Commission on Enhancing National Cybersecurity: Implement MFA

At the end of 2016, the Commission on Enhancing National Cybersecurity, a nonpartisan committee charged with developing actionable recommendations for securing and growing the digital economy, presented its report to then President Obama.

federal columns_60493615 copy

While Obama has left office, the report still provides a valuable path towards ensuring cybersecurity, mapped out in a series of key action items. The most relevant for readers of this blog are found in Recommendation 1.3, summarized below.

Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.

As you know, Centrify is a provider of, and strong believer, in multi-factor authentication (MFA). And we agree that a government-private initiative in this area would be effective in driving more rapid, widespread adoption.

As the report mentions, the main point of entry for many of the largest and most destructive breaches of the last several years were consistently the same — compromised identity characteristics. This shouldn’t come as a surprise to most of us — it’s the reason we often refer to identity as “the new perimeter.” But despite the fact that most of us know strong authentication is essential in today’s environment, and the fact that industry leaders have been calling for MFA since at least 2004, usernames and passwords remain the most widely used form of identification and authentication today. And that isn’t good enough.

The report states, “An effective identity management system is foundational to managing privacy interests and relates directly to security.” Exactly. It goes on to provide four specific short- and medium-term action items that would go a long way in improving identity management practices.

Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication

This action item advocates strong authentication for all external-facing government apps that require identity management. This would include IRS tax services, social security accounts, passport services and Medicare and Medicaid healthcare programs, among others. The use of MFA solutions across these consumer-facing apps will help to extend adoption across the private sector as it follows the government’s lead, and also leverages the resulting increased comfort levels of citizens with the technology.

Action Item 1.3.2: The next Administration should direct that all federal agencies require the use of strong authentication by their employees, contractors, and others using federal systems.

This basically extends the use of MFA technology to all entities associated with federal agencies, which again will help to drive acceptance, adoption and familiarity across the private sector.

Action Item 1.3.3: The government should serve as a source to validate identity attributes to address online identity challenges.

This section calls for an inter-agency task force that acts as an authoritative source to validate identities across the marketplace. This would be an extension of the vital role government already plays in the identity ecosystem that includes driver’s licenses, birth certificates, etc. This system would be used to augment current private sector efforts in identity management.

Action Item 1.3.4: The next Administration should convene a body of experts from the private and public sectors to develop identity management requirements for devices and processes in support of specifying the sources of data.

This action item revolves around the rapid growth of Internet of Things (IoT) devices and recommends the creation of a team of experts focused on how to establish trust in the way these devices capture, process and aggregate data, while keeping users safe.

Overall, this is a good set of recommendations that will help the new US leadership to address several issues that have been largely neglected up to now. Execution of these action items, including the implementation of strong authentication by the federal government and its associated agencies, will certainly help to drive adoption in the private sector.

To learn more about today’s MFA, check out our eBook: “Level Up Your Security.