A security guru points the way to safety.
I’m normally optimistic. But recently, in the world of online identity management, it feels like the sky really is falling.
A quick Google search shows more than 700 articles relating to online identity fraud over the past 20 days. In a substantial number of these stories, consumers rightly worry that their personal identity information is unprotected and vulnerable to abuse, and that businesses and institutions cannot adequately manage the identity information that flows through their systems.
According to recent data from the Identity Theft Resource Center, at least 152 identity theft incidents in 2005 potentially affected more than 57.7 million individuals, many of these stemming from online or network security breaches. These incidents ran the gamut from large banks and businesses, to the government and academia. You probably think it’s time to lock up your online doors and windows and throw away the key.
While it’s true that consumer vigilance over personal identity information is critical in eradicating the identity fraud epidemic, it is only part of the equation. Businesses, government, and even academic institutions must also play a vital role to overcome the challenges we face in managing identity in the digital world.
As a former cyber security advisor to the White House and former chief security officer of both Microsoft and eBay, I have spent the majority of my career working with the government and corporate sectors to find a balanced approach to sharing the responsibility of online security between business and government. However, when it comes to effective online identity protection, I believe that the three key safeguarding factors–technology, enforcement of criminal laws and education–seem to tax a consumer’s ability.
The corporate world appears to be in a cyber security arms race. The amount of money invested in developing the latest and greatest enterprise security solution is staggering–but certainly warranted. However, businesses alone cannot keep online identity safe.
Once sensitive information moves to the consumer’s computer, malicious software such as key loggers and spyware can steal the identities from less protected machines. Therefore, it is within the scope of the information security industry to arm ordinary users with the necessary tools to protect their online identity. It is time for usable cyber security solutions to be made available to the general public at a reasonable price. Otherwise, the trust that home users have in the online experience will erode.
As far as regulation is concerned, we’ve started to take the right steps. For example, the Federal Financial Institutions Examination Council recently issued stronger guidance and compliance requirements on authenticating the identity of customers accessing Internet-based financial services.
This regulation calls for financial institutions to strengthen authentication techniques by the end of 2006. In addition, HIPAA’s security provisions took effect in April 2005, better protecting individuals’ health and personal data stored in the U.S. health care system–an area that accounted for 15 percent of reported breaches last year.
Finally, education and research are key components. This is one of the areas where security experts from the corporate and government sectors can band together and support new research into identity management solutions.
In fact, on May 17, I gave the keynote address at the Identity Management Summit, hosted by the Georgia Tech Information Security Center. Here, executives from major companies in the financial, security and IT industries, including Atlanta’s Equifax and CipherTrust, as well as Bank of America and Siemens Communications, started a national dialogue on the best ways to empower everyday users to protect their online identity.
We must make the online world safer by minimizing the risks and threats to citizens’ online identity. It is up to the corporate, government and academic leaders to bear arms and fight to protect the everyday user. We’ve done a lot, but we need to do much more. Working together, we can make a difference.
Howard A. Schmidt serves on the faculty of the Georgia Tech Information Security Center. He is a former special advisor to the White House on Cyberspace Security, as well as the former chief security officer for Microsoft and eBay.