways or affected by this.
So example, if a consumer wants to apply for a car loan at a bank where he doesn’t have an account, then he will probably have to print some forms, sign his name, possibly photocopy his driver’s license, and fax the forms in. He has to do all that because the bank doesn’t have confidence that it knows who that consumer really is. Again, not to be really personal, but that is exactly what I went through just six months ago buying an American-made car.
The National Strategy for Trusted Identities in Cyberspace, or NSTIC, which President Obama has signed and is being released today, is the strategy for creating an online environment where we can complete online transactions with confidence. It is also—I mean, let me just say—this is an area where public-private partnership can help address real problems and allow for future economic growth by enabling more industry and government to move services online.
What does NSTIC do? Its goal is to create a privacy credential—a credential that works across different public and private service providers and transactions to authenticate your identity. It could be a smart identity card, a digital certificate on your cell phone. It could work for online banking, accessing health records, sending e-mails. This can improve security in online commerce. It can save money for the government. The Department of Agriculture, for example, projects savings of $105 million over three years based on the use of technology and reduction in fraud and theft. It can improve privacy, efficiency, and convenience for consumers, and it is very much part of what this president believes is a strong privacy protection agenda that he supports, related more broadly to the Internet and commerce.
And it facilitates opportunities for innovation. And it really, you know the president gave a speech on the budget the other day in which he said, you know, quoted or referred to Abraham Lincoln essentially as saying you want government to do what is very difficult for any of us to do individually. Economists have more wonkier ways of putting that in terms of externalities, or other unintelligible terms. But, this is the totally right way of thinking about how government can help lay a foundation for economic growth.
Where the government brings together this type of standards, where they bring together and create something, you create a platform of confidence that no individual company could create for itself. No individual company can assure the economies of scale when each are operating on their own. It is by putting together these type of national standards exactly what NIST was always designed to do. That the government plays a role in facilitating a platform, creating a foundation for economic growth. And in the very same way that we have learned that the interstate highway system was something no one state could do on their own, no private person could do on their own, but together, it could allow for a greater degree of commerce that could be possible. It literally laid the foundation for economic growth in our country, creating the platforms, the trusted identities, the trusted credentials that will allow for companies, large and small, large and small, to have greater, to provide greater confidence to consumers is exactly the way we, government lays the foundation in a way the private sector couldn’t do alone.
Not intervening, not intruding but creating a platform that lays the foundation for greater private-sector growth, greater private-sector innovation, greater degree to do sales for not only the larger businesses, but for small businesses across our country. And with that, I will thank you for being here, for the Chamber of Commerce for hosting this, and I would like to introduce Howard, who I’ve already spoken about and Jane Lute who is the Deputy Secretary of Homeland Security. Thank you very much.
[Schmidt] Thank you very much Director Sperling, and as you can see, it’s easier moving electrons than it is molecules in some cases, getting up here. I’m particularly honored to be able to introduce somebody that means a lot to all of this in the area of cybersecurity, but also from a legislative perspective. Someone that, who has been a leader in this area and as director Sperling mentioned, having worked with her for two administrations now, fully recognized as the senior senator from Maryland, Barbara Mikulski has really been on the forefront of a lot of these issues that we really care about. As many of you probably know, she began her career with election to the Baltimore city council, then as a representative to the House, and she’s been a senator since 1986. She was also selected—and once again because of her expertise and the fact that she gets it—as a member of the bipartisan Cybersecurity Task Force to identify cybersecurity needs and maintain our nation’s technical, qualitative edge as well. She has also been extremely instrumental in securing the necessary funding for the FBI to combat both domestic and international cyber criminals—at the same time, fought for key funding for cybersecurity research—the National Science Foundation and the National Institute of Standards and Technology. And her role as the chairperson of the Commerce, Justice, and Science Appropriations Committee, she continues to be supportive of all this great work that NIST and the Commerce folks are doing.
But I think what I consider and many of us consider the crown jewel is her assistance in the creation of the National Cybersecurity Center of Excellence at NIST, at the technology center at Gaithersburg, Maryland. So please, join me in welcoming Senator Barbara Mikulski.
[Mikulski]Podium height adjusting
Given this is the Chamber, this podium was made for really big guys. First of all, good afternoon to everybody. I know I am one of the last speakers and you think you’ve heard everything, but I haven't said everything I wanted to say about it. I was invited to be here by the Chamber of Commerce and I want to thank Anne, and the leadership of the Chamber for hosting this. A few weeks ago, Barack Obama walked from the White House over here to meet with the leadership of America's business community. Some saw as a turning of the page, some saw it as treaty negotiations. Some saw it as a new day. I see it as all of that. And the relationship between the president and Mr. Donohue wanted to speak with the leadership of the American business community to say, America and its government wants to be a full partner in several-a few national goals. Let me tell you what they are. Number one, we want a safer country. Number two, we want to have a stronger economy and we want to achieve it by being a hell of a lot smarter about it. We know that we have two be a more frugal government, but what we need to be is frugal and make public investments that either help generated private sector jobs or facilitate the free flow of commerce in the United States of America.
And one of the first, specific, immediate and realizable initiatives to come out of that is the NSTIC project. Because, what a great example for that to be able to happen. This project will be federally supported but really private-sector led. And what will it do? It will make a safer country so that we can avoid cyber attacks on .com, .com. At the same time, while we do that, it is the United States government doing what it has done for more than 100 years, developing the standards so we can develop the products to get the job done. And, it will be an American standard. Working with American companies, to develop American jobs that protect, really in the long run international commerce, as our panel has so aptly talked about it. We are very proud of that.
You’ve heard the description of what NSTIC is, and I am not going to repeat it. It will help develop a card, a smart card or whatever, it will not be a national identity card, it will be a commerce facilitating card. And, in the development of that, it will develop the standards to do it and it will do it with the private sector. And, in doing that we do really want to protect .com. So much in the world of cyber and cyber crime is either protecting .mil against predatory attacks against the United States of America and its military networks. Right this minute, there are those nation states or those they hired to do their dirty work, are making predatory, cyber attacks either directly on the Pentagon as we speak today—there will be thousands of these. Or trying to penetrate .gov by going into the Patent Office to steal new ideas and new trade secrets. Why invent a cure for Alzheimer's if you can come into the Patent Office and steal the biotech idea that’s working on cognitive stretch out. .Mil comes in and we’re working on protecting .gov.
But where I feel that we are our slimmest, I won’t say our weakest, our thinnest, is in protecting .gov*. The panel spoke eloquently about the issues involved in the free flow of commerce and what we need to do, but at the same time they raised governance issues. We are concerned about the governance issues, and Howard Schmidt, working with the President and the full team is working on governance. But we've also got to also think about technology development. We’ve got to think about workforce development, and we certainly have to look at civil liberties. However, the first civil liberty is to be able to have a job, lead a life, and be able to buy what you want in the way we now buy it, which is through credit cards and other cards.
We love the FBI, but the FBI comes in after-the-fact. They come in after a crime has already been committed. And, we’re going to support the FBI. We’re going to support the growth of the FBI in becoming really cyber sleuths, cyber forensics, all the thing. But we don't want the bad guys to steal, and the bad guys are stealing. Why do I know this? And what is Barbara Mikulski talking about that? Wasn't she on the floor of defending Planned Parenthood the other day? Yeah, you got it, but just as I was defending that, because of a member being on the Intelligence Committee and being part of a bipartisan Cybersecurity Task Force with my colleague Senator Olympia Snow, and then on the Appropriations Committee, I chair the subcommittee that funds the FBI, funds NIST, funds the National Science Foundation, among others. So I’m in it up to my—I’m into cyber up to my earrings on this.
And I was shocked to feel—hear what is going on in cyber crime. The other day I found out that T.J. Maxx had over 40 million people who during the year of—during 2007, lost payment data. Forty-thousand people were attacked. There was a ski lodge in Vermont in over a two-week period—big snow but big crime—in this one area around the ski lodge, payment data of over 28,000 people was stolen. Now, who stole it? It was organized McMafia, the new McMafias, operating out of a non-NATO Eastern European country who could steal our Visa cards without even bothering to get a visa. Now I’m not here to be witty or funny—I’m actually quite dead serious about it. And I want to congratulate our executive branch, particularly Howard Schmidt, for leading the way on how we can put the best assets of the federal government, and they are located at the National Institutes of Standards to work with this private sector—this dynamic, energetic, entrepreneurial innovative private sector—on how we can work with you to protect .com. Whether it’s an individual citizen, whether it’s an individual company, that we can be able to do that.
Where I come in, is again, helping the Senate develop a body of expertise and ultimately working with the President on a more comprehensive legislation. But, as a grassroots organizer, I believe you have to be specific, immediate, and realizable. And this is where Howard Schmidt came in with working with our leadership and our science agencies, particularly with NIST, to come up with this idea of the NSTIC strategy. I think it’s going to be fantastic. And what has the president done? In this year's budget, and I want you to listen to this, he’s put in $25 million. In the scheme of federal budgets, $25 million is about like the spit off of the Bay Bridge. Okay? Nobody will notice it except where the wind blows. But I will notice it because I chair this subcommittee.
My ranking member is Senator Kay Bailey Hutchinson—known to you, certainly a promoter of jobs and economic development in our own country. You can really count on Senator Kay and Senator Barb to stand sentry over this $25 million as we work out how are we going to be more frugal, we also want to protect those public investments—really, in many ways quite modest—to achieve an unbelievable opportunity.
So, I am here today to say, you know what was begun by President Obama and Tom Donohue here at the Chamber, we’re going to continue it. And we’re going to continue it by looking at specific things. Where we can get the job done, we can get it done quickly if we’re smarter. Because I’m going to come back to where I began. I want to have a safer country. And the way we have a safer country is to have a stronger economy. And if we work together and are truly smarter at it, we can do it.
And again, I want to thank Howard Schmidt for taking up the goals of President Obama and turning them into such practical, achievable goals from the standpoint of both technology, the federal budget and this incredible, commercial private-sector know how. So let's get to work, and for God’s sake, may the force be with us. Thank you very much.
[Grant] I’ll do another podium adjustment. Thank you very much Senator Mikulski for your remarks, for your leadership, not just on cybersecurity issues and in the Senate overall but for your straightforwardness, your sense of humor. The Senate is clearly a more fantastic place with you in it. I wanted to take a brief moment, I don't think I can say nearly enough fine things about Howard as Senator Mikulski did, but I did want to give him a formal introduction. It’s my great pleasure to introduce Howard Schmidt, the White House Cybersecurity Coordinator. He’s led a distinguished career spanning more than 40 years in defense, law enforcement, and corporate security. He’s held executive roles in the private sector, including vice president and chief information security officer at eBay as well as chief security officer at Microsoft. His government service has included prestigious assignments at the White House, the FBI, and the Air Force Office of Special Investigations. Currently he serves as Special Assistant and Cybersecurity Coordinator to President Obama. Please join me very much in welcoming Howard Schmidt.
[Schmidt] Thank you very much, Jeremy, and I would like to add my thanks again to you for your leadership and your willingness to take on this task. As you heard from the panel and the discussion about how important this is, but how complicated it’s going to be with the spray bottle and the kitty litter or whatever it was, [Laughter], we will make sure that we herd all the cats as we should.
So thank you all very much for attending today . I think it’s vitally important and I think it shows the solidarity of where we are in coming together and looking at this issue, on dealing with identities in cyberspace and how we can move forward. You know, it took us some time to get here, but I think it's important to recognize that the President wanted to make sure, and the entire administration, that we got this right. That we brought everybody together to put us on a path moving forward, that this really does move beyond just having a strategy. I’d also like to thank our important speakers: Secretary Locke, Director Sperling, Senator Mikulski. Representative Lungren could not make it today. He was scheduled, but he is at a House vote, but I know he is very supportive, and especially Deputy Secretary Lute. I’d like to thank Anne and the Chamber for hosting this event and bringing us all together yet once again to move forward on this important issue.
Our panelists, Leslie, Susan, Andrew, Eric, and Jeremy, thanks so much for spending the time and sort of really framing the broad issues we are dealing with here because it's important to make sure that we all are speaking from the same page as we saw this morning.
I'd also like to thank the businesses, trade organizations, academia, the privacy and civil liberty groups that really made this possible. Because, it was all of us working together that brought us to where we are today. And with your help, and the thousands of comments, and I mean literally thousands of comments that have pulled this together, the countless meetings, the untold edits that we've had working on this over the past months, I think we got it right. And we do have a foundation.
And I’m not going to gloss over for a second that there is a lot of work to do. Those governance issues, technology issues, standard issues, that were discussed. Clearly that’s a path forward. But we need more than just the help to this point. We need your continued leadership.
We need to make sure as many of you heard me talk about before when we have a strategy, that’s almost the easy part of it. It’s execution of the strategy that we now have to focus on. It’s time to finish the job, and your leadership is going to get us there. But I'm happy to announce actually that some of the first proactive, practical steps to make sure that we can work together on the next version of NSTIC and how we execute on the strategy.
I am excited to announce that NIST will provide the leadership to implement the NSTIC and will be having a series of workshops around the country over the next several months to convene different stakeholders from industry, advocacy groups, nonprofits, academia, and others. And currently, three workshops are planned on the areas that you heard which, with any collaboration in advance, the governance, privacy, and the technology standards we are looking at just as the panel suggested. These workshops will be a starting point. They need to get the input from stakeholders and really start to forge the consensus on what are these issues we are looking at. NIST will have more information coming soon as far as the dates and locations and that will be released in the next couple of weeks. We ask that you participate and attend. As once again, we heard a little while ago, we all have to be at the table at the same time. That’s the way we move forward on this collectively.
We need to make sure that the privacy, civil liberties, and consumer advocates are at the table helping us ensure that consumers’ privacy is not just protected, but enhanced. Through many of the meetings we’ve had we've talked about where we are now and how we got here and what a challenge it was. We should not be two years down the road looking back and saying yes, we’re still , we’re not where we want to be.
This is our opportunity to rebuild what we care for and what we hold dear in our day-to-day lives as far as privacy and civil liberty goes. We need the industry to continue to innovate and to make sure we are looking at the technology, not only with the technology that exists today, as Senator Mikulski mentioned, the smart cards that many of us use within the government, USB devices, mobile devices, technology that hasn't even been developed yet. Not only making sure that they are available and that we have a choice using those things, but also some of the things that we’ve seen that have given us a good path, but yet that road has been bumpy because of criminals and hackers and people that have tried to thwart those activities, to make sure that we understand that they’re still out there. And we are building these new technologies to sort of take into account that somebody is going to try it and build that out of the system as opposed to fixing it later on. But we also need governments at all levels. Like the discussion was about the state level, the local and tribal governments, to make sure that we’re working collectively to develop these.
And very importantly so, our international partners, as I’ve had a meeting with my counterparts from the international community over the past month, looking specifically as how can we now take what will be standards and work together to make sure that when I get off the plane somewhere else, the identity and the trusted component I have of who I am, is transportable someplace else, is interoperable.
As we have seen all kinds of examples, when we see people on a global economic basis, where someone who currently can only sell to a local market, that can provide something that we normally would not have access to, be able to sit there and do it online through the Internet and really continue to foster that innovation and economic growth.
So, together we can do a better job of authenticating the things that we are doing while still preserving the anonymity that we’ve talked about earlier. We need to make sure there is less information exchanged and more control for us as individuals in what information is exchanged and how we control it. It means creating a baseline for that security, privacy, and interoperability in a world that gives us the freedom to innovate because that is the key of what we’re looking at. But also an experience for the individuals and the end users that are now dealing with a system that is cumbersome, fraught with challenges, fraught with a lack of understanding, to make sure it’s easier for them. And they also maintain those choices.
So in closing I’d like to now invite you to take some time, walk around the room, learn about what is already out there with some of the folks that have put up booths around the room. Look at the different technologies. Think about how you could use them. Think about how you could prove different types of technologies. But basically, make sure that we’re evolving this in a rapid manner so as we move forward, we can actually change how our economy functions when it comes to trusted identities and how our expectations in cyberspace change from being worried about something to having a better level of confidence in everything we do.
We’re not looking for one solution. We’re not looking for one database. We’re not looking for that national ID component that we’ve talked about. We’re looking for choice. Whether it’s a device, whether it’s a technology, whether it’s an interoperability solution, we want choices. And that’s the thing where we can come together to make sure that it’s cheaper, usable and more secure for our consumers and end users.
We’ll have plenty to discuss in the upcoming months. I think we all know that. But as we discuss the future, we have set a marker in the road today. We have clearly laid down a path for us to move forward and collectively, we feel that we are doing the right thing, and we are going to do it in a way that capitalizes on the way that America best works together. Competing towards a common goal, solve a problem, innovating and growing online services, thereby creating new job opportunities, and really winning the future for the technology that all the gifts that it’s given to us.
So, thank you very much for being here. I look forward to seeing you later on. Thank you.
*Corrected by speaker. Speaker said .gov during the event, but intended to say .com