Trusted Identities in Cyberspace: Why a New National Strategy is a Good Idea

May 01, 2011

Back on April 15, the Obama Administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC). Unfortunately, most of the “outside the beltway” crowd, state and local government officials and citizens around the country paid minimal attention. The entire document is definitely worth reading, and I urge readers of this blog to take at least a few minutes and look through the executive summary.

My response to the lack of nationwide buzz: Too bad, because this plan (and improving the digital identity ecosystem) is critically important, whether the public understands it (yet) or not. Allow me to explain why.

But first, I must admit that our brief world history on this digital identity topic is not a pretty tale. Back in the late 90s, everyone was talking about the need for “Single Sign-on (SSO).” Early solutions came out, such as Microsoft’s Passport, which even worked with other services such as AOL, but critics were plentiful and it didn’t catch on as expected. Meanwhile, Microsoft Passport competitors, who called themselves the Liberty Alliance, failed to accomplish much more. And yet, the stage was set for further innovation regarding identities in cyberspace.

After becoming frustrated with early SSO implementations, many enterprises moved on to rename projects and reset expectations to “Reduced Sign-on” with newer products that seemed more realistic (cheaper/faster) to implement. From there, we’ve watched new concepts be introduced, such as enterprise ID management, provisioning profiles, enterprise authentication and other terms.

Yes, I know that these components mean different things, but that is part of our industry problem when trying to explain trusted identity solutions to the non-technical world. We struggle with implementing: “Who are you and what are you allowed to do” in the multi-vendor world of cyberspace.

Now we have a new term to incorporate: “Identity ecosystem.” I really like the concept, because doing nothing is not an alternative which will improve things. Nevertheless, some critics are saying this is a bad idea or another new ID rabbit trail.

I recently decided to do my own (unscientific) survey on the topic. Because we (the computer industry) have “failed” regarding meaningful reductions in the number of digital identities for more than a decade, most of my (real-world) friends and relatives (when asked) were skeptical that this new plan will achieve anything like a single sign-on in their personal (online) lives. However, they still liked the concept. (One thought “ecosystem” brought visions of wetlands.)

No doubt, the simplest questions from family members are usually the toughest to answer. “Will Apple ever trust Google – much less Facebook? How will this work between Gmail, my new iPad, my online bank account and Facebook? Will it be easier for the bad guys to get my centralized data? Does the nation really need another new strategy?”

I stumbled: “Well, um, you see, that’s too many specifics for a strategic plan. And, it’s a federated model, that … relies on … trust. And, yes, this plan is different, because … the stakes are higher…, and ….” (Not a very convincing story, Dad – as they walk away.)

No doubt, there is an uphill battle for “grass-roots outrage” on this digital ID issue and/or essential media coverage. The public loves new cool gadgets – even if they seem to break de facto industry standards. Meanwhile, although geeks can get just about anything to work with anything else, the consumerization of IT seems to be fighting single sign-on.

A Google search for “iPad launch” yields about 45.4 million page views, whereas googling “National Strategy for Trusted Identities in Cyberspace” yields about 102K page views. I hope these search results change, but we’ll need better marketing labels to make it happen.

Still, there are many hopeful signs that this plan will lead to meaningful action. A website has been established to foster industry dialog on the NSTIC (visit – ). I encourage participation in the discussion. One article summarized a 40-page analysis of NSTIC from Aaron Titus, the founder of the privacy group Identity Finder. Here’s an excerpt:

“Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC must call for regulation that will:

  • Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols.
  • Create incentives for businesses to not commoditize human identity.
  • Compensate for an individual’s unequal bargaining power when establishing privacy policies.
  • Subject Identity Providers to similar requirements to the Fair Credit Reporting Act.
  • Train individuals on how to properly safeguard their Identity Medium to avoid identity theft.
  • Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy.

If implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy. If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity Marketplace, and create the following risks:

  • Powerful identity credentials which, if lost or stolen, will enable hyper-identity theft
  • A false sense of control, privacy, and security among users
  • New ways to covertly collect users’ personal information
  • New markets in which to commoditize human identity
  • Few consumer protections against abuse or sharing personal information with third parties
  • No default legal recourse against participants who abuse personal information without consent”

The plan itself is impressive with fairly wide backing. Coverage from technology magazines and federal government watchers has been generally positive. An eWeek article said this: “The technologies described in NSTIC would allow online users to stop using unique passwords on each site and instead use a set of credentials that are accepted by multiple sites. The goal is to not have just one trusted identity technology or provider, but to have several and let users choose which ones to use….

‘The fact is that the old password and username combination we often use to verify people is no longer good enough,’ Commerce Secretary Gary Locke said at the event. The current system leaves ‘too many consumers, government agencies and businesses vulnerable to identity thieves and criminals intent on stealing information,’ Locke said.

The identity ecosystem would revolve around credentials stored outside of the actual Website, application or service, and would eliminate the need for unique passwords, Locke said.”

The sad truth is that we are not much further along today than we were a decade ago in this digital identity area. Some people say we are actually in worse shape online for a variety of reasons. While there are ample ways to implement federated identity management systems today that work across businesses and governments, far too few people use these systems effectively or at home. In addition, new hot products and services are coming online all the time that seem to start over again regarding the collection of personal identity information or keep credentials inside their proprietary solutions.

So that’s why I join others in supporting this new National Strategy for Trusted Identities in Cyberspace. This issue is even more critical today than it was a dozen years ago when we first started implementing enterprise-wide single sign-on projects in Michigan.

I truly hope things are substantially better online a decade from now. I am passionate about helping end users and families build more integrity into their interactions in cyberspace. In fact, I’m hoping to see an Internet where individuals are enabled to “surf your values” in new ways. To do that, we need more online trust – and trusted identities.

Yes, we need this strategy to work.

What are your thoughts on NSTIC?


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.