A Call to Action: Why Venture Capitalists Must Pay Attention to the National Strategy for Trusted Identities in Cyberspace (NSTIC)

Today the White House announced the National Strategy for Trusted Identities in Cyberspace (NSTIC), a bold initiative designed to resolve the identification, authentication, and authorization problems that haunt all online transactions.  Venture capitalists have an opportunity to impact the implementation and standards of this grand plan, but they must engage in a pragmatic dialogue with the White House leadership responsible for cybersecurity now, before this agenda falls into the quicksand of the Beltway and gathers dust like so many that have come before it.

Privacy advocates should find more reasons to cheer for the NSTIC than to fear it. Why? Because the principles behind the vision of creating a trusted Identity Ecosystem are sensibly “rooted in the United States Department of Health, Education and Welfare’s seminal 1973 report, ‘Records, Computers and the Rights of Citizens.’” This report established a set of Fair Information Practice Principles (FIPPs), and the NSTIC wisely asserts that, “to truly enhance privacy in the conduct of online transactions, these FIPPs must be universally and consistently adopted and applied in the Identity Ecosystem. … These principles are at the core of the Privacy Act of 1974 and are mirrored in the laws of many U.S. states, as well as in those of many foreign nations and international organizations.”

In my view, when you distill the NSTIC grand strategy down to its core foundation, it rests on the solid bedrock of sensible tenets to promote privacy and security in an online environment:

“Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).

Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.

Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.

Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).

Use Limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.

Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.

Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

Universal application of FIPPs provides the basis for confidence and trust in online transactions.”

In announcing the NSTIC, the Federal Government commits to being an early adopter and to using both its purchasing power and its authority to implement the NSTIC across government agencies.  Done right, proactive Government leadership could accelerate the proliferation of this new standard for trusted online transactions.  If NSTIC adoption reaches critical mass, it could become the dominant framework at the core of our nation’s common commercial cybersecurity standards (previously unspecified) over the next five to ten years.

At a minimum, venture capitalists active in the security space should (1) read the full NSTIC document; (2) pay very close attention to what will follow this announcement in terms of the formation of the steering group under the Commerce Department that will guide NSTIC’s implementation; and (3) evaluate specific opportunities to get involved.

As the NSTIC document notes: “The Strategy can only succeed if the private sector voluntarily implements the Identity Ecosystem and only if it makes business sense to do so.”  Let’s not waste this opportunity to prove the Government right, for a change.
