Smart Card Alliance Government Conference Day One: Experts Talk NSTIC and Moving Away from ‘Broken Passwords’
Washington, DC, November 3, 2011, 10th Annual Smart Card Alliance Government Conference – Passwords are broken, and key logging, man-in-the-middle, phishing, and malware attacks have made the industry’s reliance on passwords the soft underbelly of the Internet, according to Jeremy Grant, senior executive adviser for identity management at NIST and the manager responsible for creating the national program office for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Addressing attendees at the 10th Annual Smart Card Alliance Government Conference, taking place this week through November 4th at the Ronald Reagan International Trade Center in Washington, DC, Grant cited two examples of how smart card technology can help to solve the problems the NSTIC intends to address. Several years ago, network intrusions at the Department of Defense (DoD) fell 46 percent almost overnight when the agency mandated that passwords could no longer be used and smart cards were required to access all systems. More recently, the U.S. Army cut classified leaks by 85 percent using a software program tied to their smart card-based Common Access Card (CAC).
Passwords are the most common vector for attacks that lead to data breaches, with four out of seven attacks linked to weak passwords, according to a Secret Service study conducted by Verizon that Grant cited.
“The online industry is stunned by the lack of security,” said Don Thibeau, executive director of the OpenID Foundation and chairman of the board of the Open Identity Exchange (OIX). “Well over 100,000 identities are stolen every day in America.”
A panel of identity security experts came up with a list of ways to evaluate whether the NSTIC is successful. Gartner’s Ian Glazer suggested that having a set of technical norms and established trust patterns that the industry can follow would be a good metric of success.
Mike Wyatt of Deloitte suggested that getting industries aligned around a standard approach would be a measure of success, citing SAFE-BioPharma as an example.
Joni Brennan of the Kantara Initiative said that the NSTIC would be effective when identity becomes embedded in people’s lives and as normal as using a driver’s license or passport.
Aaron Brauer-Rieke of the Center for Democracy and Technology set a more practical measure for the program’s early stages, stating, “If someone would get excited and do something–that would be a success.”
Thibeau sees the NSTIC as a forcing function that will get security specialists in the smart card community talking to the online community. “There’s no question the Alliance has a seat at the table. The question is where is the table and who else is there?” he said.
Other highlights from the conference’s first day:
The Commonwealths of Virginia and Pennsylvania in the Philadelphia region are issuing 68,000 Personal Identity Verification-Interoperable (PIV-I) credentials to first responders.
FEMA’s National Incident Management System (NIMS) document has been a big factor for getting state and local governments to move forward because it established the use of PIV-I credentials as a best practice for first responders, according to Bobby Kagel, the deputy director for emergency management in Chester County, Pennsylvania.
In discussing the use of PIV-I smart cards for online security, Northrop Grumman’s Ken Lehman said, “When you look at the threats that are out there, this is the silver bullet.”
“This marks the 10th year of the Smart Card Alliance Government conference and our collaboration with government identity security and policy leaders,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “Through the breadth of government and commercial individuals who actively participate in our organization, we have maintained a consistent and prominent role in education and awareness around government identity programs.”
For more news from the 10th Annual Smart Card Alliance Government Conference, follow the Smart Card Alliance on Twitter @SmartCardOrgUSA, hashtag #scagovconf, and Facebook at Smart Card Alliance.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.securetechalliance.org.