Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Hal Granoff
Hal Granoff
Connect Directly
E-Mail vvv

How the Biden Administration Can Make Digital Identity a Reality

A digital identity framework is the answer to the US government's cybersecurity dilemma.

While data breaches and ransomware attacks kept the cybersecurity industry preoccupied last year, the scope of the SolarWinds data breach far surpassed common exploits, garnering mainstream and social media attention. The breach impacted several of the country's largest technology companies, including Cisco, Microsoft, and NVIDIA, as well as the US Departments of Commerce, Homeland Security, and Treasury. This incident prompted President Joe Biden to quickly sign the American Rescue Plan Act into law, prioritizing cybersecurity and allocating $2 billion to modernize the country's digital infrastructure.

The Biden administration has promised to broadly improve digital security, monitoring, and response times, establishing a modern "digital identity" system of particular importance. A digital identity system compiles specific information, such as proof of age, passport number, and basic health and financial data, into one "card" that resides on your phone, backed with biometric security.

Related Content:

What a Federal Data Privacy Law Would Mean for Consumers

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

By using recent European regulations as a foundation to secure individuals' data and link it to their digital identity, the federal government could close the security gaps that have historically led to fraud. Digital identity authentication would be faster, more accurate, and more useful than manually checking physical ID cards, accelerating public and private sector transactions.

A Holistic Approach to Digital Identity
Digital identity has already gained bipartisan support on Capitol Hill. In 2020, Representatives Bill Foster (D-IL) and John Katho (R-NY) introduced the Improving Digital Identity Act, designed to establish a nationwide approach to improving digital identity. Now, the Biden administration plans to leverage digital identity for modernization of public services, ranging from government assistance to healthcare to licensing.

The act would be a step forward but wouldn't completely address needs in the public and private sectors. Rep. Foster notes that the bill would primarily address the government's need for digital identity, paying less attention to issues (e.g., transaction friction, fraud) facing enterprises and consumers. That said, the Biden administration must take a broader, holistic approach to digital identity, eliminating data siloing that would make future digital IDs unnecessarily purpose-specific.

Any error would allow bad actors to access sensitive data and impersonate customers, resulting in fraudulent requests for government services, credit cards, loans, or licenses. Implementing a secure, robust digital identity system is critical as scammers created over 145,000 suspicious domain registrations last year targeting recipients of stimulus checks, exploiting security gaps to intercept another person's money.

The Biden administration should consider the United Kingdom, which is already making strides in developing a digital identity framework. The UK framework spans public and private organizations and includes a system for "vouching," allowing officially licensed local authority figures such as accountants, government officers, and even teachers to vouch for or confirm an individual's identity. A properly developed US framework would meet the security needs of various organizations without unnecessary friction for end users.

It's About the Who and How, Not the What and Where
Digital transformation across commerce has enabled bad actors to capitalize on security gaps in online transactions. 2020 saw more than 1.3 million identity theft cases — a 113% increase — where bad actors used available information (e.g., Social Security) to target individuals.

Tempting as it may be to avoid linking biometric data to digital identity, the opposite approach is instrumental to securing and authenticating future transactions. Before, fingerprints were required only for fighting crime and licensing certain professionals; however, within the past decade, fingerprint scanning became so ubiquitous in consumer devices that even 3D facial scanning seems standard nowadays. It's time to determine what should be part of one's digital identity, with an eye toward modern realities instead of past theoretical concerns.

The US framework should incorporate basic biometrics, and with appropriate consents and disclosures, can even incorporate patterns from past interactions as an additional security layer. Imagine a hospital expediting your registration because your ID thoroughly confirms who you claim to be or an ATM applying greater scrutiny to a potentially fraudulent withdrawal because the fraudster using your ID didn't follow your withdrawal patterns.

As long as privacy and data security are prioritized, using voluntarily opted-in biometric data is superior to a framework relying on cookies and constant surveillance. A digital identity framework powered by biometrics and a legitimate identity verification system will make it extremely difficult, if not virtually impossible, for bad actors to impersonate others without being flagged.

Making Digital Identity a Reality
The government and technology sectors have not been in sync for years, resulting in severe security gaps and outdated infrastructures. Though horrific, the SolarWinds data breach was the catalyst for long-needed public and private sector data-security changes, making a nationwide digital identity framework more feasible.

With the American Rescue Plan Act passed and the Improving Digital Identity Act pending, funding is available to start implementing solutions. At this point, the only questions are how and when the federal government will move forward on important digital identity initiatives.

The private sector will need to keep applying pressure, including identifying digital identity management and authentication solutions. At a high level, the administration should consider feedback on improving security and reducing fraud from CIOs and CISOs at large enterprises — including corporations damaged by the SolarWinds data breach — as well as innovative startups. A winning solution will be acceptable not only to government officials but also businesses of all sizes and the general public.

Until the federal government actively deploys a digital identity system, bad actors will continue to exploit weaknesses in the outdated current identity system. Beyond federal impacts, annual private sector damage will continue to be measured in billions of dollars, and state agencies will continue to be targets of benefits fraud and other identity-related crimes.

Thankfully, the broad frameworks, specific principles, and advanced technologies required to securely digitize identities are all within our grasp. It's now just a matter of seizing this opportunity to move public and private cybersecurity forward.

Hal leads the strategy and expansion of Callsign's Intelligence Driven Authentication in the United States. Previously, Hal was a Senior Director at Early Warning, where he was responsible for developing authentication solutions to protect financial institutions from the ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file