Congress, in response to the COVID-19 pandemic, has tasked agencies with distributing hundreds of billions of dollars in emergency relief.
But along the way, agencies have run into challenges verifying the identity of benefit recipients, and fraudsters have exploited gaps in this process, using stolen personal information to obtain pandemic relief.
The increasing scope of these problems led Reps. Bill Foster (D-Ill.), John Katko (R-N.Y.), Jim Langevin (D-R.I.) and Barry Loudermilk (R-Ga.) to introduce the Improving Digital Identity Act last September.
The bill didn’t gain much traction in the House, but Foster, speaking earlier this month at a forum hosted by the Better Identity Coalition, said he plans to re-introduce the bill in order for agencies to establish better practices around identity management.
Foster said the COVID-19 pandemic has demonstrated the inadequacy of agency systems, and said his bill, if passed, would help fix these problems.
“It’s clear that there are many, many points of friction in the federal government’s effort to connect with Americans,” Foster said. “A digital ID would make direct distribution channels seamless to Americans, saving Americans the time and money to help us all move more quickly during economic and health care crises, such as the one we’re in.”
The bill would establish a task force of federal agencies, as well as state and local governments, to develop secure methods to validate identity while keeping privacy and security top priorities.
The bill would also direct the National Institute of Standards and Technology to create a new framework of standards for agencies to follow when providing digital identity verification services.
As a member of the Select Subcommittee on the Coronavirus, Foster said his colleagues will eventually look at how other countries have responded to common challenges, including vaccine distribution.
Countries that have adopted the equivalent of a “digital driver’s license,” Foster said, has helped avoid bottlenecks in vaccine distribution.
“The efficiency of having a unique identifier [is] so you can say, ‘Here is your priority, here’s your place on the priority list.’ If people wish to get contacted, they can be contacted when their area has vaccine available, with a list of places where they can get it, and they can use that same authentication to reserve a place in line to get their vaccine. The countries that have that in place have had a huge advantage in not only vaccines, but in testing,” Foster said.
A stronger digital identity would also curb phishing attempts and ransomware malware attacks, which have grown in scope and sophistication under the pandemic.
Michael Mosier, the deputy director and digital innovation officer for the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), said criminals are increasingly exploiting vulnerabilities in identity systems to commit fraud, cybercrime, and other illicit activities.
Mosier said the agency has seen about 5,000 account takeover reports each month, resulting in about $400 million a month in fraud in the last two months.
Much of the fraud happens when scammers create accounts using stolen credentials. In a COVID-19 cybercrime advisory last summer, FinCEN highlighted that criminals are undermining identity verification processes through identity theft and synthetic identity fraud.
“With billions of compromised credentials exposed online, there’s a high likelihood that many users of the US financial system have had some legacy information compromised at some point,” Moiser said.
Stronger identity also leads to more resiliency in agency programs. Jeremy Grant, a former senior executive advisor for the National Strategy for Trusted Identities in Cyberspace (NSTIC), now the managing director at Venable, said the Trump administration in the early stages of the pandemic effectively ordered a partial government shutdown of citizen-facing services until the agencies could figure out a way to deliver them remotely.
“A lot of these services could have been delivered remotely if America had a robust, trustworthy digital identity infrastructure. We’ve seen federal and state agencies scrambling to figure out how to validate the identities of people who are eligible for new benefits tied to the pandemic, something important to both delivering dollars in a timely fashion and also stopping fraud,” Grant said.
The Office of Management and Budget, in a 2019 memo, tasked the General Services Administration with figuring out how citizens can access their federally held data through APIs.
Phil Lam, GSA’s executive director of identity, said GSA worked with several agencies to pilot that concept, and said the Social Security Administration has made considerable progress toward this goal.
“We as government are providing a lot of benefits to Americans today. In order to facilitate providing that benefit, we need to know who you are, are you eligible for this, to help reduce fraud and theft,” Lam said.
Through Login.gov, GSA provides a common account that enables access across many agencies. The site now has more than 25 million users. Lam said GSA piloted an identity verification product on Login.gov with the Railroad Retirement Board and SBA.
As the capabilities of Login.gov grow, Lam said GSA looks to deliver more capabilities to agency partners, and said agencies should make improving identity services a shared goal across governement.
“It’s a common challenge that requires a common solution set. So getting alignment across the agencies that yes, we’re not that special in terms of this specific challenge area, and thus, would need and desire a common shared platform for this. That’s something that, you know, our office helped drive towards this past year,” Lam said.