While data breaches and ransomware attacks kept the cybersecurity industry preoccupied last year, the scope of the SolarWinds data breach far surpassed common exploits, garnering mainstream and social media attention. The breach impacted several of the country's largest technology companies, including Cisco, Microsoft, and NVIDIA, as well as the US Departments of Commerce, Homeland Security, and Treasury. This incident prompted President Joe Biden to quickly sign the American Rescue Plan Act into law, prioritizing cybersecurity and allocating $2 billion to modernize the country's digital infrastructure.
The Biden administration has promised to broadly improve digital security, monitoring, and response times, with the establishment of a modern "digital identity" system being of particular importance. A digital identity system compiles specific information, such as proof of age, passport number, and basic health and financial data, into one "card" that resides on your phone, backed with biometric security.
By using recent European regulations as a foundation to secure individuals' data and link it to their digital identity, the federal government could close the security gaps that have historically led to fraud. Digital identity authentication would be faster, more accurate, and more useful than manually checking physical ID cards, accelerating public and private sector transactions.
A Holistic Approach to Digital Identity
Digital identity has already gained bipartisan support on Capitol Hill. In 2020, Representatives Bill Foster (D-IL) and John Katko (R-NY) introduced the Improving Digital Identity Act, designed to establish a nationwide approach to improving digital identity. Now, the Biden administration plans to leverage digital identity for modernization of public services, ranging from government assistance to healthcare to licensing.
The act would be a step forward but wouldn't completely address needs in the public and private sectors. Rep. Foster notes that the bill would primarily address the government's need for digital identity, paying less attention to issues (e.g., transaction friction, fraud) facing enterprises and consumers. That said, the Biden administration must take a broader, holistic approach to digital identity, eliminating data siloing that would make future digital IDs unnecessarily purpose-specific.
Any error would allow bad actors to access sensitive data and impersonate customers, resulting in fraudulent requests for government services, credit cards, loans, or licenses. Implementing a secure, robust digital identity system is critical as scammers created over 145,000 suspicious domain registrations last year targeting recipients of stimulus checks, exploiting security gaps to intercept another person's money.
The Biden administration should consider the United Kingdom, which is already making strides in developing a digital identity framework. The UK framework spans public and private organizations and includes a system for "vouching," allowing officially licensed local authority figures such as accountants, government officers, and even teachers to vouch for or confirm an individual's identity. A properly developed US framework would meet the security needs of various organizations without unnecessary friction for end users.
It's About the Who and How, Not the What and Where
Digital transformation across commerce has enabled bad actors to capitalize on security gaps in online transactions. 2020 saw more than 1.3 million identity theft cases — a 113% increase — where bad actors used available information (e.g., Social Security) to target individuals.
Tempting as it may be to avoid linking biometric data to digital identity, the opposite approach is instrumental to securing and authenticating future transactions. Before, fingerprints were required only for fighting crime and licensing certain professionals; however, within the past decade, fingerprint scanning became so ubiquitous in consumer devices that even 3D facial scanning seems standard nowadays. It's time to determine what should be part of one's digital identity, with an eye toward modern realities instead of past theoretical concerns.
The US framework should incorporate basic biometrics and, with appropriate consents and disclosures, can even incorporate patterns from past interactions as an additional security layer. Imagine a hospital expediting your registration because your ID thoroughly confirms who you claim to be, or an ATM applying greater scrutiny to a potentially fraudulent withdrawal because the fraudster using your ID didn't follow your withdrawal patterns.
As long as privacy and data security are prioritized, using voluntarily opted-in biometric data is superior to a framework relying on cookies and constant surveillance. A digital identity framework powered by biometrics and a legitimate identity verification system will make it extremely difficult, if not virtually impossible, for bad actors to impersonate others without being flagged.
Making Digital Identity a Reality
The government and technology sectors have not been in sync for years, resulting in severe security gaps and outdated infrastructures. Though horrific, the SolarWinds data breach was the catalyst for long-needed public and private sector data-security changes, making a nationwide digital identity framework more feasible.
With the American Rescue Plan Act passed and the Improving Digital Identity Act pending, funding is available to start implementing solutions. At this point, the only questions are how and when the federal government will move forward on important digital identity initiatives.
The private sector will need to keep applying pressure, including identifying digital identity management and authentication solutions. At a high level, the administration should consider feedback on improving security and reducing fraud from CIOs and CISOs at large enterprises — including corporations damaged by the SolarWinds data breach — as well as innovative startups. A winning solution will be acceptable not only to government officials but also to businesses of all sizes and the general public.
Until the federal government actively deploys a digital identity system, bad actors will continue to exploit weaknesses in the outdated current identity system. Beyond federal impacts, annual private sector damage will continue to be measured in billions of dollars, and state agencies will continue to be targets of benefits fraud and other identity-related crimes.
Thankfully, the broad frameworks, specific principles, and advanced technologies required to securely digitize identities are all within our grasp. It's now just a matter of seizing this opportunity to move public and private cybersecurity forward.