‘Death of the Password’ Among Ideas to Change the Future of Cyber

Lisa Donnan, left, Jenny Menna, and Renee Tarun address the 2016 Cyber Security Brainstorm on Sept. 13, 2016. (Photo: MeriTalk)

Lisa Donnan, left, Jenny Menna, and Renee Tarun address the 2016 Cyber Security Brainstorm on Sept. 13, 2016. (Photo: MeriTalk)

The future of cybersecurity in the government and beyond relies on finding the kernels of innovation potential within “crazy” ideas, according to experts. One such idea is to abandon the concept of passwords altogether.

“We need to get past using a password as the way we log in,” said Jenny Menna, vice president of security intelligence, engagement, and awareness and cybersecurity partnership executive at U.S. Bank. “All of us hate having gotten to the point where you have 50 passwords, and they’re all supposed to be different for very good reason, and you’ve got to change them all the time, they’ve gotta have special characters. It’s just too hard.”

Menna said she was particularly interested in the concept of having one identifier for a variety of interactions that was both secure and effective.

“In an ideal world, [we would] be able to have some sort of a way to identify ourselves, so that whether if you’re interacting with your bank, maybe there’s certain attributes of information that get shared, but have the same way to log in with your health care provider or your interaction with the government, recognizing that there’s certain parts of information that wouldn’t get shared with those people and, at the same time, that there may be times when you want to be totally anonymous on the Internet,” Menna said.

Phil Quade, director of the NSA cyber task force and special assistant to the director of NSA for Cyber, agreed with Menna, saying that such an identifier has the potential of “solving the world peace of the Internet.”

Universal identifiers are not an untried concept, as Estonia currently issues electronic IDs to its citizens that act as voter identification, health insurance cards, banking identification, government information access IDs, and many other forms of ID.

Lisa Donnan, board director of the National Cyber Security Society, also talked about identifiers as a source of cyber innovation.

“PKI [Public Key Infrastructure] is one of the things that I wrestle with,” said Donnan. “I think that innovation around PKI and using some of those data schematic schemes and putting some R&D into that would be a worthwhile exercise.”

Panelists and audience members at MeriTalk’s 2016 Cyber Security Brainstorm also addressed the potential for blockchain, and the concepts behind it, to be integrated into government cyber.

“Right now, blockchain is the way that virtual currencies like bitcoin work,” said Menna. People have talked about how the concepts might be applied in the security space, but it’s really about those virtual currencies and this concept of a shared ledger that everyone has, that all the people participating have visibility into.”

Renee Tarun, deputy director of the NSA Cyber Task Force, pointed to Integrated Active Cyber Defense as an innovative process that government can be taking advantage of.

“Essentially you’re going from sensing, sense making, decision-making, and acting to essentially detect and mitigate cybersecurity risk as being scale,” Tarun said. “And that’s leveraging a technology called security orchestration. It’s essentially taking all of the security components you currently have within your network environments, and we’re having them work together as a team.”

“I think we’ve kind of lost the game of cyber. I think that if you look at all of the classic 900-plus companies that we have, all doing the best they can, but it’s defense,” said Donnan. “I think we’ve kind of gotta try to look at those leapfrog technologies where there can be innovation.”

Jessie Bur
About Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
One Comment
  1. Anonymous | - Reply
    Misinformed hype, isn't it? However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort. And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us. Are you aware of this? https://youtu.be/-KEE2VdDnY0

Leave a Reply