A few years ago, I drafted the first version of a paper for the Federal Public Key Infrastructure Policy Authority (FPKIPA) entitled “The Realized Value of the Federal Public Key Infrastructure (FPKI).” At that time, we declared the FPKI mature and proudly documented its value to the Federal PKI community. The laundry list included strong digital signatures, authentication and encryption, and “Trusted Interoperability between Disparate Systems.” We also spoke of “Increased Industry Adoption.” We thought all the battles were over and that PKI, once adopted, would provide a trusted, secure environment for Federal transactions.
A recent survey calls those assumptions into question, especially the soundness of the trust fabric that underpins PKI and, with it, much of our government and economy.
I refer to the Ponemon Institute survey, underwritten by Venafi, of 2,342 respondents from mainly Global 2000 enterprises: “2013 Annual Cost of Failed Trust Report: Threats and Attacks.” This is reportedly the first attempt to quantify the potential cost of flawed PKI-based trust over the next two years, which the Ponemon Institute estimates at $400 million per enterprise.
The Ponemon Institute maintains that “no enterprise is safe.” Every one of the global enterprises surveyed reported having experienced an inability to control trust. The report summarizes how failure to control trust, in the face of increased threats and breaches, places all global enterprises, including governments, at risk. “A few kilobytes of cryptographic data is all that stands in the way of millions lost in sales, grounded airplanes and closed borders,” the report states (Ponemon report, p. 3).
The report goes on to relate the cost of each type of breach and breaks down the percentage of financial losses incurred by PKI-enabled global enterprises per threat type in five countries: the U.S., the U.K., Australia, France and Germany.
The threat to, and potential losses for, cloud-based services are probably even higher, but that remains to be seen.
I’d like to stop now and ask you to read the Ponemon Institute report, so that we can open a dialogue on its findings and potential fixes. And, I’d like to elicit information about how well you think the U.S. Federal Government is doing in regard to measures being taken to avoid erosion of the Federal PKI.