10:00 AM
Hal Granoff

How the Biden Administration Can Make Digital Identity a Reality

A digital identity framework is the answer to the US government's cybersecurity dilemma.

While data breaches and ransomware attacks kept the cybersecurity industry preoccupied last year, the scope of the SolarWinds data breach far surpassed common exploits, garnering mainstream and social media attention. The breach impacted several of the country's largest technology companies, including Cisco, Microsoft, and NVIDIA, as well as the US Departments of Commerce, Homeland Security, and Treasury. This incident prompted President Joe Biden to quickly sign the American Rescue Plan Act into law, prioritizing cybersecurity and allocating $2 billion to modernize the country's digital infrastructure.

The Biden administration has promised to broadly improve digital security, monitoring, and response times, with the establishment of a modern "digital identity" system being of particular importance. A digital identity system compiles specific information, such as proof of age, passport number, and basic health and financial data, into one "card" that resides on your phone, backed with biometric security.


By using recent European regulations as a foundation to secure individuals' data and link it to their digital identity, the federal government could close the security gaps that have historically led to fraud. Digital identity authentication would be faster, more accurate, and more useful than manually checking physical ID cards, accelerating public and private sector transactions.

A Holistic Approach to Digital Identity
Digital identity has already gained bipartisan support on Capitol Hill. In 2020, Representatives Bill Foster (D-IL) and John Katko (R-NY) introduced the Improving Digital Identity Act, designed to establish a nationwide approach to improving digital identity. Now, the Biden administration plans to leverage digital identity for modernization of public services, ranging from government assistance to healthcare to licensing.

The act would be a step forward but wouldn't completely address needs in the public and private sectors. Rep. Foster notes that the bill would primarily address the government's need for digital identity, paying less attention to issues (e.g., transaction friction, fraud) facing enterprises and consumers. That said, the Biden administration must take a broader, holistic approach to digital identity, eliminating data siloing that would make future digital IDs unnecessarily purpose-specific.

Any error would allow bad actors to access sensitive data and impersonate customers, resulting in fraudulent requests for government services, credit cards, loans, or licenses. Implementing a secure, robust digital identity system is critical as scammers created over 145,000 suspicious domain registrations last year targeting recipients of stimulus checks, exploiting security gaps to intercept another person's money.

The Biden administration should consider the United Kingdom, which is already making strides in developing a digital identity framework. The UK framework spans public and private organizations and includes a system for "vouching," allowing officially licensed local authority figures such as accountants, government officers, and even teachers to vouch for or confirm an individual's identity. A properly developed US framework would meet the security needs of various organizations without unnecessary friction for end users.

It's About the Who and How, Not the What and Where
Digital transformation across commerce has enabled bad actors to capitalize on security gaps in online transactions. 2020 saw more than 1.3 million identity theft cases — a 113% increase — where bad actors used available information (e.g., Social Security) to target individuals.

Tempting as it may be to avoid linking biometric data to digital identity, the opposite approach is instrumental to securing and authenticating future transactions. Before, fingerprints were required only for fighting crime and licensing certain professionals; however, within the past decade, fingerprint scanning became so ubiquitous in consumer devices that even 3D facial scanning seems standard nowadays. It's time to determine what should be part of one's digital identity, with an eye toward modern realities instead of past theoretical concerns.

The US framework should incorporate basic biometrics and, with appropriate consents and disclosures, can even incorporate patterns from past interactions as an additional security layer. Imagine a hospital expediting your registration because your ID thoroughly confirms who you claim to be, or an ATM applying greater scrutiny to a potentially fraudulent withdrawal because the fraudster using your ID didn't follow your withdrawal patterns.

As long as privacy and data security are prioritized, using voluntarily opted-in biometric data is superior to a framework relying on cookies and constant surveillance. A digital identity framework powered by biometrics and a legitimate identity verification system will make it extremely difficult, if not virtually impossible, for bad actors to impersonate others without being flagged.

Making Digital Identity a Reality
The government and technology sectors have not been in sync for years, resulting in severe security gaps and outdated infrastructures. Though horrific, the SolarWinds data breach was the catalyst for long-needed public and private sector data-security changes, making a nationwide digital identity framework more feasible.

With the American Rescue Plan Act passed and the Improving Digital Identity Act pending, funding is available to start implementing solutions. At this point, the only questions are how and when the federal government will move forward on important digital identity initiatives.

The private sector will need to keep applying pressure, including identifying digital identity management and authentication solutions. At a high level, the administration should consider feedback on improving security and reducing fraud from CIOs and CISOs at large enterprises — including corporations damaged by the SolarWinds data breach — as well as innovative startups. A winning solution will be acceptable not only to government officials but also businesses of all sizes and the general public.

Until the federal government actively deploys a digital identity system, bad actors will continue to exploit weaknesses in the outdated current identity system. Beyond federal impacts, annual private sector damage will continue to be measured in billions of dollars, and state agencies will continue to be targets of benefits fraud and other identity-related crimes.

Thankfully, the broad frameworks, specific principles, and advanced technologies required to securely digitize identities are all within our grasp. It's now just a matter of seizing this opportunity to move public and private cybersecurity forward.

Hal leads the strategy and expansion of Callsign's Intelligence Driven Authentication in the United States. Previously, Hal was a Senior Director at Early Warning, where he was responsible for developing authentication solutions to protect financial institutions from the ...