Tuesday, 4 August 2009

US national identity management - no to anonymity, after all?

A keynote speech which seemed to be very anti-anonymity was given at the Black Hat USA Conference 2009 by Robert Lentz, who is Deputy Assistant Secretary of Defense for cyber, identity, and information assurance in the Office of the Assistant Secretary of Defense, and Chief Security Officer for the US Department of Defense.

From Dark Reading's report of Mr Lentz's speech:

"In my opinion, there needs to be a cyberczar just for identity. Without that, we're going to be done," said Lentz, who said reducing anonymity is key to ensuring security and resiliency on the Net. He noted that reducing anonymity also will generate debate over "legitimate privacy concerns," too."

Also see Heise Security's summary of the conference, which noted that Mr Lentz repeated "several times how important it is to get rid of anonymity on the Net".

Yet in contrast, in early July 2009 Thomas Donahue, director of cyber policy for Obama's National Security Staff, was reported as saying (at an identity management conference in Washington):

"Any system will have to allow for some level of anonymity, with room for a user to shed some anonymity in order to demonstrate trust with another person or a Web site in a digital relationship."

Very different attitudes, reflecting it seems very different backgrounds and priorities.

Anonymity has long been cherished as being vital for free speech in the USA.

The tricky issue will be how to reconcile the two approaches so as to strike the right balance between security and privacy.

As many said at the European e-Identity Management Conference June 2009 (including Mary Ellen Callahan, Chief Privacy Officer at the US Department of Homeland Security), privacy and security ought to be viewed as being two sides of the same coin, rather than being in conflict.

Much will depend on who is appointed as the US cybersecurity czar.

Melissa Hathaway, who was responsible for a review of cybersecurity for the Obama administration in April 2009 (full text of Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure), has just taken her name out of the hat (for details see the reports by the Wall Street Journal, BBC)

So the appointment of the US cybersecurity czar - and maybe cyberidentity czar? - will be awaited with especial interest.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.