Naomi Lefkovitz is working toward better, simpler security. (Mike Morones)
A critical milestone of NSTIC is testing the concept in the federal space. The pilot launch of the Federal Cloud Credential Exchange is imminent and will eventually allow citizens to obtain usernames and passwords from trusted providers that would be accepted by other agencies.
"You can integrate privacy with security and have both at the same time," Lefkovitz said in an interview from her NIST office in Gaithersburg, Md.
Her past roles include director for privacy and civil liberties for the White House Cybersecurity Directorate and senior attorney in the Federal Trade Commission's Division of Privacy and Identity Protection. Lefkovitz sat down with Federal Times Staff Writer Nicole Blake Johnson to discuss her privacy work at NIST. Following are edited excerpts.
What does your position at NIST entail, and how have your past roles prepared you?
I support the National Strategy for Trusted Identities in Cyberspace. I've been the privacy lead for NSTIC. Privacy is one of the four guiding principles. So, it's very critical that we get that right. As part of NSTIC we are trying to get the federal government to be an early adopter. An important part of that objective is getting the Federal Cloud Credential Exchange into a live pilot. The goal there is for federal agencies to be able to accept commercially issued credentials, or credentials issued outside the actual federal agency. We want a good citizen experience. We don't want citizens to get five different credentials to interact with five different agencies. We also want to save government resources.
I've also supported the work that we did on the cybersecurity framework under the executive order. We were directed to include a privacy methodology. I led that process. Now, we are working on building out a privacy engineering and research program in the Information Technology Lab.
How were you brought on to the NSTIC initiative?
I was brought on out of the work that I did with NSTIC at the White House, but they hoped I would be able to take a broader role. It's the Information Technology Lab, and all of the initiatives around big data and biometrics and smart grid and NSTIC all sit in the lab, and every single one of them impacts privacy. So, they hoped that I would be able to provide policy advice on how best to integrate privacy as we build out technologies.
What is NSTIC, and how will this identity ecosystem work?
We envision this ecosystem where today you probably have passwords and user names at hundreds of places, and it's very likely that you're actually reusing your passwords in many of those places because you can't remember that many passwords, which is not a good security practice. Really, NSTIC is about getting rid of the password and making it easier for people to do transactions online but in a way that is trusted and would eventually allow them to do more sensitive transactions around health care and financial services that are hard to do today because we don't have sufficient trust about who you are online. At the same time we want to be able to preserve places where it is appropriate to be anonymous online; we want to keep the best of the current system but bring more trust.
The idea is that you have choice in the kinds of digital credentials that you can present online. Instead of going to companies and them giving you a user name and password, you might be able to go to your telecom or your bank or your insurance company or your state or government agency that you trust, and they would be able to give you a digital credential, which you would be able to present at other businesses or federal agencies.
What kinds of digital credentials could be used?
It can take many forms. It could be on your smartphone. It could be a card that you stick into the computer, like a [Personal Identity Verification card] or a [Common Access Card]. It could be getting a one-time password that you type in. It would be a unique code each time they send it and you would have it in your smartphone. One of the keys and guiding principles is that this needs to be usable.
What has come out of the NSTIC pilot programs and how does that fit into the larger vision?
We actually have a three-pronged strategy to help facilitate the development of this ecosystem. There is a federal side trying to get the federal government to be an early adopter. The pilots are the second prong of this strategy, and the goal there is to award grants that help to jumpstart pilots. Sometimes they are a component of what is needed to overcome a barrier in the ecosystem. The goal is to help to overcome some of the barriers. If this was so easy, it would have happened a long time ago.
Most of the pilots are still running, but they have turned out a lot of lessons learned. We do have some very interesting pilots running where they are testing different kinds of exchanges and user interfaces to help with privacy. Some pilots are focusing on trying to generate standards and policies so that other organizations don't have to keep reinventing the wheel. Others are trying out business models about how to exchange attributes and actually be able to make a profit. Generally we are not looking for a specific piece of technology. Technology has not really been the issue. There are a lot of pieces of technology out there. It's putting them together in an interoperable way. It's getting everybody to agree on the policies and make business contracts.
Similar to the cybersecurity framework developed by NIST and industry, there will be voluntary standards for industry under NSTIC. Are the pilots helping to generate those standards?
Eventually. In some cases [the pilots] are illuminating the gaps, which brings me to the third prong: the Identity Ecosystem Steering Group. It's a key point around NSTIC. This needs to be led by industry. We can help facilitate, we can help convene as the government, but it needs to be industry led. To help promote that we actually funded through a grant to help this nonprofit organization to get off the ground. It's a multi-stakeholder organization. There are companies ranging from the big Fortune 500 companies, ACLU, Electronic Frontier Foundation to AARP and small businesses.
They are working to put together the policies and identity and adopt the standards and develop the requirements, eventually to be able to say who is going to be a participant in this identity ecosystem. Sort of the rules of the road. The government has a certification program to be qualified as an identity provider to be able to provide credentials that can be used at government websites. In some ways we are an early model for the [NSTIC] ecosystem, but the issue is we have this program but agencies weren't using the credentials from the identity providers. One of the reasons was because it was a little hard for agencies to integrate with multiple identity providers. That's where we got the idea of having this [Federal Cloud Credential] Exchange that would sit in the middle ... the exchange would manage all the relationships with the identity providers.
In the past you've talked about privacy-enhancing solutions. How are you working to ensure privacy is built into solutions up front?
Today our primary credential is a driver's license. When you show that at the bank or the movie theater or the airport, the (Department of Motor Vehicles) actually doesn't know where you went with that credential. So, there is a form of privacy, but in the online world ... the identity provider knows all of the places you're showing that credential because of the electronic connection. We are concerned about that because now it lets identity providers build profiles and possibly track people around the Web. We didn't want to create an ecosystem where there is less privacy. There is a form of cryptography technology ... which would actually disconnect that link. You could truly assert your credential but the identity provider wouldn't know where you were asserting it. What happens when you show your driver's license? You show everything. Even if you're just trying to get into the movie theater, and you want to prove that you're over 17. You see everything. This technology can also assert a claim. Maybe the claim is "I'm over 17." You don't even need to know a birth date. This technology can do that, and it can assert that you are over 17 without showing any other information about you.
What's happening with the Federal Cloud Credential Exchange?
The broker is going live very shortly. The first agencies that are working on integrating with it right now are VA, USDA, NIST and GSA. It will be a live test environment they can start integrating with. The next thing will be to actually integrate specific applications at the agencies. Now it will be fully available and we are working on the schedule for the first of the four agencies. They are still picking their applications.
Is there a timeline for NSTIC?
NSTIC is the broader initiative. I think this year we're going to see a lot more substantive work around this identity ecosystem framework taking place. NSTIC calls for this process of being able to have certification and trust marks and that is one of the things to ultimately look for is how the steering group is going to implement the kind of system to get to the point where people know and realize that organization is part of the ecosystem, and I can trust them.
Have the Edward Snowden leaks about NSA impacted the work you do, or how you all approach your work?
NSTIC has had, as one of its core guiding principles, privacy. To that end, the issues around it we have long talked about preserving anonymity, actually allowing people to share less information. In many ways we have already been helping to limit tracking and profile-building around people. So, we've already been doing many of the issues that have come up.
Can you provide an update on the privacy engineering and research program?
Some of the work we did under the framework, it became clear that on the cybersecurity side there are many standards, there are risk management models, there are all kinds of components of a mature way of looking at this space. On the privacy side, they have a lot of high-level principles ... and not much underneath. They are great principles, but it's very hard for organizations to implement principles in a consistent and repeatable and measurable way to know whether you are getting effective privacy.