Will government embrace a new role in digital ID?

By Chase Gunter

By Chase Gunter

|

As data breaches and identity theft become increasingly regular parts of the news cycle, there is growing support for government taking a lead role in identity proofing. If it does happen, expect to see the Better Identity Coalition's Jeremy Grant showing the way.

two-factor authentication (Sentavio/Shutterstock.com)
 

As data breaches and identity theft become increasingly regular parts of the news cycle, there is growing support for government taking a lead role in identity proofing. If it does happen, expect to see the Better Identity Coalition's Jeremy Grant showing the way.

After the Equifax breach, which included the theft of data on 147 million customers, Congress launched a series of hearings on the subject of individual identity, and Grant, the former head of the Commerce Department's National Strategy for Trusted Identities in Cyberspace, helped form the Better Identity Coalition as a trade group to prod government into taking a more authoritative role in digital identity.

In July, the Coalition put out a blueprint for policymakers, outlining five policy initiatives promoting security and identity verification. Its recommendations included getting the federal government to spend $1 billion over five years in grants to modernize motor vehicle departments to provide ID cards that can digitally validate identities as well as ending the use of the Social Security number as an identifier.

Since releasing its blueprint in July, the Coalition has grown to 18 members -- including Equifax.

"We did a couple double-takes," said Grant. "But whatever happened a year ago, they're still here, and they're actually a pretty important part of the marketplace…. We were pleasantly surprised when they called and said, 'We really like the blueprint you guys put out, and we'd like to be part of the effort to try and advance it,'" he said.

FCW's Chase Gunter sat down with Grant to talk about where government should step in and what an increased government role in digital identity would entail.

This interview has been edited for length and clarity.

FCW: Following the release of the blueprint, where do you see movement or support for the recommendations?

Grant: Things are happening. One, I think the Hill's continuing to look at what do they do on identity. The Equifax breach certainly spurred the hearing in the House Commerce Committee, as well as the one the House Ways and Means Committee had on the future of the Social Security number. We continue to get questions from different parts of the Hill, and you know, this was a think-piece about what the government could do and what should happen.

Two or three weeks after we put out the policy blueprint, the Treasury Department published its FinTech report. [There were] a lot of things in there around identity, echoing the call we had  for the Treasury and the regulators to look at whether there are existing regulations that either explicitly or just through ambiguity are hindering innovation when it comes to identity in this space. They specifically called out the same things that we did around the use of driver's licenses and the fact that the Real ID Act establishes a standard for identity proofing as something that could then be leveraged perhaps, if you could get digital approaches.

I think a lot of the things we're calling for [are] going to take some time. The idea was not to go for moonshots, but that doesn't mean they're all going to be implemented a year from now either.

The Office of Management and Budget put out a draft identity memo from the OMB cyber team back in the spring. I'm told that should be out in the next couple months, and I think even if it's just a draft that comes out, it'll make a number of changes in how the government approaches identity that I think will be meaningful. But I'll be curious to see what changes they make to it as well.

FCW: How much of this do you look to the legislative branch to take on, and what do you think should be done through the executive branch or at the agency level?

Grant: As we've gone through the action plan and tried to figure out where we actually need legislation, and where do things just happen on the executive side, there's really only one area we need legislation. And that would be to create a new grant program focused on DMV modernization with the incentive of turning them into digital identity providers.

There [are] other areas where I think legislation would be helpful, but a lot of it can be done probably more quickly, more efficiently, just working with the agencies.

FCW: In what areas and sectors do you see these changes being most impactful?

Grant: I think financial services is by far where we're getting the most attention. You're seeing this right now with the explosion of FinTech, both driven from startups as well from banks themselves that are making investments in new technology that can change the way we deliver financial services.

And I think you'll find both industry and government alike are both excited by it in that it can deliver services more efficiently.… The flip side is, if you're creating new ways to move money, that can create new ways to launder money, that can be used for terrorist financing. That's a real problem. I think you're seeing, not just in the U.S. but globally, a lot of focus from the regulators on money laundering and bank secrecy and all that, on digital identity because they realize it's going to be hard to get some of the things they want -- the benefits of the technology -- if they don't also have identity technologies underneath it that can enable these kinds of new models of moving money without creating the risks that the financial systems are abused through new channels.

FCW: Is this a systems issue, a business process issue, or what?

Grant: I think it's standards -- standards and regulations, honestly. The U.S. has rules under the Bank Secrecy Act for customer identification. There [are] global things happening as well. The global body that coordinates this [the Financial Action Task Force]. One of our recommendations in the blueprint was that the Treasury engage more on the identity issue. The Treasury said, "Will you come to China and talk to the next FATF meeting about it," which we did in September. My understanding is that the FATF is working on some new language on this topic. They had a big session on digital identity, and essentially their global standards-making body with all the different regulators will put something out that all the different countries will have to implement, too.

FCW: How do you — or do you see — individual identity factoring into something like voting security?

Grant: Certainly on the authentication side. Because anybody who's trying to secure voting infrastructure with passwords or a shared secret like a one-time password is probably setting themselves up considering we've got nation-states coming after those systems.

I got this question a lot when I was back in government. "Oh, so we'll be able to enable digital voting now?" And our take was no. My personal view is -- and look, we've seen it the past couple years -- our election infrastructure is such a juicy target that even if you solved the identity level, there's still so many other ways that people could come after it, that identity alone doesn't enable you to start doing e-balloting in a way that's going to be secure.

That said, it's certainly key element of the infrastructure. If we can solve identity and the seven other problems we would need to do that, we could potentially do something. But I wouldn't just say, "I have a certificate on my phone, great, now I can cast votes digitally." We don't know how to secure those things yet.

NEXT STORY: DHS risk center wants to revolutionize cyber response, but first it must get organized

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.