White House to unveil revised ID management plan Friday

"We should not have to dramatically change the way we do business," cyber chief Howard Schmidt said. Flickr user hubertk

The White House on Friday will release the second draft of a plan for managing identities in cyberspace, President Obama's cyber chief said during a conference in Washington.

The latest version of the National Strategy for Trusted Identities in Cyberspace will build on existing efforts to ensure people, organizations and computers are who they claim to be on the Internet, according to Howard Schmidt, White House cyber coordinator. Those include the George W. Bush administration's Homeland Security Presidential Directive 12, which established a common identification standard for federal employees and contractors to access government buildings and computers, and a requirement to add authentication tools to federal websites to prevent hackers from hijacking Internet traffic and redirecting it to bogus sites.

"We should not have to dramatically change the way we do business," Schmidt said in a keynote address at the Symantec Government Symposium on Tuesday. "This should be a natural path forward."

The plan will focus on identity management at the transaction level -- for instance, when people access electronic health records, conduct online banking, purchase items over the Internet, or send an e-mail.

"Everyone in my office digitally signs e-mail," Schmidt noted. "How does that help? If I see 110 e-mails with a digital signature attached, I know they're trusted. I can then focus on those other 10 e-mails [to figure out], 'Is this who it says it is?' It narrows the scope."

One hurdle will be ensuring existing policies are implemented properly. Established by President Bush in 2004, HSPD-12 experienced numerous logistical and technological challenges that led to significant delays. The Obama administration has barely mentioned the initiative.

"When I ask people about their card, they say, 'Yes I got it,' " Schmidt said. "And then I ask the question, 'Do you use it?' And they say that they don't know what to do with it, or [their agency] has not been issued a smart card reader" for scanning credentials when they enter federal buildings or log on to networks.

"We need to figure out how we get those things to work at the national level," he added.

The national plan will seek tested solutions that are interoperable, cost effective and enhance privacy by limiting the amount of personal information needed to complete transactions online.

To do that, Schmidt said the plan will require what he called an "identity ecosystem" that brings together government, industry and academia to design and build a solution that uses both new and existing infrastructure, and then to establish processes for effectively managing the solution.

"This strategy cannot exist in isolation; it's going to take a commitment," Schmidt said, noting that it is one piece of a much bigger strategy to enhance the security of computer networks and systems.

"I'm very positive about where we're going," he said. "I think we are better. If we weren't, it means all the work is for naught, and I don't believe that for a moment."

The administration will use Web 2.0 technologies to enable online feedback on the latest draft of the plan, according to Schmidt.