Amid all the recent talk of online privacy and personal identity, we must recognize that identity is no longer just about the driver’s license in our wallet. Now, identity includes the data we provide via our interactions with banks, utility providers, educational institutions, e-retailers, social media platforms and the government.
The problem is that much of this information is available for pennies on the dark web, thanks to the endless data breaches that have resulted in more than 13 billion records being stolen since the beginning of 2013. Synthetic identities, built from a combination of real and fabricated identifying details, are proliferating as well.
Yet government agencies continue to rely on this kind of static information to assign and authenticate identity — your name, date of birth, Social Security number, etc., as well as your username and password for their online accounts. They also rely on static information to provide government benefits, manage the tax system and control access to their networks.
This means that a lot of taxpayer money is at risk if this data ends up in the wrong hands. In fact, losses from the Centers for Medicare and Medicaid Services, the IRS, Social Security Administration and other government programs totaled nearly $100 billion in 2016 alone.
In the private sector, losses of this magnitude would result in shareholder revolts, leadership overhauls and screaming headlines across every major media outlet. But when it comes to the government, the response continues to involve hiding behind standards created a decade ago and blaming others for their lack of progress.
Take, for example, the government’s reliance on the National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines. Under these guidelines, risk-based adaptive systems are not considered valid authenticators — even though the private sector has already implemented such systems to separate good actors from bad.
The government is just beginning to recognize and address its oversights and missteps. The White House published a memorandum redefining standards and principles to improve identity management within and outside the federal government. The task now is to reconcile this with NIST’s outdated guidelines.
This is going to mean adopting a risk management perspective, enhancing use by federal agencies of a redefined digital identity and the user credentials derived from it, and going beyond managing access to managing online identity. It will also inevitably mean realigning budgets.
All of this is vital because criminals, who do not base their “business plans” on government rules, will continue to profit by exploiting the current weaknesses in federal standards, namely NIST’s.
A new paradigm is needed
There are ways to fast-track and solve the problems in our system that would actually enhance our government’s service to its citizens. It’s time to take cues from the private sector, where a new concept of digital identity is already a working reality, with dynamic systems that experience significantly lower fraud levels than the federal government’s and deliver a seamless user experience.
Financial institutions use technologies like behavioral analytics (analyzing a user’s journey through their website) and/or artificial intelligence and machine learning embedded in an innovation called behavioral biometrics (analyzing user-device interactions such as mouse movements, scrolling patterns and website familiarity, among thousands of other parameters) to ensure that new credit card and insurance applicants are not using stolen or synthetic identities.
Big banks use behavioral biometrics and analytics, AI and machine learning to ensure people are who they claim to be when accessing their online accounts and to prevent malicious actors from taking over online sessions after a legitimate log-in. These new systems operate “under the hood,” with no disruption to the user’s session, unless their behavior suggests fraud.
For the federal government, this type of digital identity needs to be based on the same kind of seamless and frictionless consumer experience. It needs to be dynamic, not static, and portable, not device- or location-dependent. It needs to incorporate — but not rely upon — unchanging personal attributes, such as our physical and digital footprints. It should profile normal online habits and routine human-device interactions, all the while keeping privacy as a core tenet of its design by maintaining user anonymity on the back end.
This digital identity must also be able to constantly re-calibrate and get smarter over time, just as the criminals do. This kind of modern digital identity is already safeguarding billions of transactions each year on hundreds of millions of smartphones, laptops and other devices in the private sector.
These approaches can, and should, be part of the “zero-trust” mindset being adopted by the Office of Management and Budget (OMB) and by NIST’s Special Publication 800-63-3, a publication that is now two years old and in urgent need of revision.
Some of these approaches are starting to get the green light in government. In mid-June, the Government Accountability Office (GAO) issued a report advising that key citizen-facing agencies strengthen their remote identity proofing processes. GAO also suggested that NIST enhance its work in supporting these efforts. Of note, Health and Human Services — the agency that loses the most money to fraudsters — chose not to follow GAO’s recommendations.
Agencies can now use the doors opened by NIST and OMB to deploy digital identity innovation. OMB has stated categorically that agencies should engage in programs that give NIST, and others, opportunities to review the latest technologies in the spirit of current identity management guidelines and frameworks.
If the government continues to rely on outdated policies and use a static framework of identity, we will continue to accept bad actors stealing taxpayer dollars and allow high levels of monetary and privacy risk to enter our economy. It is imperative that we move beyond static identity and adopt a new digital identity paradigm for the impending data-driven decade.
Patrick Hearn is CEO of Endeavor Worldwide, an international advisory firm that brings together senior company executives and government leaders, with specialty focus in converged identity management, cybersecurity, biometrics and industry 4.0.