OK, it’s been out a couple of months now with the usual “ZOMG it’s RealID all over again” worry-mongers raising their heads.

So we’re going to go through what NSTIC is and isn’t and some “colorful” (or “off-color” depending on your opinion) use cases for how I would (hypothetically, of course) use an Identity Provider under NSTIC.

The Future Looks Oddly Like the Past

There are already identity providers out there doing part of NSTIC: Google Authenticator, Microsoft Passport, FaceBook Connect, even OpenID fits into part of the ecosystem.  My first reaction after reading the NSTIC plan was that the Government was letting the pioneers in the online identity space take all the arrows and then swoop in to save the day with a standardized plan for the providers to do what they’ve been doing all along and to give them some compatibility.  I was partially right, NSTIC is the Government looking at what already exists out in the market and helping to grow those capabilities by providing some support as far as standardizations and community management.  And that’s the plan all along, but it makes sense: would you rather have experts build the basic system and then have the Government adopt the core pieces as the technology standard or would you like to have the Government clean-room a standard and a certification scheme and push it out there for people to use?

Not RealID Not RealID Not RealID

Many people think that NSTIC is RealID by another name.  Aaron Titus did a pretty good job at debunking some of these hasty conclusions.  The interesting thing about NSTIC for me is that the users can pick which identity or persona that they use for a particular use.  In that sense, it actually gives the public a better set of tools for determining how they are represented online and ways to keep these personas separate.  For those of you who haven’t seen some of the organizations that were consulted on NSTIC, their numbers include the EFF and the Center for Democracy and Technology (BTW, donate some money to both of them, please).  A primary goal of NSTIC is to help website owners verify that their users are who they say they are and yet give users a set of privacy controls.

Stick in the Mud photo by jurvetson.

Now on to the use cases, I hope you like them:

I have a computer at home.  I go to many websites where I have my public persona, Rybolov the Hero, the Defender of all Things Good and Just.  That’s the identity that I use to log into my official FaceBook account, use teh Twitters, log into LinkedIn–basically any social networking and blog stuff where I want people to think I’m a good guy.

Then I use a separate, non-publicized NSTIC identity to do all of my online banking.  That way, if somebody manages to “gank” one of my social networking accounts, they don’t get any money from me.  If I want to get really paranoid, I can use a separate NSTIC ID for each account.

At night, I go creeping around trolling on the Intertubes.  Because I don’t want my “Dudley Do-Right” persona to be sullied by my dark, emoting, impish underbelly or to get an identity “pwned” that gives access to my bank accounts, I use the “Rybolov the Troll” NSTIC  ID.  Or hey, I go without using a NSTIC ID at all.  Or I use an identity from an identity provider in a region *cough Europe cough* that has stronger privacy regulations and is a couple of jurisdiction hops away but is still compatible with NSTIC-enabled sites because of standards.

Keys to Success for NSTIC:

Internet users have a choice: You pick how you present yourself to the site.

Website owners have a choice: You pick the NSTIC ID providers that you support.

Standards: NIST just formalizes and adopts the existing standards so that they’re not controlled by one party.  They use the word “ecosystem” in the NSTIC description a lot for a reason.

• Bacn–It’s Cooked Spam
• NIST Cloud Conference Recap
• LOLCATS and NSTIC
• When Standards Aren’t Good Enough
• More on Georgia’s FISMA Reporting

A couple of months before I was activated and went to Afghanistan, I got a briefing from a Special Forces NCO who had done multiple tours in the desert.  One thing he said still sticks in my mind (obviously paraphrased):

“The Afghanis, they live in mud huts, they don’t have electricity, they are stick-people weighing 85 lbs, and to say that we could bomb them into the stone age would be an advancement in their technology level.  But never underestimate these people, they’re survivors.  They’ve survived 35 years of warfare, starting with the Soviets, then they fought a civil war before we arrived on the scene.  Never underestimate their ability to survive, and have respect for them because of who they are.”

Today, I feel the same way about government employees, even more so because it’s an election year:  they’re survivors.

Now time for what I see is the “real” reason why the government is doing badly (if that’s what you believe–opinions differ) at security: it’s all an issue of culture. I have a friend who converted a year ago to a GS-scale employee and took a class on what motivates government employees. Some of these are obvious:

• Pride at making a difference
• Helping people
• Supporting a cause
• Gaining unique experience on a global-class scope
• Job stability
• Retirement benefits

And one thing is noticeably absent: better pay and personal recognition.  Hey, sounds like me in the army.

The Companion Family Plan for Survival at Home photo by Uh … Bob.

Now I’m not trying to stereotype, but you need to know the organizational behavior pieces to understand how government security works. And in this case, the typical government employee is about as survival-aware as their Afghani counterpart.

Best advice I ever heard from a public policy wonk: the key to survival in this town is to influence everything you can get your hands on and never have your name actually written on anything.

In other words, don’t criticize, be nice to everybody even though you think they are a jerk, and avoid saying anything at all because you never know when it will be contrary to the political scene.  The Government culture is a silent culture. That’s why every day amazing things happen to promote security in the Government and you’ll never hear about it on the outside.

One of the reasons that I started blogging was to counter the naysayers who say that FISMA is failing and that the Government would succeed if they would just buy their product for technical policy compliance or end-to-end encryption.  Sadly, the true heroes in Government, the people who just do their job every day and try to survive a hostile political environment, are giving credit to the critics because of their silence.

Which brings me to my point:

Yes, my name is Rybolov and I’m a heretic, but this is the secret to security in the Government:  it’s cultural at all layers of the personnel stack.  Security (and innovation, now that I think about it) needs a culture of openness where it’s allowable to make mistakes and/or criticize.  Doesn’t sound like any government–local, state, or federal–that I’ve ever seen.  However, if you fix the culture, you fix the security.

• Some Thoughts on Comments to My Blog…
• Learning GovieSpeak: The Plum Book
• Cloud Computing and the Government
• In Which Our Protagonist Discovers We Need More Good Public Policy People Who Understand Security
• Auditors, Frameworks, and Philosophy

I have a very disturbing trend with comments to my blog:  I don’t get any comments on the serious stories–only the “fun” posts.

This leads me to believe one of the following is at play:

• I write succinctly and with authority and never make mistakes. (at least it helps to hope…)
• Nobody knows the subjects that I talk about because it’s a niche to a niche.
• I don’t sensationalize the news enough to make people want to comment.  Note that this is a radical departure from the mainstream media when it comes to security and government, where FUD-mongering is the norm.
• People are scared of me because they think I’m intellectually and emotionally unstable and that I’m going to trash them if they comment.  =)
• Government employees are afraid to put anything critical of their leadership in writing.
• Like they say about the classified world, “Those who know don’t talk, those who talk don’t know”. (side note:  what am I saying about myself here?)
• The First Rule of FISMA Club is that YOU DO NOT TALK ABOUT FISMA CLUB!!!111oneoneone
• If it’s your first comment, you have to fight.

Blog Explanation in French by Stephanie Booth

Now the problem for me is that in order to make security in the government work, we need to change the culture of the people doing it.  IT and specifically security require a zero-defects approach, and this is counter to survivability in a political environment.  The only way we can do that is if I’m not the only voice preaching in the wilderness–I really do want people to tell me I’m full of it and give a good rationale.  =)

In the spirit of helping, this is the Guerilla’s Guide to Commenting on http://www.guerilla-ciso.com/

• Everything in Moderation:  No big surprise–I moderate comments.  This is pretty much so I can keep the spam out.  I’ve only had one legitimate post that I deleted because it was personal in nature from a person who knew me in “a past life”.
• Email is Semi-Anonymous:  If you post a comment using a bogus email address, I’m happy with it as long as the content is relevant and doesn’t look like spam.  The email address is really only so wordpress can track you and automagically approve your next post as long as the name and email match up.
• Thou Shalt Remember the Chatham House Rule:  I do not repeat anything that was told to me in confidence.  Neither should you.  Yes, there are things I won’t write on here, like the conversation I had with [censored] from [censored] who confirmed that [censored]-[censored] is not yet final because [censored].
• I’m Neither a Crook Nor a Cop:  I have yet to receive any kind of subpoena asking for subscriber or commenter information, nor do I send you stupid spam jokes because I know who you are.

I’ll end with one of my favorite army jokes:  “What’s the difference between a war story and a fairy tale?  A fairy tale begins with ‘Once upon a time’, war stories begin with ‘No sh*t, there I was'”.

• On Government Employees, Culture, and Survivability
• The Press has Me all Confused
• My Blog is Dead, Long Live My Blog!
• On Why I Blog… FUD is the Reason for the Writin’
• A Funny Thing Happened Last Week on Capital Hill