NIST's Jeremy Grant addresses attendees at 10th annual Smart Card Alliance Government Conference

Experts discuss NSTIC, moving away from 'broken passwords' at event


WASHINGTON, DC, NOVEMBER 3, 2011 – 10TH ANNUAL SMART CARD ALLIANCE GOVERNMENT CONFERENCE – Passwords are broken, and key logging, man-in-the-middle, phishing, and malware attacks have made the industry's reliance on passwords the soft underbelly of the Internet, according to Jeremy Grant, senior executive adviser for identity management at NIST and the manager responsible for creating the national program office for the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Addressing attendees at the 10th Annual Smart Card Alliance Government Conference, taking place this week through November 4th at the Ronald Reagan International Trade Center in Washington, DC, Grant cited two examples of how smart card technology can help to solve the problems the NSTIC intends to address. Several years ago, network intrusions at the Department of Defense (DoD) fell 46 percent almost overnight when the agency mandated that passwords could no longer be used and smart cards were required to access all systems. More recently, the U.S. Army cut classified leaks by 85 percent using a software program tied to its smart card-based Common Access Card (CAC).

Passwords are the most common vector for attacks that lead to data breaches, with four out of seven attacks linked to weak passwords, according to a Secret Service study conducted by Verizon that Grant cited.

"The online industry is stunned by the lack of security," said Don Thibeau, executive director of the OpenID Foundation and chairman of the board of the Open Identity Exchange (OIX). "Well over 100,000 identities are stolen every day in America."

A panel of identity security experts came up with a list of ways to evaluate whether the NSTIC is successful. Gartner's Ian Glazer suggested that having a set of technical norms and established trust patterns that the industry can follow would be a good metric of success.

Mike Wyatt of Deloitte suggested that getting industries aligned around a standard approach would be a measure of success, citing SAFE-BioPharma as an example.

Joni Brennan of the Kantara Initiative said that the NSTIC would be effective when identity becomes embedded in people's lives and as normal as using a driver’s license or passport.

Aaron Brauer-Rieke of the Center for Democracy and Technology set a more practical measure for the program’s early stages, stating, "If someone would get excited and do something – that would be a success."

Thibeau sees the NSTIC as a forcing function that will get security specialists in the smart card community talking to the online community. "There's no question the Alliance has a seat at the table. The question is where is the table and who