November 22, 2008
National Journal's Technology Daily
Issue Of The Week: Aug. 5, 2002
The PKI Path To Security
by Maureen Sirhal

     Initiatives to secure the nation's physical and cyber infrastructure have taken center stage since Sept. 11, 2001, and many experts in the area say an already existing technology known as public-key infrastructure, or PKI, could aid in those efforts. But companies have been slow to embrace the technology due to the vagaries of a 2000 law.
     PKI provides a mechanism to authenticate a person's identity on the Internet, and it is often promoted as the technological solution to verify that an online transmission, such as e-mail or an e-commerce transaction, has originated from the person who claims to have made it.
     Cyber security is a fundamental underpinning of the Bush administration's homeland security strategy. The proposed Homeland Security Department would emphasize cyber security for private companies, and most technology trade groups are clamoring to have one central place, such as the proposed Cabinet-level department, address the issue.
     A survey conducted by the National Association of Manufacturers (NAM) showed that the issue of cyber security was not a great concern to NAM members before last year's terrorist attacks in Washington and New York, but Tom Orlowski, NAM's vice president of information systems, said that outlook "flip flopped" after Sept. 11.

Defining 'Electronic Signature'
     Roger Cochetti, vice president for global policy at VeriSign, which sells PKI among its Internet security software offerings, said that the critical elements for security are integrity and authentication in dealing with Internet transactions and communications. "There are two things you have to have for security: You have to have integrity and ... authenticity." Integrity ensures that communications are protected, and authentication verifies the actual identity of the person sending the message, he noted.
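An added illustration of the two properties Cochetti names, and of the origin check the article describes above, in Go (example code, not from the article or from VeriSign; the party names, the sample message and the Directory type standing in for a certificate authority's name-to-key binding are constructed for this example):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is one participant; the private key never leaves its owner.
type Party struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewParty generates a fresh Ed25519 key pair for a named participant.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Pub: pub}, nil
}

// Sign produces the digital signature a sender attaches to a message.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Directory stands in for the certificate authority's role in a PKI: a
// trusted binding from a claimed identity to the public key it may use.
type Directory map[string]ed25519.PublicKey
// VerifyFrom asks the relying party's question: did msg arrive unmodified
// (integrity) from the holder of the key bound to claimedSender (authenticity)?
func (d Directory) VerifyFrom(claimedSender string, msg, sig []byte) bool {
	pub, ok := d[claimedSender]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false // unknown sender or malformed key: reject outright
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	alice, _ := NewParty("alice")
	eve, _ := NewParty("eve")
	dir := Directory{alice.Name: alice.Pub}         // eve holds no binding
	msg := []byte("Transfer 100 USD to account 42") // constructed sample
	sig := alice.Sign(msg)
	fmt.Println("genuine:", dir.VerifyFrom("alice", msg, sig))                                        // true
	fmt.Println("tampered:", dir.VerifyFrom("alice", []byte("Transfer 900 USD to account 42"), sig)) // false
	fmt.Println("impostor:", dir.VerifyFrom("alice", msg, eve.Sign(msg)))                            // false
}
```

The third check is the point the article's later sections turn on: the signature alone proves nothing about who signed until some trusted party has bound the key to a name, which is the "infrastructure" in PKI.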
     Congress passed the Electronic Signatures in Global and National Commerce Act (ESIGN) in June 2000. The measure gave the same legal weight to digital or electronically signed documents that is afforded to pen on paper but never specified what sort of technology or method constitutes a "digital signature."
     "What we lack in the area of authentication is tools that are needed to give legal predictability to the use of electronic signatures," Cochetti said. "ESIGN sort of left off with the thought that you can't throw out a signature because it's in digital form. But no judge was given any guidance in figuring out what does constitute a valid electronic signature."
     Instead, the law created a system whereby the courts and legal challenges would create a body of law to outline practices that satisfied the law's requirements, Cochetti said. "Deferring this definition to the court is a process that will take a very long time."
     VeriSign's role in pushing the use of electronic signatures is not surprising. Thomas Crocker, a partner with law firm Alston & Bird in Washington, noted that the PKI industry was a major influence in the passage of ESIGN. Even so, he contends that ESIGN contains a "lot of uncertainties and vagueness in its language," and "as a result there has been a rather noticeable reluctance to rely on the statute to use digital signatures."

A Promise Unfulfilled?
     Understandably, most businesses are not eager to be the first in court to determine the legality of e-signature technology. "We need to give more guidance to the courts on what constitutes a valid electronic signature rather than simply wait for litigation to work its way through," Cochetti said.
     Other experts have echoed Cochetti and Crocker, adding that ESIGN's language makes it unclear whether it pre-empts certain state laws. Cochetti posited that the uncertainty is causing businesses to avoid PKI technology as a means to implement e-signatures and hence could be hindering a fundamental pillar of cyber security.
     ESIGN's promise for the majority of businesses has remained hollow and unfulfilled, Crocker and others charge. With the exception of industries like financial services and some sectors within the healthcare industry, widespread consumer or business use of PKI is very low.
     Several industry experts and federal officials have cited other reasons for the lackluster adoption of electronic signatures. They say the promise of PKI may have been overly hyped, for example. "It's not so much that ESIGN discouraged the private sector or government sectors in adopting the technology" for PKI, said Simon Perry, vice president for security strategy for Computer Associates. It was just "overstated by a number of sectors."
     Perry said that for many of Computer Associates' customers that sought to implement PKI technologies, 7 percent of those projects never exceeded the 'pilot' phase. "The reason for that is that there was never a sound business reason for doing PKI," he said. For many companies, computer security and secure online transactions might not require a technology like PKI. Rather, biometrics could be the answer, he added.
     The expense of implementing PKI technologies has led some companies and federal agencies to seek other options. "It's expensive and it's enormously complex," said Douglas Sabo, director of government relations at Network Associates. The economic downturn also is a key variable in determining which security measure, if any, a firm will implement, he noted.
     It is a dilemma, Sabo said. "On one side of it, customers are saying security is the No. 1 concern, but because of economic realities, companies haven't been able to follow through on that."
     Additionally, when faced with a lengthy menu of options, companies are grappling with which area of network security to tackle first. "The digital piece of it is nice, and there are some folks around that I have heard implement digital signatures, but there are so many other aspects of security that are wide open," NAM's Orlowski said.

Uncle Sam As Innovator
     Many e-signature practitioners say the impetus for pushing secure online signatures should come from the government. "The federal government is the 800-pound gorilla in the IT world," Sabo said. With billions of dollars allocated for technology projects across federal agencies, "I think those in the PKI industry are looking at the government," he said.
     To be sure, industries looking to e-signatures and PKI technologies for e-commerce transactions are doing so in part because of federal regulations. The financial services sector is looking to technology like PKI to comply with federal rules for privacy in information practices, and healthcare providers are increasingly using the technology to meet guidelines in federal rules promulgated under the Health Insurance Portability and Accountability Act.
     "When the government begins to demand certain technologies or establish a standard by outlining what's acceptable ... that certainly helps drive a cross-industry, cross-government standard," Orlowski said.
     Perry argues that most firms looking at cyber security must define their purpose before picking technologies. Many firms automatically look to PKI because it was hyped for so long as the best solution. But not every transaction requires the level of security offered by PKI, he said.
     The driver for technology will be commercial, and it will require the same cost-benefit analysis as every other business purchase, he said.
