Building trust in the age of data breaches
Protecting user data and identities is a never-ending battle, but there are some powerful tools available
Change is in the air. From the United Kingdom and the United States all the way to Australia, governments are putting stronger cybersecurity and authentication programmes in place. Governments in Asia should sit up and take notice.
In Thailand alone, three in five organisations say they have experienced a cybersecurity incident, costing companies and residents an estimated 286 billion baht, according to a Frost & Sullivan study. Given that it is practically impossible to avoid using the internet today, there is increasing pressure to implement better security to protect consumer information.
Governments are no exception. For example, as the Thai government moves towards a more digitised approach, it aims to develop an integrated information network within various sectors, including public administration, disaster prevention and investment, by 2021. Like all governments worldwide, it is seeking identity solutions that deliver not only improved security, but also privacy, interoperability and a better user experience.
To better serve citizens, while meeting public expectations for personal data safety, governments may want to explore using industry-backed certification, instead of building their own from scratch. In the world of digital security, one of the most influential cross-industry alliances is the FIDO Alliance. FIDO (Fast IDentity Online) champions simple, strong authentication, making the case that user data cannot be hacked from a server if it remains on the user device.
An example of this can be seen in Australia. A recent announcement from the Australian Signals Directorate (ASD) represents a major step forward in the use of strong authentication -- and lays the groundwork for other governments to easily use authentication products certified by the FIDO Alliance without having to create their own certification programmes. The FIDO Alliance certifies authentication devices to verify that they comply with FIDO specifications and meet certain security profiles.
The ASD recommendation is significant; I believe it is the first time that a government has opted to recognise FIDO's certification programme, rather than try to create one of its own.
In January, the ASD's Australian Cyber Security Centre (ACSC) published updated guidance on multi-factor authentication that highlights the benefits of FIDO U2F authentication.
This follows recognition of the value of FIDO authentication from governments such as the United Kingdom (via National Cyber Security Centre recommendations) and the United States (via National Institute of Standards and Technology guidance).
During the time I worked in government, leading the National Strategy for Trusted Identities in Cyberspace (NSTIC) in the United States, there was a major focus on adopting strong, secure authentication. The benefits of using identity solutions from the private sector were clear as day.
But trust was a key challenge -- how could the government trust identity solutions that it did not issue?
While there were some early efforts in 2011 -- when NSTIC first launched -- to certify a handful of non-government identity solutions for government use, the FIDO Alliance programme stood out.
An existing, globally recognised certification programme, it was developed through thousands of hours of volunteer efforts by both industry and government, who have partnered to develop both the programme and the underlying standards that enable simpler, stronger user authentication.
As other governments around the world consider how to best use identity and authentication solutions from outside of government, they have the benefit of relying on an existing, globally recognised certification programme. In embracing strong authentication, there is no better time than now.
Jeremy Grant is the managing director of technology business strategy at the Washington-based law firm Venable LLP. He is a former senior executive adviser to the National Strategy for Trusted Identities in Cyberspace (NSTIC).