US Offers $10M to Jump-Start ID Security Tech Research

Identity theft and privacy breaches are reported almost daily. For example, on Jan. 23, two utilities in New York reported that an employee of a software contractor allowed unauthorized access to a database containing social security, date of birth and other information. There was no indication the records were misused, the utilities said.

That same day the U.S. Department of Justice reported the arrest of three women in California for engaging in a scheme to use stolen identities to illegally collect tax refunds. And just days earlier, DoJ officials reported the arrest in New York of seven persons for using stolen identities to charge merchandise and gift cards.

There is an obvious need to improve methods for combating identity security breaches, including greater consumer awareness, more careful monitoring of consumer accounts, and better technologies.

To jump-start investments in identity protection, the National Institute of Standards and Technology has just offered US$10 million worth of grants to commercial companies and other organizations for research on improved identity security technologies.

The agency will sponsor a competition supporting pilot projects that feature improved systems for interoperable, trusted online credentials that go beyond simple user IDs and passwords. The competition is being managed by NIST’s office for the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and others to improve the privacy, security, and convenience of online transactions.

Proposals Due by Early March

“We’re looking for innovative approaches that can advance the NSTIC vision and provide a foundation upon which a trusted, user-centric identity ecosystem can be constructed,” said Jeremy Grant, NIST’s senior executive advisor for identity management.

“We can help to grow the online economy by enabling the advancement of promising new privacy-enhancing identity solutions — and ways to use them — that do not exist in the marketplace today,” he added.

NIST anticipates funding five to eight projects for up to two years in the range of approximately $1.25 million to $2 million per project. The deadline for submitting initial proposals is March 7, 2012. NIST will host an information meeting for prospective applicants on Feb. 15 in Washington, D.C., but attendance is not a requirement for project selection. The event will be available via a live webcast.

Barriers that have deterred identity solutions from being widely deployed in the marketplace, according to NIST, include the following:

Projects must meet several core principles guiding NSTIC. Identity solutions should be privacy-enhancing and voluntary, secure and resilient, interoperable, cost-effective, and easy to use.

One major issue in cybersecurity deployment is assessing the risk and reward for adopting protective policies or technologies, especially for commercial organizations. The benefit of a protection regime must outweigh the risks of breaches. Current debates over a national cybersecurity policy have included calls for incentives to reduce the financial risk commercial entities face in developing cyberprotection programs.

Incentives Will Spur Investments

“The grants initiative will get some ideas that are on whiteboards into actual practice. It provides some significant incentives to encourage technology investments, and the two-year commitment is an important factor for really sustaining these projects,” Craig Spiezle, executive director and president of the Online Trust Alliance, told CRM Buyer.

“It’s a positive development, and in a sense it demonstrates that the government is putting its money where its mouth is,” he said.

OTA, a nonprofit group with a broad public- and private-sector membership, focuses on public policy and sharing of best practices to promote online security. The group has been supportive of the NSTIC program and has been involved with NIST on forming a steering committee for the effort.

The grant program was shaped during outreach sessions sponsored by NIST as the facilitating body for the NSTIC. Participants include advocacy groups, technology firms and interested individuals.

“There has been a lot of excitement from those meetings about the potential for pilot projects. The input we’ve received at these workshops helped us to structure the types of projects sought through the Federal Funding Opportunity and the criteria for selection,” NIST’s Grant told CRM Buyer.

“The Internet safety mission is astoundingly big, and the NSTIC grants allow innovators for the first time a chance to add identity assurance as an important tool in the efforts to create meaningful online safety and privacy protections. While these NSTIC grants are a great opportunity for innovators, they’re even more of a win for consumers and Internet users,” Kelli Emerick, executive director of the Secure ID Coalition, told CRM Buyer.

As with many federal contract and grant activities, commercial firms are sometimes concerned about protecting their proprietary interests.

“That shouldn’t be too much of a barrier for participating in this program. The key goal is interoperability so that technologies of different parties can match up — so there are some common interests here. Some components of these projects, I would think, could still be protected,” Spiezle said.

Grants for pilot projects will be covered by U.S. Department of Commerce standards in conformity with federal law.

“The rights to any invention made by a NIST grant recipient are determined by the Bayh-Dole Act,” Grant said. “The specific rights for a given invention that may occur as the result of a grant can be complex. However, in simplest terms, the Bayh-Dole Act gives preference to the grantee rather than the government for retaining rights to intellectual property developed with federal assistance.”

Pilot Program Suggestions

NIST suggested some avenues of research that would be of interest, but noted that applicants were free to offer additional approaches. Among NIST’s suggestions:

• creating identity hubs to quickly validate credentials with strong authentication methods meeting agreed upon standards;
• developing incentives for consumers to use trusted authentication methods in lieu of user IDs and passwords;
• coming up with better ways to enhance consumer privacy, while simultaneously meeting business and security needs; and
• demonstrating interoperability across various technologies such as smart cards, one-time passwords, or digital certificates.

The overall NSTIC program is funded through the Commerce Department. When the department’s budget was approved last November, the allocation for NSTIC was $16.5 million. Congress approved an additional $10 million to establish a National Cybersecurity Center of Excellence at NIST. The level of funding in an era of tight budgets is an indication of the support for cyberprotection at the federal level.

“NSTIC is more than just a grant program to incentivize private sector innovation for secure technologies — it’s an opportunity for innovators at every level, especially for small guys with great ideas but who need help in bringing them to market,” Emerick said. “We look at NSTIC as the ‘moon shot’ of identity, something that is bigger than any one company or technology, with benefits for every Internet user.”