Forum on National Strategy for Trusted Identities in Cyberspace, Transcript

Good morning, everyone. It's nice to see everyone here this morning. A number of familiar faces, and I hope you're all enthusiastic about the program we're about to hear. My name is John Mitchell. I teach in the computer science department. My colleague Dan Boneh and I direct the computer security lab here. We're also participants in the NSF's Trust Science and Technology Center, which is a co-sponsor of this event. You can easily find us online, and we'd welcome you to our future events, including an industry and government-oriented program in March and our research-oriented workshops and so on throughout the year.

I'd like to introduce my friend, Ward Hanson, who is our host here at SIEPR at this beautiful facility, and he's going to introduce Secretary Locke. Thank you.

Greetings as well. I'm Ward Hanson, as John said, of the Stanford Institute for Economic Policy Research. You may not know that SIEPR is a non-partisan hub of economics and economic policy here at Stanford, and we're very pleased to host this event. This is our new building; we moved in less than a year ago. It's exactly for this kind of event, and you can go on our website and see other policy areas that we do research on, both in-depth and in policy pieces. And while we are sure this event will create news, it might not create a headline quite as happy for the Stanford community and as pithy as "Luck to Stay at Stanford."

So now it's my pleasure to introduce Secretary Gary Locke, who was appointed by President Obama as the 36th Secretary of Commerce and sworn into office on March 26, 2009. At the Department of Commerce, Secretary Locke is charged with helping implement President Obama's ambitious agenda to turn around the economy and put people back to work. Many of us on the West Coast are well aware of Secretary Locke as the popular two-term governor of Washington state, and like Silicon Valley, Washington is highly oriented toward trade and high technology. As Governor, Secretary Locke helped open doors for Washington state businesses by leading 10 productive trade missions to Asia, Mexico and Europe, significantly expanding the sale of Washington products and services. He also successfully strengthened economic ties between China and Washington state, more than doubling the state's exports to China to over $5 billion per year, and during his administration the state gained 280,000 jobs, something, of course, we're very interested in doing now. Secretary Locke has a bachelor's degree in political science from Yale University and a law degree from Boston University, and we at Stanford are honored to have him here today. Secretary Locke.

Well, thank you very much, Ward, for the introduction, and I don't know if it's going to help the Huskies if Andrew stays at Stanford next year, but it's an incredible feat what Stanford did at the Orange Bowl just a week or so ago. It's really a pleasure to be here, and I'm sorry that I cannot stay. There's been a death in the family, and so I've got to rush up to Seattle as soon as I conclude my remarks here. But I know that you have a really great agenda set forth with interesting panels and other speakers, and I'm sorry that I really cannot stay and participate and take in all the observations and comments and wisdom that resides in this room. I do want to thank our hosts for convening today's forum, TechAmerica, TechNet, the Churchill Club, Stanford University, of course, this center, and I want to thank all of you for joining us this morning.

You know, there may be some people here in the room who, like me, remember that Time magazine's man of the year, some time ago, was a personal computer. And according to reports most of that story was actually composed on a typewriter. That was 1982. That was 1982. Well before terms like cyberspace, virtual reality and social networking would ever enter the popular lexicon, and there were precious few cell phones. I remember when I first started seeing people with those cell phones, they were like bricks, you know, huge bricks tied to their waists, and certainly nothing called a blog. And the Internet was the private preserve of the defense department, federal researchers and a few universities.

Fifteen years ago we actually saw the dawn of the commercial Internet. But let's flash forward to today to 2011. Nowadays the world does an estimated $10 trillion of business online. Nearly every transaction you can think of is being done over the Internet. Consumers paying their utility bills even from smartphones. People downloading music, movies and books online. Companies from the smallest local store to a bed and breakfast, to multi-national corporations, ordering goods, paying vendors, selling to customers, all around the world. All over the Internet. E-commerce sales for the third quarter of 2010 were estimated at over $41 billion. Up almost 14 percent over last year. And early reports indicate that the recent holiday buying season saw similar growth with year over year sales up by over 13 percent.

But despite these ongoing successes, the reality is that the Internet still faces something of a trust issue. And it will not reach its full potential until users and consumers feel more secure than they do today when they go online. The threats on the Internet seem to be proliferating just as fast as the opportunities. Data breaches, malware, ID theft and spam are just some of the most commonly known invasions of a user's privacy and security. And people are worried about their personal information going out, and parents, like me, are worried about unwanted sexually explicit material coming in before their children. And the landscape is getting more complex as dedicated hackers undertake persistent targeted attacks and develop ever more sophisticated frauds. Dealing with these evolving threats has been an issue of high priority for President Obama since the earliest days of his administration. It was back in May 2009 when he said, quote, "America's economic prosperity in the 21st century will depend on cybersecurity," end quote. And he went on to declare that, quote, "this cyber threat is one of the most serious economic and national security challenges we face as a nation." End quote.

To help meet these challenges, the Obama administration recently released a comprehensive cyberspace policy review outlining a series of necessary actions by the public and private sector, including improving identity solutions, identity management services, and privacy enhancing technologies. This review has helped to lay the groundwork for the administration's forthcoming National Strategy for Trusted Identities in Cyberspace, or NSTIC. The final version of this strategy will be signed by the President in the coming months, and Howard Schmidt from the White House will be talking more about this in just a few minutes. Many of you are familiar with the public draft released this past summer, and many of you participated in the open public process with comments on the strategy, and we very much want to thank you for your thoughts and your recommendations.

The end game, of course, is to create an identity ecosystem where individuals and organizations can complete online transactions with greater confidence. Putting greater trust in the online identities of each other, and greater trust in the infrastructure that the transactions run over.

Let's be clear, we're not talking about a national ID card. We're not talking about a government-controlled system. But what we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords through the creation and use of more trusted digital identities. To accomplish this, we're going to need your help. And we need the private sector's expertise and involvement in designing, building and implementing this identity ecosystem. To succeed we'll also need a National Program Office at the Department of Commerce focused on implementing our trusted identities strategy.

The Commerce Department already has extensive experience in this realm. Last April, for instance, we launched an Internet Policy Task Force to address the most pressing Internet issues of the day. The task force was made up of experts from across the department: experts in trade policy, intellectual property, information policy, cybersecurity, and standards. And the task force is working on developing cybersecurity policy recommendations for the commercial sector, as well as policy recommendations on other Internet issues like privacy, copyright protection, and international e-commerce. We've reached out extensively for public comments on all these topics, and the task force just last month released initial recommendations for strengthening online privacy protection.

The Commerce Department has the National Institute of Standards and Technology, one of the preeminent laboratories within the federal government; that's part of the Commerce Department. But NIST, or the National Institute of Standards and Technology, also has significant, long-standing investments in cybersecurity R&D and in standardization programs. And all of this experience can help a new program office be an effective facilitator for both government and private sector engagement, and indeed private sector leadership.

In the end, we want to build consensus on legal and policy frameworks necessary to make the trusted identities strategy successful, including ways to enhance privacy, free expression and open markets. We want to work with industry to identify where new standards or collaborative efforts may be needed, and we want to support intergovernmental collaboration, and we want to support important pilot projects.

These are important undertakings. And today's symposium and today's announcement are just an early step in a much longer journey. Of course, we all know that these pilot projects, any follow-on commercial deployments and the emergence of an identity ecosystem itself will not be a panacea. There is no magic bullet to solve all the cybersecurity issues out there. However, we do know that robust identity solutions can substantially enhance the trustworthiness of online transactions. And they not only can improve security, but if done properly, can enhance privacy as well. Such an identity ecosystem must be led by the same people who have made the Internet the incredible engine of communication and commerce that it is today. That's why Howard and I, along with Pat Gallagher, the director of our National Institute of Standards and Technology, have come to Silicon Valley, which remains an epicenter of American innovation and entrepreneurship. And Pat's going to be here for the rest of the day to talk more about our efforts but also to gather input from all of you.

The President's goal is to foster an identity ecosystem where Internet users can use strong, interoperable credentials from public and private sector providers to authenticate themselves online for a whole host of transactions. But the solutions allowing us to actually achieve that goal are very likely to emanate from your firms and the players and the organizations here in Silicon Valley. We know that you understand the basic equation. The greater the trust, the more often people will rely on the Internet for even more sophisticated applications and services. We look forward to working with you to build that trust. Thank you very much.

Thank you very much. I'm hoping that Karen Tucker is here?

Yes. So I'm happy to welcome Karen Tucker from the Churchill Club to introduce Howard Schmidt. Thank you.

Thank you, John. I'm the CEO of the Churchill Club. We are a 25-year-old, 7,000-member business and technology forum located in the Silicon Valley region. We are a non-profit, of course, and we are dedicated to encouraging innovation and economic growth. If you'd like to learn more about us you can visit our website at I'm most privileged indeed to introduce Mr. Howard A. Schmidt. Howard's distinguished career spans more than 40 years in the fields of defense, law enforcement, and corporate security. And today of course, he works as special assistant to the President and as Cybersecurity Coordinator for the federal government.

Now, reading through his bio, you'd think that surely it refers to the accomplishments of more than just one person. He previously had other important security-related posts at the White House and for the Department of Homeland Security, just to name a few. He worked in the private sector as chief information security officer and chief security strategist for eBay and also as chief security officer at Microsoft. All of this amazing work and many contributions put him squarely at the top of his field as one of the world's foremost security experts. And before all of this, he directed the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare Division. And before that, the FBI had a hold of him, and he was housed at the head of the Computer Exploitation Team and the National Drug Intelligence Center. He is recognized as one of the pioneers in the fields of computer forensics and computer evidence collection, and indeed we should be very grateful that he is on our side. Please welcome Howard Schmidt.

Thank you very much, Karen, for that kind introduction, and I'm really glad you were here as well. Thank you, all of you, for attending. Special thanks, of course, to Phil Bond at TechAmerica, our friends at TechNet, the Churchill Club, and especially Trust here for hosting this event and giving us an opportunity to really talk about some things that really are going to be game changing relative to cybersecurity and, more importantly, trusted identities online.

You know, when Secretary Locke talked about the continued job growth and innovation, the President's efforts behind that, I'm sure everybody here today would probably understand this is a national top priority that we're looking at. So I'm particularly pleased that you would join us to be part of this dialogue as we look for ways, as business leaders, academics, and government officials, to make sure that online commerce continues to be a trusted, growing economic engine of our economy.

You know, as the Secretary mentioned, this past holiday season consumers spent an estimated $30.81 billion in online retail spending, which was an increase of over 13 percent over what it was in the previous year. I mean, there's no better testament to what an engine this is than taking a look at those specific data points that come out of these things. But as indeed we depend more on this online world, as we do more shopping, entertainment, travel, all the things we use the online world for, we also fully recognize that there are those out there that basically are looking to disrupt that. Whether it's through disruptions as we've seen in the past with distributed denial of service attacks, or whether it's what speaks specifically to the area we're going to be talking about today, and that's online fraud, identity theft, credit card fraud. These things are also on the rise.

When the President released the cyberspace policy review, one of the things that he was really very specific on was the partnership that we need in the public and private sector. And one of the things we're working on now is to redefine what exactly that means. How can we truly be partners in areas such as information sharing? As we look at the innovation engine that drives many of the things we're doing, what does it mean to sit there, as we've come together today, and bring these things together to overcome some of the risks associated with the technology we've deployed over the past 20-some-odd years?

Also, one of the short-term actions was indeed the idea of creating a National Strategy for Trusted Identities in Cyberspace, or NSTIC, which is one of the 4 or 5 different N-something acronyms that we use in the government, but clearly the one that has the biggest impact on many of the things we're doing. Over the past year we've pulled together a number of different groups. We released a draft of the national strategy in July of last year online for public comment. And every day at the end of the day I would go back and read some of those comments. Some of them, quite honestly, were pretty silly. Others were very insightful and gave us some good thoughts about how we can do this right. How can we create a document that really does those things the Secretary mentioned, such as privacy enhancing, but also giving us better trust?

So I want to just give you a quick illustration about what I mean when I talk about trusted identities in cyberspace. I've had the pleasure of working with, knowing or being friends with some of you here in the audience, and I think there's one thing anyone who was ever asked would say: I'm the consummate early adopter. I've got hardware sitting in my closet that I used for the first week and found out it was never going to be supported, but I had it, and I still have it. So when you look at the technology and the benefits we've got from that, think of what people like myself and others do in just a normal day.

First, you go online and you buy something. Which is pretty well consistent. I enter my user ID, which for the sake of this discussion will be Howard. And the discussion point will be that my password is 123456. Now, granted, that's not my real password. Never has been and never will be. But basically, as you probably also know, there are some people that have that as a password, and we all know that. So not only do I do that online purchase, but I also log into my webmail account. Same user ID and password. I get an e-mail from my bank saying they need an update. We know where this is going: use that same user ID and password. Enter into the bank's website. I decide I'm going to refinance a car. Or even buy one online, as we've done in the past. Fill in an online form, print it out, sign it and send it on. Those sound to a lot of people like just the normal way you do things online. But we know what the problems are in this audience.

First off is having the weak password. And the reason most people do that is because we have to worry about remembering so many different passwords, and then there are so many layers of complexity that we have to worry about, and we have different time frames. We replace them every 30 days, 60 days, 90 days, and it becomes really cumbersome.

And a recent survey found that 46 percent of the people surveyed have never ever changed their passwords, and 71 percent use the same password over and over and over again, from reading an online blog to doing sensitive financial transactions. But you also can imagine from the previous illustration that obviously the e-mail from the bank was actually a phishing e-mail. But most people have no way of knowing that. We've built some wonderful controls over the past few years to deal with some of these issues. We've done server side filtering so they never hit the mail server. We've built some controls into the client side so it never hits your inbox; it hits the junk mailbox. But if it does hit the inbox, we've built browser technology now that basically looks to eradicate some of the problems: when you go to click a link, it winds up saying, "Wait a minute, this is not a good idea." But basically not everybody understands that or uses it, and in some cases we've even seen people just click through it and say, "Yeah, it's probably just something I didn't do right." And in reality it was.

So I want to sort of move away from that and talk about a potential future, one in which multi-factor authentication is sort of the norm of doing business. I go to a store. I go to a grocery store in some cases. I do some level of proofing, whatever I want to wind up doing, whether it's the lowest level or the highest level, to get an online identity stored on a token. A digital identity. Whether it's on a USB drive or whether it's on a smart card. I have the ability to do something beyond what I'm doing now. I go to log in to these accounts. I use the USB device, I use a smart card. I use a one-time password on my mobile device that no longer puts me in a position where I've been in the past, where I can wind up making one small mistake and paying for it for years. But then I also go to log in to my webmail account. That credential is passed on as well. So I have the ability to do these things seamlessly without all the baggage and overhead that goes with it.

But then here comes the true test: this webmail, this phishing e-mail, comes in, and working together between the token and my digital identity and the browser, it stops me from doing things that are going to be harmful. And I have the ability to control that. I have the ability to set this up. And then it keeps me from becoming a victim of fraud.

So when we start looking at this, we have to understand, as the Secretary said, this is not a panacea. This is one small piece of everything we're looking at. Many of you that have been in security for years understand that security is not a destination, it's a journey. So as a consequence this is one piece that we need to put together. We need to continue to reduce vulnerabilities. We need to continue the R&D to make sure we're building the digital infrastructure of the future that benefits from the lessons we've learned to date.

Because I remember one time years ago somebody asked me about--I'm sorry for the geek speak for a moment--but someone, we were discussing buffer overruns, and someone said, well why would someone type in 257 characters and cause something to break? And my response was, because they can. And we have to understand that people will do that in the future and build the controls in place.

So as we start looking at, you know, sort of the digital identity and the trusted identities in cyberspace, we have to build that taking into account the potential that somebody's computer system is going to be compromised and have a keystroke logger. There may be a man in the middle attack that we have to deal with. There may be issues on the website that we have to deal with. This gives us the opportunity to build these trusted identities in from the outset. To make sure we minimize the risks from these things taking place in the future.

So when you think of the identity ecosystem that we're talking about, that hopefully many of you will be involved in creating and helping us bring forward, it's a world that has options, and that's one of the key pieces of this. I don't have to get a credential if I don't want to. I can; it's entirely voluntary. The range of identity providers and digital credentials available will basically ensure that no single identification will be the point of failure for us. Nor will a centralized database emerge that creates problems for us. If I want to get a credential, I don't have to use it all the time. I can be selective where I use it and when I use it. It's an ecosystem that continues the Internet's existing support for anonymity and for you to be able to use a pseudonym as you choose. In other words, I can still post something on a blog or make a comment on someone else's story and do it anonymously. I also don't have to get a USB token, I don't have to get a smart card. There will be many different opportunities for us to look at various types of technology, and though I've described a few of them, such as an OTP, or one-time password, on a mobile device, or a smart card, USB, hard token, whatever it may be, these are things we know of today, and we're hoping that what you and your colleagues will do is give us even more options. Make it even easier for us. I know some of you are working on that already.

But this is also a world in which I'll have a better shot at privacy. Because NSTIC is not just about credentials and authentication; we also seek to limit through this ecosystem the amount of data that is collected and used for us to be able to conduct a transaction. There's a lot of things, I think many of us have lamented, that, why do I need to give up all this information just to do this one small transaction? And why does this information need to be stored beyond those four milliseconds to conduct this transaction? That's part of this identity ecosystem we're looking at. We want to make sure that we build the privacy-enhancing technologies into it right from the very start.

You know, although I've talked a lot about people identifying themselves online and I've been focused on that, I also don't want to lose sight of the fact that we are talking about machine-to-machine authentication. You know, as the Secretary mentioned about the Person of the Year being a PC. Clearly there are personal computers now in so many different form factors, but oftentimes these machines need to talk to other machines. We need to have the ability for them to validate and authenticate the things they're doing. So I also want to make sure we don't lose sight of that.

So the bottom line is, you can tell we're very excited about the NSTIC. We're very happy and pleased that we have an opportunity to build this ecosystem together. But we look at this in four major buckets. The first: the identity solutions will be voluntary and privacy enhancing. Second, the identity solutions themselves will be secure and resilient. The third one is that the identity solutions will be interoperable. And the fourth, and one of the more important ones as well, is that it has to be cost effective and easy to use, because people want and need that.

So in order to fulfill this vision, in order to meet some of the requirements the President has given us, we need the private sector to lead the implementation of this, and we've got some great people gathered in this room who are going to be talking about it after I finish up here, to look for ways to do that. There's Pat Gallagher and Phil Bond and David DeWalt, all the folks that are going to be up here in a bit. These are the folks that can help us put this together and move forward.

So as we look at the role of Commerce, Commerce is the absolute perfect spot in the U.S. Government to help run this National Program Office. We're looking at the issue of them hosting the National Program Office. Now, once again, we have a lot of work to do. This is the beginning of the journey. We have to work out some budget issues. We have to make sure that we're working closely with Congress. We have to make sure that we get all these things packaged together properly to make sure that we're on the correct path to get this done. And speaking of Congress, a special thanks to many of the members of Congress, because we are working very closely with the Congressional leaders in a bipartisan, bicameral way to make sure this effort is successful. One of the leaders of this, and a very, very close ally and strong supporter of NIST, is Senator Mikulski, who's been a supporter of Commerce, NIST, and the effort we're doing on cybersecurity, and she's been leading that. So we're very much appreciative of Congress's work on this as well.

So with the Commerce Department under the leadership of Secretary Gary Locke, and the other federal government agencies that have been working with the private sector, this is really key to our success in the NSTIC implementation. It indeed will help us bring up and turn up the heat on the economic engine that we so desperately need to be working on. Online transactions are a part of our life. They're not going away. We're going to be doing them more and more. And U.S. Commerce has a key role in ensuring we have the confidence moving forward so that the online economy is not shaken by the fraudsters and the criminals that are out there. Because together we can build an interoperable, easy to use identity ecosystem in which users indeed have more privacy and better security.

So I look forward to putting this in your hands today. Thank you very much for everything that you've done to this point. And I look forward to learning more from you as we do more to put this improved identity ecosystem in place. Thank you very much for the opportunity to be here.

Thank you very much for those thought-provoking remarks on one of my favorite technical, sociological, and economic issues today. I'd like to introduce Larry Rohrbough from Trust, the National Science Foundation Science and Technology Center.

Thank you very much. Good morning, my name is Larry Rohrbough. I'm executive director of Trust, a National Science Foundation Science and Technology Center.

It's my pleasure to introduce this distinguished panel. Moderating the panel, from my left, is Dr. Patrick Gallagher, director of the National Institute of Standards and Technology. Dr. Gallagher provides high level oversight and direction to NIST in its mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. Prior to his appointment as director, Dr. Gallagher served as the NIST deputy director, as well as director of the NIST Center for Neutron Research. Dr. Gallagher has been active in the area of U.S. policy for scientific user facilities. He was chair of the interagency working group on neutron and light source facilities under the Office of Science and Technology Policy, and currently serves as co-chair of the Standards Subcommittee under the White House National Science and Technology Council.

To his left, James Dempsey, vice president for public policy at the Center for Democracy and Technology and head of CDT West here in San Francisco. Mr. Dempsey concentrates on Internet privacy, government surveillance, and national security issues. Widely quoted in the media, Mr. Dempsey has testified numerous times before Congressional committees and was identified by Ars Technica and TechPolicy Central as one of the top names in technology policy for 2009. He's also a nominee to the U.S. Privacy and Civil Liberties Oversight Board.

To his left, Philip Kaplan, president and co-founder of Blippy. Prior to starting Blippy, Mr. Kaplan was entrepreneur in residence at Charles River Ventures. As a serial entrepreneur, Mr. Kaplan founded adBrite, one of the largest Internet advertising networks, as well as several other Internet companies. He also serves on the board of advisors of the Syracuse University School of Information Studies.

To his left, David DeWalt, president and chief executive officer of McAfee. Mr. DeWalt has more than 20 years of experience building innovative, industry-leading technology companies. Since joining McAfee in 2007, he has guided the company through three consecutive years of double-digit growth, with a record $1.9 billion of revenue in 2009. A recognized authority in cybersecurity, Mr. DeWalt appears regularly on nationally televised news programs, has spoken at the World Economic Forum in Davos, participated in panel discussions alongside world leaders, and served as an advisor to the National Security Agency, the Central Intelligence Agency and others. He was named one of the top five CEOs of publicly traded software companies by Institutional Investor Magazine and one of the 25 most influential executives of 2009 by CRN.

Finally, to his left, Philip Bond, president and chief executive officer of TechAmerica. Mr. Bond is a highly accomplished executive both in industry and government. He's served as senior vice president of government relations for Monster Worldwide, director of federal public policy for Hewlett Packard, and senior vice president for government affairs and treasurer of the Information Technology Industry Council. In government, Mr. Bond most notably served as Under Secretary of Commerce for Technology and was chief of staff to Commerce Secretary Donald Evans. During that time Mr. Bond was recognized in Scientific American magazine as one of the top 50 technology leaders in 2003. With that I'll turn the floor over to you, Dr. Gallagher.

Great. Thank you very much. Well, before we begin, let me take this moment as moderator to once again add my thanks to all of you for coming and joining us today. I have the distinct pleasure of moderating a discussion with this esteemed panel here, so I have the easy task, and I'm looking forward to it. What I'd like to do is, I have a series of what I hope are leading questions that I'll ask the group. It's a discussion, so I invite my panelists to jump in, have a discussion, and when that plays out, I can move on to the next question. And if we have time, we have some microphones, and we'll ask you to ask some of the leading questions for this group.

So with that, let's start, and Dave, I wanted to start with you. We heard the Secretary and Howard talk about identity management and this ecosystem that we're talking about. Can you talk about the roles of identity management and authentication and how they fit into this larger picture of cybersecurity solutions, both now and also taking a look forward for us?

Sure, Pat, absolutely. Are you controlling the mute buttons for all of us too? Is that the way it works?

No, we're all live.

Anyway, first of all, thanks for having us up here. Hopefully we can make this very informative for everyone. It was great to see Howard and the Secretary speak again. First of all, I'm a huge fan and, you know, very much applaud the efforts that NSTIC and NIST are making and that the Commerce Department is making, and to me it's a little bit about time. We need to drive at this. I've been the CEO now of McAfee for almost four years, and just to watch, just in that four-year period, what we've seen. We've literally seen an exponential, literally an exponential increase in crime, in the amount of malware that we get, just the amount of insidious things that we receive. It's a major pandemic. I don't even know what else to call it. We've seen an explosion of devices. We've seen Internet access reach, you know, almost every walk of life for consumers, for corporations, for governments, and we've really seen just a complete rise of crime.

We put out a number of reports, and in the bio it mentioned speaking at the World Economic Forum. The last two years we put out reports at McAfee around the state of crime and the state of terrorism and warfare, and we've really seen this escalation. And for those in the room who follow security, you know that not only is it the volume of malware and the types of attacks on identity theft, but it's also the complexity of them as well. We need government to step up. We need public and private interlock to occur. And I really applaud the efforts that we're seeing at the United States level and the government level to step up and try to drive and eradicate some of these challenges, because we need to.

I mean, every day at the McAfee Lab we get about 55,000, literally 55,000 net new pieces of malware. A piece of malware, think of it as a virus or a Trojan or a bad thing that can happen to your computer. Of those, about 90 percent of those pieces of malware are designed for one thing: to steal. Basically, crime. They are there to steal your identity. They are basically there to steal money from consumers or corporations, and it's been rising dramatically. These are challenges for security companies, clearly. We try to do the best we can, but about 50 percent of all consumers don't have any protection whatsoever. They don't have protection from identity theft, from any sort of identity recognition or authentication. They have very little security software to protect them, nor in some cases can they afford to have it, and we have a lot of challenges that are out there.

So in a macro picture, the Internet knows no borders, and we've created an environment where we really have a low-risk, high-reward environment for crime. We've actually created now a low-risk, high-reward environment for terrorism as well. We're starting to see more nation-state activities. We're starting to see more terrorist activities. That's just something where, if we were nervous before about some attacks on our critical infrastructure or on our identities, it's going to only get worse, so we really think we need to step up and accelerate the pace of this, or we're going to see some disasters or challenges that we may have never seen before.

And one last comment there. This past year we literally saw probably the three most complex attacks in the history of technology occur. And some of them were ones that were in the news all over the world. The first one we called Aurora, which was, you know, kind of sensationalized by Google. It was sort of the Google China headlines. But these were very complex attacks on intellectual property, and it was all about stealing intellectual property. What wasn't known very much was how these attacks occurred. In this particular attack it was all about what's called spear phishing. And spear phishing is about how I can steal your identity, and how I can do it very uniquely targeted at you. Once we know how to steal your identity, we can steal the intellectual property that you have as well. This was a pretty widespread attack across commercial high tech. A lot of companies in Silicon Valley were affected, more than 150 companies, and we saw one after another like that. Some of you might have seen Stuxnet, which was another one attacking nuclear power plants around the world. Another very insidious attack at what's called SCADA devices, and these are analog/digital converter devices that run nuclear power plants. So one after another, and very complex, so we need to do more about this clearly, and I think the opportunity for public and private to work together is quintessential to make that happen.

Very good. Let me ask any of the other panelists to weigh in on this, this critical role that managing trusted interactions on the Internet plays from a security context. Any thoughts anybody wants to add?

Well, maybe to state a little bit of the obvious, but the good news in all of that is that the good guys are also getting together in communities like this and around the country, innovating faster than ever before, comparing notes, huddling with policymakers at the White House and Capitol Hill. So this is one more important step in a good-guy reaction that's also coming, that includes a lot of innovation. I'll put one plug in, and probably mention it again later, that the fact that this strategy embraces and recognizes that innovation is driven by that crowd and not the government crowd is central to its success.

Let me move on then. And, you know, we've talked about this trust ecosystem in the context of how it's a critical foundation for robust security. Jim, I'd like to turn to you now and basically view this from the consumer's perspective, and in terms of privacy and civil liberties, in terms of the interests that consumers have: what do you see as the potential issues in authentication of online identities, and what would you like specifically to see in this national strategy, in this approach that we take?

I was very pleased when the Secretary spoke and when Howard spoke to hear a number of the themes that I consider to be very important from a privacy and consumer perspective. You know, the problem here at some level is that the government needs an identity ecosystem or identity infrastructure. It needs it for its own services, as well as part of the solution to the broader cybersecurity problem, as well as one of the foundations of e-commerce. But the government cannot create that identity infrastructure, because if it tried to, it wouldn't be trusted. Not only doesn't it have the technological capability, but it doesn't have the trust, and this is about trust.

So the first principle that I would look for in an identity policy and in an identity framework is private sector led. Secondly, the system has to be voluntary, competitive, and diverse. That is, you cannot have just one identity provider. That's why the Administration in this process consistently talked about creating an ecosystem: not only depending upon the private sector, but depending upon diversity and competition, and choice is another element of this that I heard the Secretary and Howard mention. The third is that the creation and management and use of identity has to be based upon the concept of levels of assurance, that an identity ecosystem has to recognize a range, all the way from the unidentified and unauthenticated transactions, the anonymous and pseudonymous transactions, up to the highly identified, highly reliable transactions of identities or authentication processes for the functions that require that. And too much, I think, there's been talk about sort of a one-size-fits-all kind of a solution, or a driver's license for the Internet, or ubiquitous attribution, etc. What I've heard consistently from the Administration as it's been working to put this together has been a recognition of the principle that there will be a range of transactions, some of which are completely anonymous, up to the improvements that are needed on the high-trust, high end side of the scale.

And fourth, the identity piece of the solution is only a piece, and it has to be done within a broader framework. So you have an identity framework within a broader trust framework, which has to include something that we don't have in this country and which we desperately need, I believe, which is a baseline federal consumer privacy bill.

I think this identity initiative of the Administration has to be viewed as one element of a broader set of initiatives by the Administration. The Department of Commerce issued a green paper last month, which to my reading came all the way up to the point of calling for, or supporting, Federal legislation, but did not reach that step. I hope the Administration does take that step. I hope that industry supports that step. There are those in industry who have long said that is necessary as part of the trust framework. I think we believe at CDT that it can be done in a way that provides both the assurance the customers need as well as the flexibility and support for innovation that industry needs, but that has to be part of the picture here.

I think it was the Secretary who said, but I think Howard re-emphasized it, that we don't want in this ecosystem a single identity provider, whether it's government or non-government, who has such a broad view of our online transactions and activities. But whoever the multiple players in the identity space are, they are going to have some insight into a range of transactions or a range of relationships that people have, and how that information is created, stored, shared, used, etc., has to be addressed and should be addressed legislatively.

So I think, you know, the Administration to my view has conducted a very open process here, a consultative process. They've put out for comment one or more drafts of this NSTIC, which is going to be finalized soon, I understand. And I think that there's a model here perhaps for the broader question of cybersecurity. Because if identity is a piece of the cybersecurity problem, there's a broader debate ongoing in our society, in Congress, on Capitol Hill, about the broader cybersecurity problem, and what I see here in terms of private sector led, voluntary, standards-based, competition-based, recognizing the needs of industry, based upon levels of assurance, and developed within a broader privacy framework, to me those are the same criteria which should guide the broader development of a national cybersecurity strategy, one that I think will build upon the expertise, the knowledge, the incentives of the private sector instead of a top-down approach.

I think this kind of nuanced strategy of recognition of appropriate roles and so forth is a pretty rare thing from government, because the temptation to go to tech mandates or enforcing what you already know is pretty high.

And, you know, Dave is 100 percent right. The threats here are enormous. But we can't let the enormity of the threat drive us in the wrong direction in terms of how we formulate the policy for responding to those threats. And absolutely, I think that what we're seeing, that's why I do cite this as a potential model, because it's relatively new, or at least we haven't seen something like this in a while in terms of the consultation, and it's not like there's no role for the government; that's the important thing here. But it is not the role of regulator. It's a market driver. After all, even in the identity space the government is going to be a user of identity services, which it needs for online tax payment and a whole host of other online services. And I also think that there could be the potential for global leadership here as well, because every country in the world is grappling with this. Not to cite the ITU, but I'll cite the ITU. You know, talk about a top-down approach, a government-dominated approach. So I think that it's good to see the U.S., you know, Secretary Clinton gave her speech on global Internet freedom just about a year ago; now with this initiative I think it's good to see the U.S. government playing that kind of global role, setting a global model, because other countries are looking at this clearly and they're looking at it with a significantly more regulatory approach.

If I can make just a quick comment, too. I think both Jim and Howard alluded to something that's critical here. The private sector needs to step up too. I mean, the industries need to step up. If you really look over the last 10 years or so, we've seen very little standards form in the world of security. Look at how many online transactions we now have, almost $14 billion worth in the holiday period. We need more security standardization to occur. It's taking the private sector and the public sector to work together. One example that's come out, which has been recently effective, and can be criticized to varying degrees, is what the payment card industry did. Some of you might know PCI. I know everybody here does. But Visa and MasterCard and some of the credit card companies got together to create some initiatives where, if you were to use their credit card, you had to adhere to certain security standards. And you had to come up with ways in which, if you were to lose consumer information, privacy information, it was under penalty. What's called DSS, or data services, that had to be notified publicly. So in this particular case, we watched industry drive almost the standardization across everyone who used credit cards. It was a wonderful example of an initiative that came from industry. We need to continue that kind of initiative, from the security industries, from the banking industries, from the transportation industries, to embrace this model that the public sector and the government is also doing. So how do we come together a little bit more as consortiums and groups, but recognize that capitalism is here, too, and we need to have that ingredient in the process as well? It's very tricky and very challenging, but we've seen examples that do work and are effective and are driving standards for architecture decisions in all companies, such as PCI.

Two things on that real fast, Pat. Standards unlock innovation. So absolutely. Standards can sometimes be very tough to do too, for a whole host of business and other reasons, so the tough job here for government in this strategy, I think, is to understand that you want to strive for standards, try to catalyze standards, obviously being involved in SDOs with the government directly, but also realize there may be times in this strategy when innovation is moving fast enough that you say, okay, a best practice here is something we should catalyze, because the standards fight is going to drag on for a while. So I'm of two minds on standards: they unlock innovation, but sometimes if they take too long, we don't want to wait for the standard to catalyze.

With regard to standards like PCI compliance and even best practices, those typically are things that, just speaking as a Silicon Valley entrepreneur, things that you deal with when you're big. So you know, I'll just give you typical things that have happened to me twice, and how a lot of companies bring up their sites. You toil away on a website that you build, like in your living room, right? And you spend like a couple of weeks building it. You launch it, of course, and two months later you have 5 million users. You have 10 million credit cards in your system. You have 5 million passwords, and it's like, I'm a good guy, I want everybody to be secure. They don't really care. Like, at this point, my concern is keeping the server on. You know what I mean? Keeping it running. I think that this is something that didn't used to happen, this sort of overnight site really getting big. I think that there are a lot of technologies that we as start-up entrepreneurs flock to: anything that makes it easier and faster to do anything, and cheaper. So like Amazon, easy to do. So everybody hosts there now. So whoever's working on this, you know, identity and security issue, if there were a system that were something that I could just plug into my website when I'm building it, so I just don't have to worry about it and I can work on other things, that would probably be successful. The closest example to that now is Facebook Connect. A lot of entrepreneurs will look at that because, okay, Facebook will deal with that stuff. They make sure the passwords are secure and the people are who they say they are. And they worry about it. That doesn't seem like the right solution for everybody. I'm probably not going to pay my taxes on Facebook Connect, unless I might at one time. But even that, it's not really connected to, I can say I am whoever I want to say I am on Facebook. And last on that.
I think that the more that you ask a user to give up about themselves, in many cases, the fewer users you have. Obviously a site that does not require registration will have a lot more users than a site that does require registration. There are various levels of registration. Do I require that you confirm your e-mail address? That's just one tiny step above totally anonymous, because you can obviously create fake e-mail addresses. Or do I implement something like Facebook Connect, which is a little more of a pain in the ass for the user? In fact, when you implement Facebook Connect, you have fewer registrations for various reasons, but one of them is because the person, they're like, well, I'm just trying the site for the first time, I don't want to connect to my whole online identity, this may not be the thing for me. But I will say there's probably a solution to that problem, which is, there's a theory that goes, if you take, some of you may have heard this, if you take a normal person and you provide them with anonymity and an audience, they will likely turn into a total douchebag online.

Is that a technical term?

That's a technical term. The Greater Internet (inaudible) Theory is what it's called. And the point is, the more anonymous your site is, the more insane your users are. You look at the behaviors of users on YouTube, which is like semi-anonymous, and they're all jerks. And you look at Facebook, where there's a little more, there's reputation involved and probably your real name and things like that, so they act a little better. So if somebody were coming to me saying, hey, this thing is going to make your site a lot more secure, I'm like, okay, yes, security is really important to me. Will it make your users less insane or more insane? Like, where's that level where you want it to be? Like, okay, that sort of ties in with security. I hope it will be successful.

Howard, you didn't cover the fact that identity management affects human behavior in this direction. I found one striking theme in listening to this discussion, which Howard touched on in his remarks, which is the usability of this ecosystem, because it sounds to me that it's essential for enabling consumers to protect themselves. It has to be something that lets them scale the identity infrastructure. It's critical to developers. They have to have something that's usable, where they can lean on the infrastructure to quickly put in the correct amount of, you know, this infrastructure they need. And it's critical for security. It has to be put into meaningful use if we're going to establish these trusted transactions across here. So it's an interesting point that the efficiency and the usability of this infrastructure is really essential to it being turned into a meaningfully usable infrastructure.

And that people are going to want different layers or levels of how much information they're sharing, how much revelation they're sharing, so that for different experiences they'll have different needs.

I think there's another. I'm not a technologist at all, I do technology policy, I always say, but I understand that there's a law of computer science similar to the douchebag law, which says that the more complex a system becomes, the less secure it is. And the harder it is to authenticate yourself, the more likely it is that people are going to develop some kind of a workaround, which opens up another avenue of vulnerability. So, you know, again, I think both of the government speakers, the Secretary and Howard, said essentially the same thing, which is they are not looking upon any of this as a silver bullet. But I've become convinced, you know, there's a clear trade-off, I think, from a privacy perspective between centralization versus multiple identities. There is a risk associated with centralization, but I've become convinced that on balance, reducing the number of identities that people have online will definitely improve security and could also, if properly done, improve privacy. "If properly done" is a bit of a significant caveat. But right now you have, I think, an unworkable situation where people do do lazy things, and that's fundamentally insecure, and even people who know better do insecure things, and even people with significant responsibilities, we're not only talking about consumers, but people with systems administration responsibility, practice poor password habits. So this process of beginning to create a federated identity system makes it easier, makes it more likely that people will use it, helps the entrepreneur by saying, okay, fine, I can now focus on my value added, not on re-inventing the identity piece.

Let me, there were two other themes that I really want to come back and touch on. And the first of these, that was also discussed in the earlier comments, has to do with the fact that we're moving forward in this strategy in a public/private way. And Phil, I can't think of a better question for you. You've been really on both sides of this. The Secretary and Howard both emphasized that this is not just a partnership, but they defined some of the roles in the partnership. This is a private sector-led activity, private sector-driven. How do we get there?

Yeah, I think a great point. Great theme. It's one of the reasons to be excited about the strategy. I think the two most critical hurdles have been cleared, which is first acknowledging the appropriate roles, and it should be private sector-led in many of these aspects, and then secondly, it is very important that Commerce was selected as the place to centralize this. Commerce is essentially the private sector's voice in the council of government at the federal level, so I think those are the two most critical hurdles. From there, listen, learn, help, lead. Listen to the private sector, listen to the kinds of folks we have here: we've got bankers and VCs, companies large and small. Phil Dunkleberger is launching one. We've got integrators like Raytheon and Northrop Grumman here, I think. We've got smart grid leaders like Infineon here. So listen to the industry. The sector coordinating council model that the government uses is a good model. I would encourage this partnership to not just be limited to those who are large enough to send folks to participate in sector coordinating councils, but let's move out around the country in settings like this to listen.

At TechAmerica we've been doing identity technology events for the last six years, so I know there's a lot to listen to out there in emerging technology. So the second step is to learn. Part of that learning would be more federal R&D in this space, so that everybody can learn and move forward there. In terms of helping, I think it will be in policy matters, but also international trade matters, where we're going to have others who are going to want to block databases or access to databases, or are going to require kernels or all kinds of things, where again Commerce is positioned to be an advocate in international matters. We have Europe looking at their definition of the Internet of things in terms of machine-to-machine connections, Howard, so Commerce will be well positioned there to help, and then positioned really to lead, co-lead that public/private partnership, I think, after listening, learning, helping a little bit.

Just to add on a little bit to what Phil's saying. I would encourage us as well, I think it's a great step in the right direction, we need to go global as well. We know that, Howard knows this as well as anyone, we see the Internet as a very global, global aspect, and of course we need, as a country, the United States, to take a leadership role. I think this is a great opportunity for us to do that. I think it's a needed requirement. We may have a very strong identity ecosystem built out of this country, but if we don't go global with that kind of concept, it's not going to ever really go mainstream, just because, again, we see such tremendous commerce being done all over the world in every country, in every type of fabric. You know, we need to take this and continue to drive it across the world.

So to the extent this partnership works and policy positions and an Administration view emerge on some of these things, they can take that and advocate with the EU, with China, wherever it may be. That's how you get to global. I think that's exactly right.

So as the government official, I hear a couple of, you know, activities that the government needs to do. It can be the convener, basically a catalyst for action, you know, working on bringing folks together. It can be the champion and advocate, particularly in international and other arenas where it has a particular role. It can also be government as adopter. This same ecosystem we're talking about that's so critical, the government needs itself for both government-to-government and also government-to-citizen interactions, and how do you do that? But how do we make that government role work most effectively in a private sector-led, in the leadership activity? Any thoughts, from anybody on the panel, on how we make sure that we do this in the most productive way?

Well, one quick thought. I'm sure others have better thoughts, but I think you have to adopt an aggressive schedule of interaction, because the innovation pace is so rapid. New ideas, new companies coming so quickly to get to that full ecosystem with many choices that I think there really has to be an aggressive schedule from the government side of things. We're committed, and we're going to have regular interactions, not just in Washington, D.C., but, you know, around the country, to really make sure that we're kind of joined at the hip with industry and abreast of what's going on out there.

Excellent. So yeah, if we're the catalysts, we'll be turning to all of you for help if one of the requirements is to move quickly, and I think you're right, and I think that actually leverages our international advantage as well, if we can really be a first mover in this, a real innovator in these technologies. That would really be critical. One other comment I was going to make, and I would be interested if there was any reaction to this: the issue of standardization came up. Standards certainly set a foundation for innovation. They enable interoperability, and many of the other goals are central to standardization. They've also been accused of hindering innovation if they're set too early. It seems to me a private sector-led approach can really help us walk that line very carefully. Any thoughts on that from anybody here?

Well, I'll use the example I gave earlier, which was the payment card industry was able to accomplish at least some degree of success already. I certainly see a framework that they've used to go in and recommend security architectures for anyone using their credit cards, actually enforcing it with fines and other types of audits that were required, pretty much entirely driven from the private sector, but only uniquely done for a certain range of credit card holders or credit card institutions. So if we even take some of that example and, you know, begin to engage it in other industries or other types of public sectors or more globally, we can make a dent even further. And I'm not even advocating PCI as a framework; it was the concept of it. While it was somewhat laborious to implement initially for companies, and especially for entrepreneurs, it at least made some traction over time. We have to start somewhere and continue to move the ball forward, but there are some examples out there.

I think that would be huge. It's not that I want more policies and rules and fines and, you know, stuff like that. Like, if I felt I would get in trouble if I did it this way, I might not do it that way. Also, just the fact is, you know, you mentioned best practices. There really just are none. There's not one way that everybody implements security. I mean, there are a million ways, and so maybe, you know, I'm thinking start with the farm leagues. My companies, when they start, they're small, and maybe that means just education, like to computer science students or to software makers and, you know, development environments, just people being like, here's how to do security and how to do it properly, and this is, like, whoever's working on this decided this is the best way. We all kind of sign on and everybody just, if I just knew what was the best way, that's the way I would do it.

One of the keys too, to add on to Jim for a second, is we see the time of domain registration as a very unique time too. So when you first set up your website and you're home and you're designing your site, how do we authenticate you as a good citizen who is creating that website? And I know some of the folks from ICANN and others are here in the audience. What we see now is a pretty easy way to register domains. From McAfee's standpoint, we'll see somewhere in the neighborhood of 2 million bad websites created every month. Two million of them every month. So, if we could do a better job with domain registrations early, authenticating who it is that's creating them, making sure they're good people to start with, and maybe even making sure they have a base level of security identity reputation to start, you know, that is just another step in the right direction. If we leave it to the point where you can register 10,000 new domains and cause a phishing attack 10,000 times in the course of an hour, all because we weren't able to police the domain names themselves, we've created an atmosphere where bad people in their homes can create websites and do bad things with identity. So there's almost a need to go all the way upstream from the time you register a domain and then have monitoring processes all the way down through. You have to hit it from both ends. Create unique tools that developers can plug into their servers and plug into their websites, but also, at the time they start commerce, from the very beginning, drive a process that controls who they are and what they're doing and monitors them throughout the process. We've got to hit it on both sides.

Like domain keys for e-mail. The way people fight spam by proving who you are by saying who you are.

One of the benefits of this strategy is going to be that the government is bringing its own people together and comparing notes, perhaps more than they have. Especially in the area of standards, where I think the federal government, in one form or another, is probably represented in a huge number of standards development organizations that would touch this issue. But how much are you just comparing notes to find out, hey, this one worked over here in this venue, this one didn't? You know, just that comparing notes alone I think could be a big payoff.

We didn't talk much about the interagency aspect of the National Program Office. I certainly agree with you that would be a key piece. Before we run out of time I really want to come back to Philip. You're our voice of entrepreneurship here, and I wanted you to have a chance to comment on it from the perspective of an entrepreneur. Because one of the other things that the Internet provides for us is this rich environment for innovation and creativity, and we want to enable entrepreneurship. So from your perspective, as an entrepreneur, how does it look today? How much time and effort is spent in doing identity management, and to what extent is this a barrier or a disadvantage in being as creative as we can?

Well, to use the example I gave before, you have, you know, you're in your living room and you're making a website. I'll give one example of this. Some of you, if you were in the Internet business in 2000, did you ever hear of (expletive deleted)? Which is a site that I ran back then. You probably didn't know that.

It wasn't on my search list back then.

Maybe you guys probably blocked it. [ LAUGHING ]

But that was a good example, literally a site I put up in one day that had 5 million users within a month. Certainly when I built that site, and later, when I started a network called adBrite, which was a similar story, to help people buy ads on websites, which did $100 million in revenue in the first few years, all just from credit cards, and you know, I can say it now, for those who are listening, we are totally PCI compliant. But we totally were not. You know, we just built the site and we just took off. The question is, you can spend a week making it so if somebody is doing a brute force on the password, like you lock the account for 10 minutes, and then you require a captcha. There's simple things you can do, but do I want to spend my time doing that? Do I want to get TechCrunch to write about us, or actually build the site? So the answer is not a lot. But that said, I used to spend a ton of time racking servers and crawling around floors and plugging in wires. I have not done that in 100 years, because there's now services that just do that out of the box. I mentioned Facebook Connect is a good example: I can put in one line of JavaScript and I've got a login, I've got a whole identity link system. That's cool. I'll use that. For me it's about, and I think for a lot of entrepreneurs it's about, saving time and giving them something that you think is not going to turn your users away. The total anonymity, the fact that most of the Internet is anonymous, is one of the things that makes it go around. I think it is not a lost cause; there's a huge opportunity. And I think that will happen.

Somebody just needs to make it super easy. And they need to appeal to the human psyche, how it works. If I know that you know who I am, I'm going to use your website differently, and if somebody sort of goes after that, I think they can be successful.

I'm glad you came back to that point, because I think, you know, we've got to keep that innovator in mind. This is kind of the great threading of the needle of this strategy: to say we're going to increase trust and security while also keeping our eye on innovation, because at the end of the day we're talking about jobs.

That's right.

So again, I think the strategy is threading that needle.

Yeah. If that is about a trust ecosystem, an identity ecosystem, the other ecosystem we talk a lot about is the innovation ecosystem, and the environment for creative individuals to take their idea and be commercially successful and create jobs, and for the country to reap all that economic benefit. So let me ask the panel generally: any thoughts on, as we move forward on this strategy, as we start this machinery of working together, this public-private partnership, how do we ensure that we don't lose that?

Well, I would hazard to guess that if you have an aggressive schedule, engage with the private sector, they won't let you lose that.
Any other thoughts?

We have a few moments, if there's some key questions from the audience, we have some roving microphones, so allow time for the microphone to get to you. Since you're standing right near the microphone, why don't we start there and then we'll come over here.

If you can introduce yourself, and let us know if there's anybody in particular that the question is for.

My name is Mary Hoder. I build software and I'm also a user advocate. My question is actually for you at the Department of Commerce. I'd like to get a concrete example from you about how you can fold user concerns into your process for NSTIC and what you're doing here. I understand the companies and innovators, so I would put myself in the category of the Blippy guy, and, you know, I'm thrilled that Jim Dempsey is here because I think he is a great user advocate, but I'd like to know who is, you know, are you putting someone on your committee who is a true user advocate? Someone who isn't in an organization? Somebody who doesn't represent companies, because company interests are different? There's no way that I can build software and truly represent what users think about this stuff. You know, how are you going to build that in? Or will we get to the end of this process and say, wow, it was a tragedy of the commons because, you know, the company interests, the government interests, the credit card company interests, you know, check points' interests got represented, and wow, we just kind of lost the users in this process? The citizens. How are you going to do that in a concrete way? Not just talk about, like, it would be nice, but how do you really make that happen?

So that's a fascinating question, because one of the government's roles is to protect the citizens, so the government has sort of this interesting perspective of multiple interests: create a strong economic environment, protect the interests of individual citizens, and I think there's a variety of ways this specifically happens as we go forward. One of the ones Jim talked about is that this effort is going to touch specific policy, including potentially legislation, where you're talking about how it touches privacy, how it touches other aspects. The question you're really asking is, in this governance, if we're going to move forward together, how do we specifically make sure that those interests are being addressed? And I would say we don't know that yet, because there is no specific governance that's been put together yet. So what we're talking about today is the beginning of the beginning. We're saying our intent is to move forward in this direction. I'm actually going to turn that request around to you: as we set up this public/private partnership, please tell me how we should do this in a way that ensures that those interests are fully met. And there's a wide variety of vehicles we can use to try to make sure that this is in place, but there is no plan in my hip pocket, in anyone's hip pocket that I know of, of how this is going to unfold, and I think one of the key things we'll be looking for is how do we make sure that we don't have that tragedy of the commons. I think that is an intrinsic government interest.

Just a quick thing. There are, obviously, a couple of public participation structures already. I'm sorry, Ari, what was the name? ISPAB.


Under NIST, there is an entity, the Information Security and Privacy Advisory Board, which is specifically intended to bring public advice. Ari Swartz, formerly of CDT, now at NIST, was on that board, and there have traditionally been others on it with a public policy perspective. At CDT, the Center for Democracy and Technology, we've actually tried hard to participate in standards processes. The essence of many of the standards processes for the Internet is consensus-driven and relatively open. There are varieties of openness in the standards processes. From my perspective, the more open and participatory it is, the better it is. We've worked hard to participate in that. It's incredibly time consuming, of course, and we just have not had the resources to be able to significantly bring the public voice and the sort of consumer perspective to bear. But people are just now talking about governance in the identity space; actually, we're hosting a meeting in a couple of weeks, co-hosting with others, the Open ID Exchange, etc. It's not too late, in that people are now beginning to ask that question of how do you govern this identity ecosystem.

With regard to representing users in these decisions, as policy, whoever makes the policies or the software, or the entrepreneur who makes the website, I think in most cases we have to do what's best for our users. I'll tell you what, if we ask them what they would want, people 28 and above would say, oh, I want you to protect all my stuff and I don't want robbers to know when I'm on vacation. You know, talk to anybody 28 and below, 25 and below, they do not care. Like if you just flip through every Facebook user and close your eyes and pick one and ask what do you think about privacy and security on the Internet, you know, people finding out your personal information, they're like, I don't care. Like, whatever. Like it doesn't matter.

I don't necessarily buy that, but.

I'll tell you what Blippy does, my current company. Blippy is a website where people hook up their credit card statements to the website and make them public, essentially, so their friends can see what they're buying. [laughter] There's more to it than that. You can choose what you want to show and what you don't, that kind of thing, but the point is, it's one of those businesses that, you know, when we started it, grownups were like, "That's insane! Who would ever do that?" Kids were like, "That's awesome, I would love to do that." You know, it's like this total disparity. So in some ways, with regard to representing users, yes, obviously we want to know what users want and take their ideas into consideration. In many ways, you know, I know what's best for you. I'm going to do all this security and make sure that you're safe. I know you don't really care, but you will care if something bad happens.

I think if you look at Facebook, the younger the person who gets on Facebook, the more likely they are to use the privacy controls, not less likely.

That's not in my experience.

Let me, because I don't want to run out of time.

Last thing. You guys probably can all relate to this. When I was a kid, my mother, when we were going on vacation, she was like, don't tell anybody we're going on vacation. And we had these things that would turn the lights on and off when we were gone so it would look like somebody was home. My kids will tweet the second they get to the airport. I don't have kids, but one day. [laughter] And I do. I say, "I just landed in Hawaii," as I did last week. And the reason you do that is because you get this huge benefit from doing that. My parents always told me, don't tell people when you're gone, like somebody's going to rob the house. The fact is, you know, maybe it's happened here and there. I know that when I tell people I just landed in Hawaii and I happen to have three friends who were in Hawaii at the same time, "Yo, let's get together." I just get an enormous benefit from giving up what would theoretically be a piece of personal information. This is what kids are experiencing over and over and over again. The benefit.

Let me get one last question.

Audience member: We're with Electronic Engineering Times. The question's about who's going to pay for this? One of the perennial questions, I think, in security: people like me have a couple of passwords that we recycle because we're willing to spend about zero time and money on security. And yet you face real costs here in providing smart cards and USB sticks and doing standards, and even if they're just done in software, so how is that going to get paid for?

Well you're paying already, of course.

Well let me ask the panel.

There's a cost of the fraud.

Let's touch on the economics of this, both time and money. Time and treasure. How does this play out as we move forward, do you think?

Well, one of the most obvious is the government as buyer is going to do things for their own security needs, both physical and cyber, that they need to do, which are going to be market makers. HSPD-12 is an oft-cited case of that, where you've got to have a real secure smart card and so forth. That makes a market, but that's the government spending public money to fulfill a mission, which is going to spill over into other private sector and innovation benefits. So that's one where we're paying for it because we're pursuing other missions, which serve as sort of an R&D program for the general economy.

Typically the private sector would pay for this in many cases when they see there's an advantage to doing so. I think Jim was alluding to it. Fraud reduction is a great driver for the private sector to do it. We see that all the time, where if there's a benefit for private industry to cut down on the losses that they have, or the insurance claims they have, or some sort of fraud attack that they have, they're going to design a better security model to prevent that. If you were losing all the advertising revenues that you were gaining, you might come up with a more secure model for doing it. So capitalism has a way of driving this as well. I think we're continuing to see that, but how do we coalesce that together across a lot of the private sector and interlock it with the public is probably what's needed here and clearly what we talked about.

Good. I don't want to run over our allotted time, and unless I'm mistaken we are at the end of our time, so with apologies, because I know there are a lot of questions in the audience, I want to once again thank you all for attending, and I particularly want to extend my sincere thanks to the panel. It is a great pleasure to be up here with you.

[ Applause ]

Let me thank again our distinguished speakers, panelists, sponsoring organizations, and the people associated with them who put time into this activity. We have this room for a little while, if you want to meet and talk here, and I also want to point out, for those of you who are not familiar with campus, if you head towards the parking lot, the next building has a little cafe and coffee shop and so on if you need to get something there. Thank you all for coming. It is great to see you here. Hope to see you again another time.