Friday, 22 May 2015

Reiniger: New Virginia Law Launches Citizen-focused Cybersecurity Strategy

On May 6, Gov. Terry McAuliffe ceremoniously signed a first-in-the-nation digital identity law that, by promoting a strategy of arming the average citizen with strong means of proving identity online, represents a new direction in cybersecurity strategy and will supplement the current enterprise and network focus. Sponsored by state Sen. John Watkins and House Del. Thomas Rust and endorsed by the Virginia Joint Commission on Technology and Science, the law incentivizes market choices for citizens to have trusted digital identities for use in online transactions, social media and accessing e-government services.

The law reflects McAuliffe’s economic growth strategy for Virginia, which is centered in part on leveraging Virginia’s large commercial base of cybersecurity-related companies. In fact, Virginia is already home to digital identity leaders such as CertiPath (for the defense industry) and the Kantara Initiative (for the health-care industry). And the Virginia government itself has already been developing a nationally recognized privacy-enhancing digital identity capability with which citizens may access e-government services. The Virginia strategy rejects a centralized database approach in favor of citizen-controlled identity.

Citizen-controlled identity based on a marketplace of strong, affordable, easy-to-use and privacy-enhancing digital credentials will provide an essential foundation for fighting cybercriminals and identity thieves. In 2009, the president’s Cyberspace Policy Review determined that trusted digital identities are necessary to improving cybersecurity. And for years, noted security expert Bruce Schneier has been saying that frontline cybersecurity is best built around humans, not technology. We know that trusted digital identities minimally require secure credentials and strong two-factor authentication. But the average person currently does not have easy and affordable access to such secure credentials. A digital identity credential provider market needs to be brought into existence.

In the physical world, we typically rely on government entities such as the DMV and Passport offices to manage the identity credentialing process. The digital world, though, is serviced through both commercial and governmental entities. However, commercial digital identity credential providers face an exorbitant amount of risk based on their broker-like position for which insurance is not currently available. The identity credential market has reached a point at which legal liability uncertainty is itself a barrier to potentially beneficial progress. Because of unpredictable liability, risks associated with the commercial digital identity credential are currently treated as uninsurable. And previous efforts to address this insurance gap through solely commercial means have been unsuccessful.

There are a number of common liability concerns that, as of now, remain ill-defined and uncertain with respect to court treatment. Should identity providers have legal protection if they have complied with the defined standards and credentials are nonetheless issued or used incorrectly? What is the liability of an identity provider for an identity credential that is issued incorrectly when following the Commonwealth of Virginia approved standard or when in breach of the standard? Who has the liability when a relying party disseminates or provides access to valuable or protected data based on a false identity assertion?

The law resolves this uncertainty by, for the first time, creating a common legal framework for the digital identity industry along the lines of that which is afforded in other industries such as credit cards and shipping. It is not designed to remove liability, but to make liability predictable and manageable through voluntary compliance with state minimum standards to be developed by the secretary of technology with assistance from a public/private advisory council.

The new law has profound implications for individuals. Instead of merely focusing on cybersecurity as network security, Virginia now wants to arm citizens with secure digital identities that the individual has the freedom to choose. In addition to traditional governmental identity providers, such as the DMV, the availability of insurable digital credentials opens the possibility of choosing trusted identity credentials from banks, social media and even faith-based institutions. And residents of other states will also be able to benefit from the digital identity credential marketplace made possible by this law.

View the original content and more from this author here: http://ift.tt/1IPaXwB


