It’s hard today to find a major breach where weak identity solutions did not provide the vector of attack.
More than 21 million personnel records – including details of my background check and images of my fingerprints – were stolen last year from the Office of Personnel Management (OPM) because of passwords. More recently, passwords enabled a foreign power to hack into the Democratic National Committee (DNC) and attempt to influence the U.S. presidential campaign. Passwords were exploited over the last three years to perpetrate major attacks on Target, Anthem, JP Morgan Chase, and Sony, among others. As my colleague Michael Chertoff recently stated, “the password is by far the weakest link in cybersecurity today.”
Beyond passwords, other weak identity solutions have been exploited to cause significant damage. Two of the most devastating breaches in U.S. history – those perpetrated by Edward Snowden and Chelsea Manning – were driven by individuals who had been given legitimate credentials, as well as access rights to data and systems that went far beyond what was appropriate. Here, it was not the use of passwords that was exploited, but weak identity controls around what these individuals were authorized to do with them.
Why does this keep happening? The simple answer is that identity is complicated. Many first-generation password alternatives created new hassles for users rather than streamlining the login process. And the important work of ensuring proper governance of an identity and access management (IAM) system in enterprises has all too often been neglected, opening the door to attacks from both inside and abroad.
Against this backdrop, the need for trusted identity solutions in cyberspace is more important than ever, particularly as we embrace the cloud and look to bring more high-value, personalized applications online for consumers and citizens. In the cloud, the first question any system must answer is, “are you who you say you are?” and the second is, “what are you allowed to access?” Identity is the key to get in the door. And done right, identity is the great enabler – improving security and privacy while offering more streamlined, trusted experiences to employees and customers alike.
Government has been an innovator here through initiatives such as HSPD-12, which focused on improving authentication to government systems, and the National Strategy for Trusted Identities in Cyberspace (NSTIC), which prompted government and the private sector to work together to catalyze a marketplace of next-generation, trusted identity solutions. With a new Administration about to take charge, there are big questions as to how they might address these issues, and how they might balance security, privacy, choice, and innovation.