White House cyber czar's goal: 'Kill the password dead'

Wednesday - 6/18/2014, 12:06pm EDT

The White House cybersecurity czar is typically focused on strengthening online security methods.

Not so the common password, which is still the most common method of cyber protection used by agencies and industry alike.

"I often say that one of my key goals in my job that I would really love to be able to do is to kill the password dead," said White House cybersecurity coordinator Michael Daniel, in a speech before the Identity Ecosystem Steering Group's ninth annual conference Wednesday.

That's because even as cyber threats continue to grow more sophisticated and destructive, passwords are weakening and proving easier to crack than ever, Daniel said. He cited studies showing as much as 80 percent of cyber intrusions — "some ridiculously high number," he said — are caused by exploiting weak or stolen passwords.

"It's one of these interesting situations where everybody knows that the passwords are terrible, and yet they remain the most prevalent security method we have," he said.

The administration is hoping to change that with broader implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls for agencies to partner with industry to develop an "identity ecosystem."

Instead of simple passwords, the system would allow Internet users engaging in e-commerce or seeking online services from the federal government to choose among a variety of ways to authenticate their online identity.

"That's a new thing, still, for many people," Daniel said.

Federal Cloud Credential Exchange a top priority

But it's not new for the Obama administration, which rolled out the NSTIC initiative three years ago.

Among the most recent initiatives to spin off from that effort is the Federal Cloud Credential Exchange, or FCCX, which Daniel called one of his top priorities.

The program, which is being brokered by the U.S. Postal Service, will connect the departments of Agriculture and Veterans Affairs, the National Institute of Standards and Technology and the General Services Administration with third-party credential providers that meet certain standards.

In addition, Daniel said the focus is on improving agency-to-agency coordination.

For example, he said, think of a veteran, who's currently in college and who pays taxes. The FCCX program would allow her to use the same credential to access services at the VA, fill out the federal student aid form and file her taxes online, he said.

Simple idea, complicated implementation

"But of course this is Washington, so actually making that simple idea a reality is not quite so simple," he said.

It's going to take multiple steps to get an identity ecosystem up and running — and they're not necessarily sequential, he said. Agencies, facing long-term budget constraints, are juggling which steps to do in which order.

"Getting to 'done' in this space is not cheap," Daniel said. "And I don't necessarily mean in terms of dollars, although you can certainly spend some money in this area. But I mean in terms of leadership attention and leadership time and focus — and that's one of the most valuable commodities that we actually have in Washington."

The solution is to leverage commonly accepted credentials among agencies — and even outside government — to save the cost of re-credentialing the same user multiple times using multiple systems.

Such an identity ecosystem would also improve the availability of secure online government services, he added.

"Almost every part of the government can envision either moving current services online or providing new services for citizens online, if only we could sort out whether that person coming to the website or that portal online is really who they claim to be," Daniel said. "And it's really impossible to do this without addressing the core issues of identity and interoperability."
