Digital Identity Is a National Security Issue


In 2007, I was overseeing the delivery of millions of state-of-the-art identification cards for the federal government. These cards with embedded chips ensured that, for the first time, 90 percent of federal agencies had smart card technology to comply with a White House directive known as Homeland Security Presidential Directive 12. Today, those cards are still largely provisioned via contracts I originally signed with various U.S. government agencies.

The directive, based on the “common access card” framework created within the U.S. Department of Defense, was intended to give the U.S. government a process whereby all employees and contractors could use bona fide credentials verified with biometrics embedded in the card to access government computer networks and enter government buildings. Communications and data on systems controlled by this infrastructure would be encrypted and automatically secured using public key infrastructure.

This high level of assurance made it difficult for U.S. adversaries to successfully penetrate networks or facilities, but it did not live up to its “common access” moniker. Just like in the Defense Department, where credentialing was fragmented across the military services, the civilian agencies took varying routes to compliance with Homeland Security Presidential Directive 12. Some, like the Department of Homeland Security, ran things in-house under a chief information officer, while others used shared service contracts through the General Services Administration.

As I issued those first cards in 2007, a consumer tech revolution unfolded in parallel. That same year, the first iPhone was released, and Facebook saw a fourfold increase in users to 50 million. Since that mobile and social media revolution, technology has transformed identity in our daily lives through varying biometrics like facial recognition, license plate scanning, real-time location services on connected devices, and AI and machine learning tools to monitor behavior online.

With these technologies in place, almost every person in America can be identified by their patterns of movement, credit card use, and digital devices. Identity is thus available and readily used by businesses and by fraudsters, be they common criminals or sophisticated organizations and nation-states. But most citizens have little connection to, or understanding of, this new world of digital identity, and it puts them at risk every day.

An American’s identity is stolen almost once every minute, and, according to the Federal Trade Commission, 2020 saw an increase of almost 3,000 percent in cases of citizens’ information being used fraudulently to apply for government benefits. What’s worse, the role of identity theft by countries such as China, as seen in the 2014 Office of Personnel and Management breach, makes it clear U.S. adversaries view acquiring Americans’ identities as an intelligence asset objective.

Despite all this, the U.S. government sees digital identity as a back-burner issue. The United States needs to start treating identity as core to national security. The key steps the Biden administration and Congress can take include centralizing the focus and prioritization of digital identity across the government, legislating privacy and security by organizations that hold Americans’ personal identifiable information, and using existing infrastructure to build a national center of excellence for digital identity.

Identity as a Counter-Intelligence Challenge

The 2014 Office of Personnel and Management breach represented a counter-intelligence disaster for the United States. China stole 21.5 million records and gained access to information on 19.7 million individuals who applied for background investigations with the federal government. In short, Beijing acquired invaluable private information (e.g., mental health history, financial data, addresses, and social security numbers) of millions of Americans charged with guarding the country’s secrets. Through this breach, China — and possibly others — has at its disposal digital identity information that could help it recruit U.S. officials to spy on America.

The breach should serve as a broader warning to the United States in that the acquisition of personal identifiable information is an ideal source to ensnare the thought leaders within the most sensitive of industries. As we consider how diffuse our digital personal information has become, it has become clear that the sources from which U.S. adversaries can choose are many. All it takes is to identify the weakest tender brick and exploit it. The lack of organization has offered many bricks to choose from.

Getting Organized

The U.S. government could bring coherence to the bureaucratically Balkanized identity management world by putting identity square in the White House. Today, the tender bricks of Americans’ digital identities sit in several different agencies, be it the Social Security Administration, Health and Human Services, Internal Revenue Service, or Department of Education. Each of them applies different standards and practices or infrastructure protection to Americans’ digital identities. Within the federal community itself, agencies, while meeting the directives of Homeland Security Presidential Directive 12, still utilize varying and independent infrastructures to provide services that could benefit from better alignment under more effective shared services.

The ability to provide best-practice digital identity has largely rested on historic and current unfunded White House memoranda on managing identity within agencies. A woefully out-of-date National Institute of Standards and Technology special publication on digital identity practices only compounds this problem. As an example, the latest finalized publication was issued in 2017. Since this time, there has been an explosion of new technologies, such as behavioral biometrics, being used at scale in organizations across America.

While standards publications are meant to adjust to changing technology, in the case of the National Institute of Standards and Technology, the lack of recognition of new technologies has limited the government to legacy commercial solutions. The ability to use, or even test or pilot, such technologies is curtailed because many agencies follow a practice of Federal Risk and Authorization Management Program certification even before pilot implementation.

This mentality further manifests itself in the ongoing use of outdated technology tools. A 2019 report by the Government Accountability Office criticized the Social Security Administration, U.S. Postal Service, and Centers for Medicaid and Medicare — key organizations that hold the crown jewels of citizen identity — for using discredited technologies. For instance, the report cites the use of knowledge-based authentication — which asks questions to determine if the respondent is in fact the actual person — as an example of a technology or process which does not sufficiently protect someone’s digital identity. While some of the identified organizations outlined steps to move from ineffective digital identity tools, the Centers for Medicare and Medicaid Services defended its ongoing use.

Attempts by the U.S. government to innovate are often small, like the start-up investments by the Department of Homeland Security Silicon Valley Innovation Program. This program, although well-meaning, places limits of $800,000 over a two-year period to incubate actual technologies. When compared to the funding available via venture capital and angel investors in the private sector, these levels of funding are only meaningful to companies squarely focused on the federal market. But most innovation is done with a business-to-business focus, where going to market is faster and profit margins are far higher. The Department of Homeland Security rarely seems to connect with some of the most innovative firms. Further, should the department find suitable technologies, there is no real framework to move highly limited pilot technologies into properly scaled initiatives that can meet national needs.

Attempts to legislate a more strategic approach to identity have also been failing. The Improving Digital Identity Act of 2020, which would have established a White House identity task force made up of federal agencies, Congress, and state and local government officials, did not progress through Congress. However, even innovative legislation like this reinforced stovepipes by leaving the Department of Defense on its own for identity management. A more appropriate approach would be to include the Department of Defense as part of a legislative approach to identity writ large under a modernized and broader Privacy Act.

The Domestic Policy Council, now led by former National Security Adviser Susan Rice, is well positioned to coordinate and rationalize this hodgepodge of actors and programs and to guide new legislation. Giving digital identity prominence and staffing at the White House, including a digital identity “czar,” as well as pulling together its traditional guardians — the National Institute for Standards and Technology, General Services Administration, Department of Homeland Security, and Department of Defense — can be a first step toward a new approach.

Further, clear mandates on the part of the Domestic Policy Council to force agencies to modernize their digital infrastructure should focus on entities that routinely require Americans to provide some of their most sensitive digital identifiers. Such agencies include the Internal Revenue Service, Centers for Medicare and Medicaid Services, Social Security Administration, and Veterans Affairs, amongst others.

In terms of protection and safety, the Domestic Policy Council should leverage its traditional identity guardians alongside the Office of Management and Budget to look at how the United States can use national footprints such as the U.S. Postal Service to provide more robust enrollment processes beyond the current U.S. passport. There are no shortages of government-to-citizen services that require strong digital identity where most Americans can easily get to.

Identity as Safety and Security

From banks to dentist offices, Americans share personal identifiable information in insecure ways millions of times a day. Organizations that hold and manage personal identifiable information, such as biometrics and social security numbers, should function under best practices of privacy, use, and authentication to ensure the digital identities of Americans stay safe. The government should approach digital identity more like the safety of highways, railways, and airplanes.

Such a “safety first” framework for identity could include an optional federally guaranteed identity beyond the current RealID effort coordinated among states. This could replace the widespread and dangerous use of social security numbers. Just as using Apple or Google Pay creates a one-time token and no risk to your credit card number, a modern identity tool would “tokenize” sensitive information, use it only for a specific transaction, and then revoke access to that information. Another goal would be the creation of systems for differentiated levels of security based on a given situation. For example, identity verification should be less rigorous when joining the public library than when boarding a plane.

And breaches of identity, especially large-scale breaches with systemic implications, should be analyzed by technocratic professionals with the power to investigate and issue binding directives, much like the National Transportation Safety Board.

At a state government level, key agencies should receive robust federal support for best-in-class digital identity. As a start, states have been extremely slow to create an interoperable ecosystem for mobile driver’s licenses, even though there are clear international standards for driver’s licenses. Driver’s licenses are the cornerstone of America’s national identity system, but the country cannot afford to repeat the failure of the Real ID Act, a well-meaning federal law that has taken over 15 years to partially implement. These delays have largely been due to a combination of resistance by the states themselves, mainly for funding and infrastructure reasons.

While the federal government has now recognized the acceptability of mobile driver’s licenses, it should also look to fast-tracking, via the states, the capacity of one state to authenticate another state’s driver’s license. Private sector providers could handle this capability. By using this process, the ability to safely roll out digital interoperable identity would receive a significant and safe enhancement to providing services such as voting, unemployment benefits, Medicaid programs, and much more.

A Collaborative Mission

The federal government should create a Digital Identity Center to work with the private sector and state and local governments to rapidly identify and support new digital identity technologies. Doing so would strengthen America’s cyber security posture and advance the country’s counter-intelligence interests. The center should be arm’s length to the government, allowing for independence, global exposure, and flexibility to meet new challenges. Within the federal community, those entrusted with leadership positions should make use of such a center to adopt an entrepreneur’s mindset.

The new center should directly involve state and local governments via attorneys general and law enforcement to strengthen state-issued digital identities. Organizations such as the National Association of Attorneys General and the National Sheriffs’ Association could support increased awareness and training on the role of digital identity in law enforcement, appropriate commercial use of digital identity, and actions to defend citizens from digital identity theft and malpractice by organizations that fail to protect citizens’ privacy and safety.

Looking Ahead

Secure digital identity is as important to all Americans now as providing secure credentials to U.S. government employees was back in 2008. By elevating digital identity to a national security and counter-intelligence priority, the Biden administration can set in motion several initiatives to keep the country and its secrets safe. The United States should prioritize centralizing digital identity efforts at the White House, creating best practices across agencies, and arming Americans with accountable tools to protect themselves. By doing so, the White House can help build a strong digital infrastructure that is essential to the country’s digital safety, privacy, economy, and democracy.

 

 

Patrick Hearn is chief executive officer of Endeavor Worldwide, an international advisory firm that brings together senior company executives and government leaders with a focus on converged identity management, cybersecurity, and biometrics. Patrick advises one of the largest U.S. government identity programs. The views expressed in this article are those of the author and do not represent the views of his respective institutions.

Image: U.S. Air Force (Photo by Airman 1st Class Andrew J. Alvarado)