Clarke urges high standards for ID cards

President Bush's former counterterrorism chief yesterday called for the government to establish a system of open-source and transparent standards for a federated identity card system, noting that Americans continue to face the dual threats of identity theft and terrorist attack.

"You should want the highest form of technology and security for your privacy information, and frankly, we don't have that today," Richard Clarke said. A federated identity card would not necessarily be a national ID card, but privately issued identification cards, he said. Clarke spoke about managing smartcards and biometric identifiers at a Sept. 13 conference in Washington hosted by the Center for Strategic and International Studies.

"Federated" identity refers to an individual's authentication across multiple information technology systems or organizations. A federated identity card system would allow individuals to use the same user names, passwords or other personal identification to access the networks of more than one enterprise to conduct transactions.

Companies and government agencies that participate in such a system depend on each other to authenticate their respective users and permit them access to their services. They can share applications without having to adopt the same technologies for directory services, security and authentication.

The federated identity cards might be driver's licenses or another form of identification that would allow government agencies and private sector entities to choose which one that want to affiliate with, Clarke said.

Congress passed the Real ID Act in May, which will require states as of May 2008 to issue federally approved driver's licenses or identification cards to those who live and work in the United States. The ID cards will be required for citizens to drive, enter federal government buildings, collect Social Security, access a federal government service or use the services of private entities such as banks and airlines, which are required by federal law to verify customer identity.

Clarke said the country does not need "Potemkin IDs," but rather "real IDs that are verifiable and use the best security techniques and the best technology."

Besides open-source and transparent standards for federated identity cards, Clarke also recommended third-party audit and verification of the companies that issue the federated ID cards and that use them.

He also suggested that government regulators require two-factor authentification for smart cards for activities that they oversee, such as health care.

Clarke also said the government should pass and implement standards for protecting databases that hold private information. He also called for an independent and active civil liberties oversight board to serve as a watchdog for both government and private sector use of personal information.

President Bush appointed a new civil liberties protection board following the issuance of the Sept. 11 Commission Report and congressional passage of most of its recommendations, but the board has not generated much activity, Clarke said.

"We all need to demand that the civil liberties board created by the President be active and proactive, because if we're going to be using technology to protect our identity and protect our security, we have to have an active and independent civil liberties oversight function," he said. "And to the extent that it is not being done by government, we need to have active and independent [nongovernmental organizations] that are doing it."

Clarke served as a senior White House adviser to the last three presidents. During his 11 consecutive years of service there, he held the titles of special assistant to the president for global affairs, national coordinator for security and counterterrorism, and special adviser to the president for cybersecurity.

He testified before the Sept. 11 Commission last year that Bush administration did not consider terrorism an urgent priority before the attacks, despite Clarke's repeated warnings about the al-Qaeda terror network.

Clarke is now chairman of Good Harbor Consulting LLC, a Washington-based company that provides strategic advice and counsel for industry in the areas of homeland security, cyber security, critical infrastructure protection and counterterrorism.