Friday, June 10, 2011

Continued thoughts on NSTIC Conference

Today is day two of the NSTIC conference and most of today is an extension of the discussions that started to happen in the working groups yesterday afternoon. The discussions themselves are interesting and will lead to a consolidated set of ideas that will be published and then taken into account with the responses to the NOI. All of that will hopefully be the basis of a governance structure that will allow NSTIC to move ahead.

As I sit through these discussions I hear the familiar refrains: government should not be involved - this should be a private-sector driven effort; government needs to handle liability and provide funding for pilots; the governance needs to be all-inclusive, with industry, government, relying parties, consumers, education and so on; the steering committees need to be small - but represent all parties. Some of these certainly seem to be contradictory, so it will be interesting to see where the arrow lands as it spins through the options.

I will note that even when people say that the market will decide how this will happen I get a little bit nervous. FFIEC defined some very strong requirements for banking systems and authentication, as did HIPAA for healthcare systems; however, these requirements were later overshadowed by other events and the strong requirements were never implemented or enforced. The lack of implementation came from industry, and the lack of enforcement was a reaction by government.

We need to get better at this - we need to make rules that are implementable and enforceable, and we must hold feet to the fire to make it happen. The end goal is to make the environment more secure, but that does not happen unless someone starts, and it does not start unless there is a relying-party need or a mandate from industry or the government. The reaction of FDIC's Harper is a good example of the right direction - we just need to see it get implemented.

None of this will happen overnight but, as I mentioned in previous posts, that should not stop people from moving forward; it should only help them to understand that they need to be involved and to build systems that can grow and be flexible. Today's authentication solutions will likely not be tomorrow's. I never thought when I got my first RSA SecurID two decades ago that today I would be using a phone-based OTP not from RSA. In fact, after the last 3 months I am kind of glad it is not from RSA.
