Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

4/16/2021
10:00 AM
Hal Granoff
Commentary

How the Biden Administration Can Make Digital Identity a Reality

A digital identity framework is the answer to the US government's cybersecurity dilemma.

While data breaches and ransomware attacks kept the cybersecurity industry preoccupied last year, the scope of the SolarWinds data breach far surpassed common exploits, garnering mainstream and social media attention. The breach impacted several of the country's largest technology companies, including Cisco, Microsoft, and NVIDIA, as well as the US Departments of Commerce, Homeland Security, and Treasury. This incident prompted President Joe Biden to quickly sign the American Rescue Plan Act into law, prioritizing cybersecurity and allocating $2 billion to modernize the country's digital infrastructure.

The Biden administration has promised to broadly improve digital security, monitoring, and response times, establishing a modern "digital identity" system of particular importance. A digital identity system compiles specific information, such as proof of age, passport number, and basic health and financial data, into one "card" that resides on your phone, backed with biometric security.


By using recent European regulations as a foundation to secure individuals' data and link it to their digital identity, the federal government could close the security gaps that have historically led to fraud. Digital identity authentication would be faster, more accurate, and more useful than manually checking physical ID cards, accelerating public and private sector transactions.

A Holistic Approach to Digital Identity
Digital identity has already gained bipartisan support on Capitol Hill. In 2020, Representatives Bill Foster (D-IL) and John Katko (R-NY) introduced the Improving Digital Identity Act, designed to establish a nationwide approach to improving digital identity. Now, the Biden administration plans to leverage digital identity to modernize public services, ranging from government assistance to healthcare to licensing.

The act would be a step forward but wouldn't completely address the needs of the public and private sectors. Rep. Foster notes that the bill would primarily address the government's need for digital identity, paying less attention to issues (e.g., transaction friction, fraud) facing enterprises and consumers. For that reason, the Biden administration must take a broader, holistic approach to digital identity, eliminating the data siloing that would make future digital IDs unnecessarily purpose-specific.

Any weakness in such a system would allow bad actors to access sensitive data and impersonate customers, resulting in fraudulent requests for government services, credit cards, loans, or licenses. Implementing a secure, robust digital identity system is critical: scammers created over 145,000 suspicious domain registrations last year targeting recipients of stimulus checks, exploiting security gaps to intercept other people's money.

The Biden administration should consider the United Kingdom, which is already making strides in developing a digital identity framework. The UK framework spans public and private organizations and includes a system for "vouching," allowing officially licensed local authority figures such as accountants, government officers, and even teachers to vouch for or confirm an individual's identity. A properly developed US framework would meet the security needs of various organizations without unnecessary friction for end users.

It's About the Who and How, Not the What and Where
Digital transformation across commerce has enabled bad actors to capitalize on security gaps in online transactions. 2020 saw more than 1.3 million identity theft cases — a 113% increase — in which bad actors used readily available information (e.g., Social Security numbers) to target individuals.

Tempting as it may be to avoid linking biometric data to digital identity, the opposite approach is instrumental to securing and authenticating future transactions. Historically, fingerprints were required only for fighting crime and licensing certain professionals; however, within the past decade, fingerprint scanning became so ubiquitous in consumer devices that even 3D facial scanning now seems standard. It's time to determine what should be part of one's digital identity, with an eye toward modern realities instead of past theoretical concerns.

The US framework should incorporate basic biometrics and, with appropriate consents and disclosures, can even incorporate patterns from past interactions as an additional security layer. Imagine a hospital expediting your registration because your ID thoroughly confirms who you claim to be, or an ATM applying greater scrutiny to a potentially fraudulent withdrawal because the fraudster using your ID didn't follow your withdrawal patterns.

As long as privacy and data security are prioritized, using voluntarily opted-in biometric data is superior to a framework relying on cookies and constant surveillance. A digital identity framework powered by biometrics and a legitimate identity verification system will make it extremely difficult, if not virtually impossible, for bad actors to impersonate others without being flagged.

Making Digital Identity a Reality
The government and technology sectors have not been in sync for years, resulting in severe security gaps and outdated infrastructures. Though horrific, the SolarWinds data breach was the catalyst for long-needed public and private sector data-security changes, making a nationwide digital identity framework more feasible.

With the American Rescue Plan Act passed and the Improving Digital Identity Act pending, funding is available to start implementing solutions. At this point, the only questions are how and when the federal government will move forward on important digital identity initiatives.

The private sector will need to keep applying pressure, including by identifying digital identity management and authentication solutions. At a high level, the administration should consider feedback on improving security and reducing fraud from CIOs and CISOs at large enterprises — including corporations damaged by the SolarWinds data breach — as well as from innovative startups. A winning solution will be acceptable not only to government officials but also to businesses of all sizes and the general public.

Until the federal government actively deploys a digital identity system, bad actors will continue to exploit weaknesses in the outdated current identity system. Beyond federal impacts, annual private sector damage will continue to be measured in billions of dollars, and state agencies will continue to be targets of benefits fraud and other identity-related crimes.

Thankfully, the broad frameworks, specific principles, and advanced technologies required to securely digitize identities are all within our grasp. It's now just a matter of seizing this opportunity to move public and private cybersecurity forward.

Hal leads the strategy and expansion of Callsign's Intelligence Driven Authentication in the United States. Previously, Hal was a Senior Director at Early Warning, where he was responsible for developing authentication solutions to protect financial institutions from the ...