White House: Government Identity Verification Tools Aren’t Meeting The Threat
The order comes as personal information that organizations once used to verify people is increasingly available online.
The White House issued a mammoth directive ordering agencies to update their identity verification policies, but the document mostly outlines agency responsibilities and includes no firm deadlines.
The Friday order on “Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management” comes as hackers are increasingly using identifying information that’s publicly available on social media, through data breaches and elsewhere to con their way into private and corporate email accounts and other private systems.
In 2015 and 2016, for example, teenage hackers compromised the personal email accounts of CIA Director John Brennan and Director of National Intelligence James Clapper, likely by using information they found online to answer security questions.
Officials fear that criminal or nation-state-backed hackers could use similar tactics to worm their way into government computer networks and compromise sensitive information.
Increasingly, government agencies and other organizations are requiring multiple factors before a user can access a system. Those factors might include a password, a physical card with a barcode or computer chip, a unique code texted to a smartphone or a biometric identifier, such as a fingerprint.
In its broadest strokes, Friday’s order directs agencies to update their identity verification policies to match the current threat, designate a team to keep those policies updated and streamline the reporting process for how agencies and employees are adhering to those policies.
The order also describes efforts to share identity verification services between agencies and promotes verification tools that are based on vetted, open source software that can be easily replaced if a superior product enters the market.
Much of the directive also applies to citizens who must verify their identities to access government websites and services.
The White House Office of Management and Budget also published the policy on the code-sharing website GitHub, where people can comment on it and suggest edits.