Page 27 - FCW, Nov/Dec 2016

the actual individual is likely to answer correctly — is also a dicey strategy.
“With the advent of social media and the new generation of folks who just put everything online, it’s not as secure as we hoped,” Kerber said. “That’s why we’re having to move beyond that.”
If there is a silver lining, it is that most government websites do not need to collect personal information, said Michael Garcia, acting director of the National Strategy for Trusted Identities in Cyberspace (NSTIC) at the National Institute of Standards and Technology.
“As much as we think about government needing to know your true identity, the reality is that for most government services that are constituent-facing, you really don’t,” he said. Visitors who come to a site to look up statistics, download forms or subscribe to newsletters, for example, need not be asked to authenticate their identities.
Key hurdles
Nevertheless, many agencies do require personal information, and people increasingly expect government services to be available online. Authenticating identities and safeguarding authentication information are difficult for several reasons, including the challenge of educating people to behave smartly online.
And unfortunately, problems never stay solved, Kerber said. As fast as solutions are launched, adversaries start finding ways around and through them. “The hackers are always trying to get the information you have,” she said. “In today’s society, data is value. That’s what everybody wants.”
Garcia said there is a tension between security and access. When security measures are strengthened, “you’re going to have more individuals who are the rightful owners of that information who are rejected,” he said. “It’s unfortunate. We wish it weren’t the case, but if that’s the price we pay to prevent adversaries from getting access, it might be an acceptable cost.”
The government needs to recognize the importance of authenticating and protecting people’s identities, Kerber said. Recent efforts, including NSTIC’s work and GSA’s Connect.gov and Login.gov, are examples of the kinds of sustained efforts that are needed, she added.
“It’s complex, and I think it’s suffered from a lack of consistent investment,” she said. “When they look at
DOD looks beyond Common Access Cards
The Defense Department embraced enterprisewide identity management and authentication long before most civilian agencies did, with Common Access Cards serving as keys to both digital and physical access. So it caused quite a stir in June when DOD CIO Terry Halvorsen announced that the Pentagon was “embarking on a two-year plan to remove CAC cards from our information systems.”
CACs are impractical for mobile device access and can be dangerously inefficient for authenticating identities on the battlefield. So DOD plans to continue with public-key infrastructure encryption via other means and incorporate true multifactor authentication to allow users to access networks.
Halvorsen elaborated on those plans at a Nov. 1 event hosted by FCW’s sister publication Defense Systems. Ideally, he said, the U.S. military and its allies will move to a system that incorporates as many as “15 factors that we would actually check for identity...and any given day, randomized, we would be using five or six of them.”
Those factors would include biometrics, behavior metrics and probably some data metrics, Halvorsen said. And no one would know which factors were being authenticated for a given login; algorithms would automate the ever-changing combinations.
The department is deliberately not specifying exactly what comes after CACs, however. “Instead of doing a big spec,” Halvorsen said, “we basically said, ‘Listen, we want to maintain this level of security without a CAC card requirement. That is the only requirement.’”
And the early results are promising. “It has been amazing the type of technology that industry brought us...stuff that we would never have thought of,” Halvorsen said. “I think that is proving to us internally that this works.”
—Troy K. Schneider





































































