The future of online trust

Craig Spiezle

Trust is an asset that takes a long time to build, but a millisecond to lose. The level of online trust in government impacts its efficiency, effectiveness and relevancy to customers and constituents.

During the past year, new levels of sophisticated spear phishing, resilient botnets, social networking abuse and malicious advertising affected nearly every industry, compromising valuable data and targeting government agencies in particular. The impact is both direct and indirect. Government employees and critical infrastructure are increasingly being targeted, while consumers are losing confidence in government services due to increased levels of forged email coming from nearly every branch of the federal government. 

With this onslaught of threats, the proliferation of mobile and personal devices and increased use of social media, it is imperative for both the private and public sectors to renew a commitment to implementing a security- and privacy-by-design discipline. 

Government agencies are challenged with the convergence of many issues spanning cost constraints, OMB directives and being targeted increasingly by cyber-criminals. The challenges currently facing government include:

  1. The underlying requirement for government to be more efficient, responsive and progressive from an operational standpoint, as well as the pressure to be open and accessible 24/7 from a growing range of BYOD mobile devices and platforms.
  2. Minimization of the deception, spoofing and forging of emails from key government agencies. In other words, can individuals trust that emails from the agency have actually come from the agency? Otherwise, trust and accessibility are compromised and the efficiencies and effectiveness of the Internet will not be fully realized.
  3. Minimization of fraud from users and consumers. Can organizations trust the identity of an individual coming to them for services over the Internet to avoid misuse of funds?  

 

The future of online trust will require meeting all the above challenges. Fortunately, strides have already been made in the adoption of online security best practices, including authentication to protect against spoofing, privacy policies and server SSL configuration. According to the 2012 Online Trust Honor Roll & Online Trust Index, the OTA’s annual analysis of adoption of best security practices, the federal government sector showed the highest growth rate of all sectors in adoption of security and privacy best practices, with the rate of adoption growing from 36 percent to 50 percent, reflecting the support of the Federal CIO Council, the White House Office of Management & Budget (OMB) and the U.S. Department of Homeland Security.

It’s not enough, however, and even more efforts are in process to make sure that the government and private security and privacy efforts go beyond reactive measures. A case in point is the National Strategy for Trust and Identity in Cyberspace (NSTIC), which is promoting initiatives such as the development of a better system of password management for customers in order to protect users from ID theft. NSTIC also is working on mechanisms that agencies can rely on to trust in the online identity of citizens who use their services.

The NSTIC, a government-convened and fostered initiative, is now moving from the government to the private sector and is a great example of a public-private partnership approach to a more secure and private online ecosystem. Implementation is now in high gear, with the launch of the privately-led Identity Ecosystem Steering Group and the award of more than $10 million in grants. James Sheire, of the Department of Commerce, and Peter Fonash, of the Department of Homeland Security, will be presenting on these and other initiatives at the upcoming Online Trust Forum, October 1-4 in San Jose, CA.

Following are several actions all organizations, and especially government organizations, can take to help ensure the future of online trust:

  • Implement both SPF and DKIM across all domains and subdomains;
  • Publish DMARC records;
  • Improve SSL implementation score;
  • Upgrade to EV SSL Certificates and consider adopting Always On SSL;
  • Adopt OTA’s Top 10 Recommendations for business, consumer and brand protection;    
  • Complete quarterly privacy and security risk assessments;
  • Initiate planning and deployment of DNSSEC.
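The first two actions can be checked mechanically. The following is an added example, not code from the article or from OTA: it audits SPF and DMARC TXT records for a domain and its subdomains, including the DMARC `sp=` inheritance that decides what happens to subdomains without their own record. The `agency.example` names and records are constructed, and the organizational domain is passed in by hand (real tooling derives it from the Public Suffix List).

```python
# Added example. Zone data below is constructed; agency.example names are placeholders.
RECORDS = {
    "agency.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.agency.example": [
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@agency.example"],
    "news.agency.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "forms.agency.example": ["v=spf1 +all"],
    "_dmarc.forms.agency.example": ["v=DMARC1; p=none"],
    # parked.agency.example publishes nothing at all
}

def parse_tags(record):
    """'v=DMARC1; p=none' -> {'v': 'DMARC1', 'p': 'none'}"""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_status(domain, records):
    spf = [t for t in records.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if alls:
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
        return {"-": "hardfail", "~": "softfail",
                "?": "weak: ?all", "+": "weak: +all"}[qualifier]
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"  # policy lives in another record; audit that one too
    return "weak: no all mechanism"

def dmarc_status(domain, org_domain, records):
    # A subdomain's own record wins; otherwise the organizational domain's
    # sp= tag applies, falling back to its p= tag.
    for name, tag in ((domain, "p"), (org_domain, "sp")):
        recs = [t for t in records.get("_dmarc." + name, [])
                if parse_tags(t).get("v") == "DMARC1"]
        if recs:
            tags = parse_tags(recs[0])
            return (tags.get(tag) or tags.get("p", "none")).lower()
    return "missing"

def audit(domains, org_domain, records=RECORDS):
    return {d: (spf_status(d, records), dmarc_status(d, org_domain, records))
            for d in domains}

if __name__ == "__main__":
    hosts = ["agency.example", "news.agency.example",
             "forms.agency.example", "parked.agency.example"]
    for host, finding in audit(hosts, "agency.example").items():
        print(f"{host:24} SPF={finding[0]:12} DMARC={finding[1]}")
```

A subdomain that never sends mail, such as the parked host here, still needs its own `v=spf1 -all` record, because SPF is not inherited from the parent domain.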

The public and private sectors have a shared responsibility to work together to help protect and secure our data, privacy and identity from abuse. While we have made positive steps across the ecosystem, one cannot rest on one's laurels. The number and sophistication of these threats continue to rise. If we work together, customers and constituents will be safer and systems more efficient and trustworthy. If we fail, we risk a tragedy of the trust commons.

Craig Spiezle is the executive director and president of the Online Trust Alliance, and serves on the Board of the Identity Theft Council. He can be reached at:

craigs@otalliance.org

 
