Will government embrace a new role in digital ID?

As data breaches and identity theft become increasingly regular parts of the news cycle, there is growing support for government taking a lead role in identity proofing. If it does happen, expect to see the Better Identity Coalition's Jeremy Grant showing the way.

After the Equifax breach, which included the theft of data on 147 million customers, Congress launched a series of hearings on the subject of individual identity, and Grant, the former head of the Commerce Department's National Strategy for Trusted Identities in Cyberspace, helped form the Better Identity Coalition as a trade group to prod government into taking a more authoritative role in digital identity.

In July, the Coalition put out a blueprint for policymakers, outlining five policy initiatives promoting security and identity verification. Its recommendations included getting the federal government to spend $1 billion over five years in grants to modernize motor vehicle departments to provide ID cards that can digitally validate identities, as well as ending the use of the Social Security number as an identifier.

Since releasing its blueprint in July, the Coalition has grown to 18 members -- including Equifax.

"We did a couple double-takes," said Grant. "But whatever happened a year ago, they're still here, and they're actually a pretty important part of the marketplace…. We were pleasantly surprised when they called and said, 'We really like the blueprint you guys put out, and we'd like to be part of the effort to try and advance it,'" he said.

FCW's Chase Gunter sat down with Grant to talk about where government should step in and what an increased government role in digital identity would entail.

This interview has been edited for length and clarity.

FCW: Following the release of the blueprint, where do you see movement or support for the recommendations?

Grant: Things are happening. One, I think the Hill's continuing to look at what do they do on identity. The Equifax breach certainly spurred the hearing in the House Commerce Committee, as well as the one the House Ways and Means Committee had on the future of the Social Security number. We continue to get questions from different parts of the Hill, and you know, this was a think-piece about what the government could do and what should happen.

Two or three weeks after we put out the policy blueprint, the Treasury Department published its FinTech report. [There were] a lot of things in there around identity, echoing the call we had for the Treasury and the regulators to look at whether there are existing regulations that either explicitly or just through ambiguity are hindering innovation when it comes to identity in this space. They specifically called out the same things that we did around the use of driver's licenses and the fact that the Real ID Act establishes a standard for identity proofing as something that could then be leveraged perhaps, if you could get digital approaches.

I think a lot of the things we're calling for [are] going to take some time. The idea was not to go for moonshots, but that doesn't mean they're all going to be implemented a year from now either.

The Office of Management and Budget put out a draft identity memo from the OMB cyber team back in the spring. I'm told that should be out in the next couple months, and I think even if it's just a draft that comes out, it'll make a number of changes in how the government approaches identity that I think will be meaningful. But I'll be curious to see what changes they make to it as well.

FCW: How much of this do you look to the legislative branch to take on, and what do you think should be done through the executive branch or at the agency level?

Grant: As we've gone through the action plan and tried to figure out where we actually need legislation, and where do things just happen on the executive side, there's really only one area we need legislation. And that would be to create a new grant program focused on DMV modernization with the incentive of turning them into digital identity providers.

There [are] other areas where I think legislation would be helpful, but a lot of it can be done probably more quickly, more efficiently, just working with the agencies.

FCW: In what areas and sectors do you see these changes being most impactful?

Grant: I think financial services is by far where we're getting the most attention. You're seeing this right now with the explosion of FinTech, both driven from startups as well as from banks themselves that are making investments in new technology that can change the way we deliver financial services.

And I think you'll find both industry and government alike are both excited by it in that it can deliver services more efficiently.… The flip side is, if you're creating new ways to move money, that can create new ways to launder money, that can be used for terrorist financing. That's a real problem. I think you're seeing, not just in the U.S. but globally, a lot of focus from the regulators on money laundering and bank secrecy and all that, on digital identity because they realize it's going to be hard to get some of the things they want -- the benefits of the technology -- if they don't also have identity technologies underneath it that can enable these kinds of new models of moving money without creating the risks that the financial systems are abused through new channels.

FCW: Is this a systems issue, a business process issue, or what?

Grant: I think it's standards -- standards and regulations, honestly. The U.S. has rules under the Bank Secrecy Act for customer identification. There [are] global things happening as well. The global body that coordinates this [the Financial Action Task Force]. One of our recommendations in the blueprint was that the Treasury engage more on the identity issue. The Treasury said, "Will you come to China and talk to the next FATF meeting about it," which we did in September. My understanding is that the FATF is working on some new language on this topic. They had a big session on digital identity, and essentially their global standards-making body with all the different regulators will put something out that all the different countries will have to implement, too.

FCW: How do you — or do you see — individual identity factoring into something like voting security?

Grant: Certainly on the authentication side. Because anybody who's trying to secure voting infrastructure with passwords or a shared secret like a one-time password is probably setting themselves up considering we've got nation-states coming after those systems.

I got this question a lot when I was back in government. "Oh, so we'll be able to enable digital voting now?" And our take was no. My personal view is -- and look, we've seen it the past couple years -- our election infrastructure is such a juicy target that even if you solved the identity level, there's still so many other ways that people could come after it, that identity alone doesn't enable you to start doing e-balloting in a way that's going to be secure.

That said, it's certainly a key element of the infrastructure. If we can solve identity and the seven other problems we would need to do that, we could potentially do something. But I wouldn't just say, "I have a certificate on my phone, great, now I can cast votes digitally." We don't know how to secure those things yet.