"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." - Albert Einstein
Have you heard? All of our security problems will be solved. Information Security breaches and hackers will be a thing of the past, anachronisms of a bygone age of wild and wicked lawlessness with no known parallel or precedent since the dark ages. At least according to the newly proposed “National Strategy for Trusted Identities in Cyberspace” and Obama’s Cyber Zsar, Howard Schmidt.
The idea is simple. Each and every citizen will be issued with a unique, secure online identity, so that the originator of any and all Internet transactions, connections and requests can be readily and easily identified. This ID will allow for authentication and identification of all Internet participants, and thus make it so much harder, nay, impossible even, for those dastardly hackers to use and abuse stolen identities and services.
Sounds too good to be true, right? And like so many other simple ideas, that at first seem to make perfect sense, it really is too good to be true.
I am not implying that it is not seriously being considered. Rather, I’m saying that it will not in any way offer the security advantages touted by its proponents and cheerleaders. The reasons for this are manifold, but the greatest, most obvious flaw in the approach is that it literally improves nothing at all. In theory, every single user on the Internet is identifiable somewhere-- at their ISP, University, employer, or just their friend’s house. There is no unauthenticated, anonymous access to the internet unless it is purposefully granted, like public hotspots and their ilk. For every other form of access though, someone, somewhere, has to authenticate and identify themselves to be able to use it. This, in addition with IP-Addresses, which are sent along with every packet and connection, should already allow for unique identification of all participants.
So why doesn’t it? Well, because those mean and cunning hackers don’t play by the rules. They will use and abuse other peoples’ connections, devices and identities against their owners’ will, permission, and knowledge.
Endpoint insecurity, application flaws, a lack of security awareness, or just plain stupidity are of course the ultimate root cause. None of which will in any sensible way be mitigated by an Internet ID. If a hacker hijacks a user’s computer or mobile device, he is masquerading as that user, with all of the implied permissions and access rights.
Of course, the government claims that their system will prevent this. It will be foolproof, impossible to abuse-- the hacker-killer. Technically and realistically, how they figure this strategy is more secure than our current one boggles me. If there is a way of providing this securely, then surely we should apply that know-how to what we already have in place and save ourselves a lot of money and trouble.
Sure, this tactic will hinder some hackers. Your Granny, your seven year-old, and your dog will find it next to impossible to bypass this. But then again, they aren’t really able to do much harm anyway. Whether any serious criminal or foreign entity will be negatively impacted is highly doubtful.
Quite the opposite. Last year’s Certificate Authority failures made it all too clear how overly relying on one supposed sure-fire security technology left in the hands of overly commercially conflicted parties can lead to disaster. This will be greatly amplified with such a wide-ranging, heavily impacting methodology. “For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login to various online services”, says Schmidt, which to a hacker reads as “For example, no longer should a hacker have to hack an ever-expanding and potentially difficult to obtain list of usernames and passwords to login into various online services”. Laying all of your eggs in one basket is still a bad idea, and as long as the Identity Management system is not 100% secure, it just adds further complexity and overheads with no benefit. The same has recently been said of passwords, and many of the same arguments apply here too.
The fact that this is not something that can be applied globally is also problematic. What good is it if only the U.S., or, in a best case scenario, a few other interested parties, participate? How will Chinese, Saudi Arabian, German and other trading and business parties fit into this scheme?
So what gives? Why this idea? Obama can’t be blamed. He is but a politician, and alas does not know any better on such speciality topics as Internet Security. He relies on his advisors to provide him with sensible ideas and guidance. So we have to wonder what Howard Schmidt and friends are really up to.
We can be sure that this will generate a lot of economic activity, on par with compliance, another massively expensive approach and overhead with dubious practical success. If made mandatory, it will be an industry bonanza.
It seems the only real beneficiaries then, would be the vendors and business involved in designing, deploying and selling the infrastructure and obligatory gadgets intended to provide this “identity ecosystem.” Marketers and Advertisers would undoubtedly also welcome the ability to be able to reliably track the online activity of consumers, especially using his real identity, and all the more now that there is such close scrutiny of illegal and unethical methods of doing this. In fact, it sounds exactly like the kind of crazy idea that those fun guys at Facebook would come up with, for all of the obvious business reasons cited above, and indeed, there is already internet scuttlebutt hinting at this.
The side benefit, especially for security agencies and the government in general, is to be able to track the populations’ every internet whim and move. I imagine this has attracted the attention of the most concerned privacy advocates attention.
Now don’t get me wrong. I work in this industry, so anything that generates new business and keeps me in a job is great and I welcome it. But at heart, and most of all, I am a security professional. I would probably do this even if I was not paid for it. I want to make things more secure. I want to provide a safer environment for internet users—it’s what makes me tick. And I am sure that I am not alone in that sentiment. However, I aspire to provide real solutions and improvements.
Somehow though, in the last decade, the Information Security Industry has been befallen by the same rot that infected the financial industry and brought us the current financial crisis. Unlike them though, we still have a chance at redeeming ourselves. We have not yet had our Bear Stearns event, even though we have gotten mighty close several times in 2011. The first step is introspection, and to admit that information security has been driven by purely commercial interests for too long. We need to revisit and assess why we have spent billions of dollars and many years of effort on what has amounted to lousy security, and here we have the perfect example to begin with. Let’s make sure this goes the way of the Dodo and SOPA.