The U.S. Chamber held another meeting in the very helpful series of exchanges between Business and Government. The event focused on the nascent strategy for securing online transactions and was sponsored by two of the Chamber’s internal organizations: the National Security Task Force and the Telecommunication and E-Commerce Committee. It was a useful and interesting event.
The government participants were Tom Donahue and Ely Kahn, the Directors for Cyber Policy on the National Security Staff. On the Business side, besides a good presence from the Chamber itself, there were representatives from Telecoms big and small; Software giants; small Tech firms; large Federal Integrators; boutique Tech Consultants; Industry Trade Associations; and Washington Law Firms. It was a wide array of participants.
The discussion began with a short brief from Donahue and Kahn. They emphasized that they were trying to eat the elephant one bite at a time (my metaphor, not theirs). They were not trying to solve all of the identity management issues now facing the government. They readily admitted that others (perhaps DoJ / DHS) were looking at the larger law enforcement-related aspects of this thorny problem. They wanted to begin with a way of establishing a valid online identity upon which commerce could be conducted with reasonable assurance of validity. It sounds a lot easier than it is. It is not establishing that Steven Bucci is Steven Bucci for legal purposes but only so online vendor “X” is comfortable doing business with me. As limited as this sounds, we really cannot yet do it sufficiently well.
There were lots of caveats about avoiding the “third rail” of a national ID card and not making anything “mandatory.” They also like to speak of “eco-systems,” by which they mean holistic solutions not solely technical in nature. Both the NSS folks walked very lightly and are clearly cognizant of not causing more problems than a solution will solve. Donahue used his self-described “bumper sticker” slogan as a method for establishing an ID for online activity, which must be “universal, usable, useful, secure, losable, privacy enhancing, voluntary, affordable, and irresistible.” All of this is compelling, but darned-near impossible to achieve. Again, attempting to bound their efforts, Kahn and Donahue re-emphasized that they only wanted to enhance the present system, not fix it completely.
Their main reason for wanting to speak with businesses was to find out how industry did this sort of thing (authentication) for our internal interactions. They seemed surprised at the multiple steps (anywhere from two to six) that most firms used to ensure their internal nets were protected. They next asked if we were “happy” with such a process. Most answered that it was a small inconvenience because we used it all the time and were, for the most part, pretty good at it. We all admitted that more needed to be done. No one had a real solution yet.
There were several aspects of the conversation that stuck out in my mind. The first was the NSS staffers’ insistence that they were not producing, and would not produce, a “road map” to achieve this goal. They were going to act as evangelists for the need and depend on industry to develop solutions. They would let the “market forces” determine the best way forward. I for one was quite surprised. We reminded them that it might be helpful if they could give us hints as to research areas that would be non-starters so we could focus on other directions. They were reluctant even to go that far.
The other area that stood out was that once a system that meets Donahue’s bumper sticker is developed, they do not want the effort to be controlled at the Federal level. They think States are probably the best place but that it could go to more local levels. I have a feeling that States may not like the extra expense and administration unless it comes to them funded.
At the end, it was agreed that Donahue and Kahn needed several subsequent meetings. We all admired their desire to be non-directive and their wish not to “offend” anyone. My feeling is that they will have a devil of a time getting anywhere unless they firm up their requirements.
There is an old saying: “If you don’t know where you are going, you’ll never get there.” They should plan out a road map but be ready to adjust or deviate from it if an innovation pops up. The generalities were far too loose for industry to help much. It seems that the Administration’s cyber efforts (even the limited ones) are still mired and producing little actionable leadership.