We aren't making any progress in securing cyberspace. If anything, break-ins are happening more frequently than ever before.
For example, last year, there were nearly 61,000 cyber attacks and breaches across the entire federal government (and those are just the ones we know about). Clearly, leaving this problem solely to industry to solve has not worked.
Why not try something different: a public/private partnership to update the technology we use for authentication?
If the government ran (or helped launch) a "trustable" federated identity (TFI) service using technology available today from the private sector, that could go a long way to securing our computing infrastructure. The same TFI service could also be supplied by other governments and/or private companies to people all over the world.
A TFI service has the following properties: no compromise of its infrastructure can produce a mass breach of identity credentials; authentication is end-to-end secure and does not rely on certificate authorities; the identity provider can never itself assert (that is, impersonate) a given user's identity; all shared secrets are eliminated; and a user's privacy (browsing history, personal information, etc.) is preserved and unknown to the identity provider.
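The "no shared secrets" and "no mass credential breach" properties above both follow from authenticating with a private key that stays on the user's device instead of a password the site also holds. The following Go program is an added illustration of that one mechanism (Ed25519 challenge-response with the signed challenge bound to the site's origin); it is not the TFI design this post proposes, not code from its author, and it does not model the identity-provider or privacy properties. The RelyingParty/Client names, the origin https://bank.example, and the users alice and mallory are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty is the site being logged into. It stores only public keys and
// the nonces it has issued; no password or other shared secret exists in its
// database, so a dump of it gives an attacker nothing to log in with.
type RelyingParty struct {
	Origin  string
	users   map[string]ed25519.PublicKey
	pending map[string]struct{} // outstanding nonces, hex-encoded
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string]struct{}{}}
}

// Register binds a username to a public key generated on the user's device.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// NewChallenge issues a fresh 32-byte nonce and remembers it so it is accepted once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(nonce)] = struct{}{}
	return nonce, nil
}

// signingInput is the exact byte string signed: the origin the client believes
// it is talking to, a separator, and the nonce.
func signingInput(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Verify checks a signed challenge. The nonce is consumed whether or not the
// signature is valid, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, nonce, sig []byte) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	key := hex.EncodeToString(nonce)
	if _, ok := rp.pending[key]; !ok {
		return errors.New("nonce unknown or already used")
	}
	delete(rp.pending, key)
	// The site verifies against its own origin, never one the client names.
	if !ed25519.Verify(pub, signingInput(rp.Origin, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Client holds the private key, which never leaves the user's device.
type Client struct{ priv ed25519.PrivateKey }

func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Answer signs the nonce together with the origin the client actually connected
// to, so a phishing site relaying a real nonce only gets a signature over its
// own origin, which the real site rejects.
func (c *Client) Answer(seenOrigin string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, signingInput(seenOrigin, nonce))
}

// RunScenarios runs a legitimate login, a replay, a forgery by an attacker who
// holds a full dump of the site's database, and a phishing relay. Only the
// first returns nil.
func RunScenarios() (legit, replay, forge, phish error) {
	rp := NewRelyingParty("https://bank.example") // assumed origin for the example
	alice, alicePub, err := NewClient()
	if err != nil {
		return err, err, err, err
	}
	rp.Register("alice", alicePub)
	n1, _ := rp.NewChallenge()
	sig1 := alice.Answer(rp.Origin, n1)
	legit = rp.Verify("alice", n1, sig1)  // 1. genuine login
	replay = rp.Verify("alice", n1, sig1) // 2. same response again: nonce already consumed
	mallory, _, _ := NewClient()          // 3. attacker has rp.users (public keys) but not Alice's key
	n3, _ := rp.NewChallenge()
	forge = rp.Verify("alice", n3, mallory.Answer(rp.Origin, n3))
	n4, _ := rp.NewChallenge() // 4. a look-alike site relays n4; Alice signs the origin she sees
	phish = rp.Verify("alice", n4, alice.Answer("https://bank-login.example", n4))
	return
}

func main() {
	legit, replay, forge, phish := RunScenarios()
	fmt.Println("login:", legit, "| replay:", replay, "| forgery:", forge, "| phishing:", phish)
}
```

The point of the four scenarios is what a breach of the relying party yields: the attacker in scenario 3 is given everything the site stores and still cannot produce a valid response, which is exactly the property a password database cannot offer. Binding the signed bytes to the origin the client sees (scenario 4) is the same idea WebAuthn uses to defeat credential phishing; it is a design choice for this illustration, not something the post specifies.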
Adoption by sites and users would be entirely optional. Such a system would both make it much harder to break into computers and limit the information lost if a break-in did occur. It would also improve the security of client-server communication and provide a far more secure means of identification than social security numbers or other personal information.
Passwords, the locks on our front doors, are more than 50 years old, and it's high time for a makeover. The Anthem breach, for one, began with the compromise of an administrator's login credentials.
Is there a better idea on the table for improving the status quo? So what are we waiting for? Let's enumerate our options, pick the best one, and get moving!
For details, see "A new approach to making it harder to breach computer security".