Module 4 -- October 21 through 27, 2013

Topic: Authentication and Identity Management

Authentication enables actors in cyberspace to know with whom they are communicating. Online identities may or may not be tied to a person or machine. When they are, attribution is possible. "Attribution" in this context refers to determining the person responsible for a nefarious attempt to disrupt or alter a computer network or data. An American Bar Association report calls attribution "[a]rguably the most salient technical issue in Cyberconflict," and it is an obvious necessity for enforcement of laws against cyber crime. Of course, an action in cyberspace that is truly anonymous is by definition incapable of attribution. Security requires a high capacity for attribution, while anonymity requires the opposite. Thus, some people may regard the spectrum of attributability as a tradeoff between security and civil rights. This tradeoff is seen in the Secretary of State's call to develop "new tools that enable citizens to exercise their rights of free expression" while at the same time pledging that "[t]hose who use the internet [sic] to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities." Clearly, the Secretary wants persons engaging in political speech to be able to conceal their real-world identities from tyrants, but wants terrorists and criminals to be identifiable to law enforcement. If persons use the same authentication instrument for banking, medical records and "anonymous" blog posts, their speech can be attributed to their physical world identity. Who will strike this necessary balance between trusted identification and civil liberties? Is requiring the authentication of all cyber actors the sine qua non of cyber security?

 

Reading Activity:

Please read this handout:

 

Lecture:

Please click the button below to start this week's lecture in Adobe Presenter format. The lecture runs about 74 minutes.

 

Pre-Discussion Activity:

Please post on the Discussion Board at least one question or clarification regarding the readings or the lecture prior to the live session on Thursday.

 

Online Seminar - Live Session:

Participate in the live online seminar on Thursday, October 24, 2013, 6:30 p.m. Eastern

Click the button to go to the seminar room:

 

Examination:

You can take a mini-examination including the questions about Module 4 now or at any time before the end of the course.

 

Additional Resources:

Preliminary Cybersecurity Framework, undated but released on October 22, 2013 by the White House and the National Institute of Standards and Technology. The document goes well beyond this week's topics but is of interest because it mentions the NSTIC and lists authentication as a critical area in need of improvement.

 


 

After the seminar on October 24, 2012, a link to a recording of the seminar will be posted here. The recording is intended for students who are absent from the seminar and for any student who wishes to review the material.


INSCT