NSTIC: Pretty in Theory, Problematic in Practice

The official vision of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is a government-coordinated, private-sector initiative to increase the security of the Internet. In their words:

“Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation.”

In layman’s terms, it’s essentially giving everyone a digital certificate that proves they are who they are. It has a lot of merit, and many high-profile CTOs from places like PayPal and Microsoft have endorsed the concept. To read the entire NSTIC document in detail, click here.

Of course, it has its naysayers as well. Many privacy rights supporters feel there is a large risk in the system, others think it’s chock full of issues that could make the problem worse.

One thing that’s great about the current process the government has set up is that it’s designed to get input from everyone, industry and individuals alike, to try and build a framework that furthers security.

Valid Points

The main impetus for this is to stop the identity theft that affects millions of Americans every year and does billions of dollars in damages to our economy. At the launch event, many corollary points were drawn between this initiative and PCI. And in an ideal world, the two major financial concerns that face the internet — identity theft, which is spawning NSTIC, and credit card theft, which spawned PCI — would join forces.

Imagine that when you try and use your credit card for an online purchase, it is validated against a separate identity system, as such proposed by NSTIC, to validate that it is indeed you using the card and not someone who stole it. That’s pretty cool. Maybe one day it will happen. I don’t think it will in its current form. Why not? The bottom line to anything is money. Does this make me money, or increase my brand, or benefit my stock holders? What is my ROI?

Thanks, but No Thanks

These standards are neither welcome nor wanted by industry. They cost a lot of money to implement and maintain, and they generally have little positive benefit on the bottom line. Sure, it helps secure the end user, but it doesn’t increase Bob’s Widget sales.

Yes, you can argue that a breach or similar incident in the press like TJX is extremely bad for business, but PCI is as extensive as it is because it is FORCED onto merchants. If you gave merchants the option to walk away, 90 percent would, believing it an unneeded and unwanted expense despite the good it has done for their Internet security. Even though many disagree with PCI, and it has its flaws, I don’t think there is any denying that is has had a tangible benefit on the security of the industry, whether merchants like it or not.

But PCI was driven by the card brands. Why? Because at the end of the day a more secure Internet, or more secure cardholder data environment (CDE) means fewer breaches. Fewer breaches mean greater confidence in using credit cards. Greater confidence leads directly to greater usage of credit cards, which is good for business.

Here is the great thing about PCI: It really costs the card brands nothing (outside of maintaining the DSS standards). When there is an incident, the card brands fine the acquiring banks, which in turn fine the merchants. Merchants carry the brunt of the cost to get compliant. When millions of credit cards are lost, it doesn’t hurt the card brands, it hurts the merchants because it’s their brand in the media, and then the fines that may come after. Mastercard or Visa don’t lose anything when credit cards are stolen. The acquiring banks carry the brunt of unauthorized transactions. So card brands can force the adoption of their security standards because it’s their game and it costs them little to nothing since the acquiring bank and merchants bear the brunt of this movement.

So PCI works because the card brands can force everyone to play by their rules. Card brands directly mandate acquiring banks adopt PCI. They, in turn, then force their merchants to be PCI compliant.

Where’s the Driving Force?

What is going to be the driver for adoption of a system such as NSTIC? Who is going to be paying for and using a system as prescribed by NTSIC?

Unless PCI sees NSTIC as a way to further secure its own interests and wraps it into PCI, or someone establishes a clear financial model where companies make money via surcharges to implement and maintain such a system, few will adopt an added expense simply “for the good of their users.”

Merchant response will be, “Well, use a strong password, and if you can’t be bothered to even follow simple strong password practices, why should I spend thousands of real dollars to add more security into a system just to protect you from yourself?” Heck, many websites still today don’t even allow users to use complex passwords with special characters. It shocks me how often I get prompted with “Please create a password consisting of numbers and characters, specials not allowed!”

I, for one, would be more than willing to pay a nominal fee for a secure digital certificate if it was linked to my user access and credit cards. But even then, the problem with this is that it’s prescribed as a voluntary system. So if my credit card is stolen and not every vendor or every credit card mandates that transactions are validated by a secure personal digital certificate, then it has very limited value. Credit card and identify thieves will just go to merchants that don’t opt into the system to abuse your identity or credit card there. It doesn’t really matter where my credit card/identity is used if it’s stolen; unless everyone uses the same security controls, thieves will just go to someone who doesn’t opt in to this system.

That’s why while such a system is great in theory, it faces serious real-world adoption challenges. Unless card brands, PCI, banks or the government force widespread adoption of such a system, then I just don’t see companies willing to step up and take on the cost for the good of the end user. Limited adoption means limited value.