PUBLIC DEFENDER Where’s our ‘National Strategy for Cyberspace’?
By Brian Livingston

Crime on the Internet has gotten ridiculous. In 2020, the Federal Trade Commission received 4.8 million complaints of identity theft (and many others go unreported). At least 37% of businesses around the globe experienced a ransomware attack last year, according to security firm Sophos. And for six days in May, hackers were even able to shut down a pipeline that supplies 45% of the US East Coast’s fuel.

President Joe Biden issued an executive order on July 28, instructing the Secretary of Homeland Security to issue “critical infrastructure cybersecurity performance goals within 1 year.” But the problem is way out of hand. Law enforcement will never be able to prioritize nonviolent computer crimes over high-profile cases that involve dead bodies.

The root cause of cyber fraud is that we can never really be sure who — specifically — is behind a website we’re viewing, an email we’re reading, or a phone call we’re receiving. Any of these things might be legitimate, or they could be scams that look and sound exactly as though they came from a respected organization. Criminals can conceal their identities all too easily.

The answer is right in front of us, but we haven’t demanded it
Various attempts to rein in the madness have emerged over the years. Unfortunately, they’ve been watered down or ignored rather than giving us all some much-needed safety.
Full disclosure: In 2001, I met several times with Schmidt in his home and at various cafés in the Redmond, Washington, area. He had moved there after Microsoft hired him in 1997 as its chief information security officer. At the time of those discussions, I had written the Window Manager column in InfoWorld magazine for a decade, giving me contacts in the tech industry. Schmidt and I thought computer publications could simultaneously announce a plan that would allow individuals to securely identify themselves and others on the Web. We sketched out the following thought experiment:
Best of all, users would no longer need to carry around multiple ATM cards, keep numerous ID badges, or remember complex passwords. Ideally, a single secure device could positively identify you to a greater and greater number of businesses and organizations as the system caught on.

This wouldn’t be a mythical arrangement that “everyone would have to use” for it to work. If even just two people adopted it, the pair could securely communicate, each receiving positive identity verification of the other.

Thanks to standardization, we all can send an email, place a phone call, or send a letter to any country in the world. The next great standard we need is a universal way to identify ourselves and prevent crooks from posing as us or pretending to be someone we know.

Build a better mousetrap, and people won’t beat a path to your door
When Schmidt and I were meeting, he was remarkably modest. I had no idea he had headed the Computer Exploitation Team of the National Drug Intelligence Center, nor that he had helped form the Defense Computer Forensic Laboratory for the US Air Force.

All that didn’t ensure success, however. We contacted a few tech journalists, but they weren’t overly interested in the idea. They probably assumed that it would be a hard sell to get the computer industry to agree on anything related to the boring topic of security.

I lost touch with Schmidt, but he kept himself busy. In December 2001, President George W. Bush appointed him as special adviser for cyberspace security. He served the Republican administration until May 2003.

In December 2009, Schmidt was named national cybersecurity coordinator by President Barack Obama. Working in the Executive Office of the President, Schmidt conferred with 140 different agencies to come up with the Trusted Identities report in June 2010.

The report contained several improvements to the old, coffee shop–inspired model. For example, in addition to merely verifying one’s identity, a digital device would be required to confirm to a website that the user was over 21 — for a user to order wine online, say — without revealing the user’s actual date of birth, which can lead to identity theft.

Other aspects were familiar. The US Postal Service was delegated in November 2012 to create a Federal Cloud Credential Exchange. This resulted in a website called Connect.gov, which launched in December 2014. The first two vendors to generate digital credentials compatible with Connect.gov were Verizon and ID.me, according to a Federal News Network blog post.

Perhaps inevitably, turf battles arose. The General Services Administration terminated Connect.gov in August 2016, promising to replace it with an all-new service called Login.gov, according to a SecureIDNews article. The new website went live in April 2017, but its primary function was “the public’s one account for government,” allowing people to access different US agencies with a single username and password. That’s nice, but it’s a far cry from an identity verification system that people around the world would use.

Schmidt resigned as the White House’s cybersecurity coordinator in May 2012. I tried to contact him for this column, but he had tragically succumbed to brain cancer in 2017.

His role was filled from 2012 to 2017 by Michael Daniel, formerly head of the intelligence branch of the Office of Management and Budget. He was followed by Rob Joyce, previously with the National Security Agency. Joyce decided to return in May 2018 to Fort Meade, home of the NSA. The White House promptly abolished the cybersecurity position at the urging of John Bolton, security adviser to President Donald J. Trump, according to a Politico analysis.

On April 12, 2021, President Biden nominated former NSA Deputy Director Chris Inglis to the new post of national cyber director. The office had been created in a defense bill that Congress enacted in 2020 over a veto by Trump. The position has Congressional oversight and requires Senate approval. That confirmation occurred in a rare unanimous vote on June 17, so Inglis has officially started work, Politico says.

It’s a rocky road to a secure identity, but it’s worth the effort
In a recent Zoom interview, the senior systems engineer of RSA’s SecurID, Steve Schmalz, expressed optimism, telling me: “There could be a consortium between government and private industry to make sure you are who you say you are.”

Schmalz is confident that a unified security approach can slash crime on the Net. “If you use strong two-factor authentication, you would reduce the incidence of hacking.”

RSA is seeing people move toward smartphones as their favorite identity device. No, physical security fobs won’t disappear. “You wouldn’t want to take a smartphone onto a battlefield,” as Schmalz describes it. “But outside of government, a smartphone will be the preferred form factor of authentication.”

To satisfy this preference, RSA announced on June 21 a new SecurID app for Android and iOS devices. The firm is also excited about Solid, a new, decentralized network designed by Tim Berners-Lee, who is widely acknowledged to be the inventor of the World Wide Web. Solid uses a concept known as verifiable credentials, as described in a July 15 article.

Secure digital identities are often called an Internet driver’s license. But I feel that’s the wrong metaphor. No one needs a driver’s license to use the Web — it’s one click away on any smartphone.

An Internet passport is a better concept. It helps prove that you are who you say you are, and makes it hard for anyone else to impersonate you. It’s widely understood that you need a national passport to travel across borders. Internet passports could let you safely surf all the way around the World Wide Web.

In a follow-up to this column, I’ll report on the latest efforts to create an Internet passport or something like it.

For more information, see Schmidt’s original Trusted Identities paper, which is available as a White House archives PDF. Also, Wikipedia contains Schmidt’s life story and a history of Trusted Identities implementation — or the lack thereof.
The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new book Muscular Portfolios. Get his free monthly newsletter.
Publisher: AskWoody Tech LLC (sb@askwoody.com); editor: Will Fastie (editor@askwoody.com). Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2021 AskWoody Tech LLC. All rights reserved.