The Internet is anonymous. When conceived, security was not a consideration, and no universal identity scheme has since been developed.
Organizations that require security for their online communications and transactions have been forced to buy or build their own identity assurance technologies. As with any attempt to prove a negative, their effectiveness of these security systems is only revealed when they fail, and their value is only demonstrated by the resulting losses, measured in money, prestige or damaged careers.
To confirm the identity of one user to one Web site, or to assure an individual that the site they have reached is genuine, is a relatively simple process, and the costs, benefits and liabilities in the transaction can be assigned. Verifying the identity of anyone who simply drifts in from the Internet “cloud” asking for service, or deciding that a Web site is indeed what it purports to be, is much more difficult.
Web services and service-oriented architecture promise a more organic Internet, with responsive and innovative reaction to consumer demand. Citizens, the consumers of government services, believe their public-sector providers should match the online experiences they enjoy elsewhere.
The user has subjective ways to evaluate speed and convenience, but security remains a negative – until it fails, it’s fine. Businesses can manage their online risk and even take out insurance policies against failures, but governments do not have that luxury. Collectively, there has been a huge investment in the hardware and software that now connect the world, but much of the return depends on identity management.
As a consumer, an Internet user will understand and tolerate the different identity requirements of businesses and organizations. It’s clear there are different security requirements for different sites, and they do not expect the passwords and tokens that work at a banking site to open their e-mail account or an online store.
As a citizen, however, the Internet user probably expects governments, if not “The Government,” to act as one. It is probably a simplistic overstatement to say that taxpayers see only one government (they know a city does not issue drivers’ licences, for example, and that provinces do not yet issue passports), but they may well expect a single gateway to government services.
The task of co-ordinating identity management in the federal government resides in the Chief Information Officer Branch (CIOB) of Treasury Board Secretariat, and more specifically at the desk of Alice Sturgeon, its senior director.
When she took up the assignment almost two years ago, the challenge ahead was clear. “These departments and agencies tended to be working very much in isolation, doing their own research and trying to find their own path forward while meeting all the various policy requirements,” Sturgeon says.
“It made so much more sense to bring people together to one table and start talking to everybody together so we could collaborate.” A small team at the CIOB is now working with people in other departments and agencies, and an interdepartmental subcommittee on identity management is reporting to a senior level.
“We have actually worked out a very simple statement of a policy objective,” explains Sturgeon, “which is to make sure that the government is dealing with the right person. It is a very simple statement, but it really says a lot and it goes a long way towards a direction for all of the other policy instruments and deliverables that might flow out of it.”
A comprehensive government identity solution has to cover a huge number of users and business processes. CIOB has identified three client groups: Canadians and landed immigrants; businesses and organizations; and internal government employees and contractors.
The number of discrete business processes will probably never stop growing, or changing, long enough to be counted. “The main objectives of CIO Branch are improved service delivery and improved IM and IT, government-wide, so what we are doing on identity management really helps to support that, particularly in service delivery. “Overall, we see the identity management work as having the primary objective of improved service delivery.”
Looking ahead, there may be some high hurdles to a comprehensive identity management solution at the federal level. For example, can an approach that “provides detailed guidance but does not prescribe any specific technology or [product]” and that also “enables interoperability between systems, technologies and [products]” really be compatible with one that “leverages current investments and accomplishments, Secure Channel and ePass infrastructure”?
To mobilize resources and co-ordinate efforts across the country, a national committee on identity management and authentication has been set up, under joint management, by the Public Sector CIO Council and Public Sector Service Delivery Council.
As well, the Municipal Information Systems Association, a national organization, has named one of its major priorities as the alignment of methods for online identity management, authentication and authorization.
The bureaucratic tools for building a broad consensus appear to be all in place. Success depends on will and skill.