Bipartisan members of the House recently introduced legislation that would require the government to drastically modernise the United States’ digital identity infrastructure. The bill creates the Improving Digital Identity Task Force to establish a government-wide effort to develop secure methods for governmental agencies to validate identity attributes, both to protect the privacy and security of individuals and to support reliable, interoperable digital identity verification in the public and private sectors.
The National Institute of Standards and Technology (NIST) shall develop and periodically update a framework of standards, methodologies, procedures, and processes as a guide for federal, state, and local governments to follow when providing services to support digital identity verification. The Department of Homeland Security (DHS) shall award grants to states to upgrade systems that provide drivers’ licenses or other types of identity credentials to support the development of highly secure, interoperable state systems that enable digital identity verification.
At the same time, lawmakers are calling on the Office of Management and Budget to examine the feasibility of a federal governmentwide digital identity verification system. A draft version of the Senate infrastructure bill included $500 million for the Department of Labor to institute a grant fund to supply states with digital identity proofing tools that are compliant with the National Institute of Standards and Technology to combat fraud in unemployment insurance benefits.
These efforts are long overdue. Unfortunately, the absence of secure, accessible, interoperable digital credentials increases security vulnerabilities, encourages online fraud and inhibits the expansion of digital public services. As agencies await federal guidance and standards, here are three things they can do now to ramp up their safeguards and begin to fix the nation’s “lagging” digital verification system.
If account credentials, such as a username, email address and password, are breached, federal IT administrators must know as soon as possible. Widely available on the dark web, credentials are one of the most sought-after data types by hackers.
When a single email account is compromised or taken over, a hacker can access sensitive data, initiate social engineering attacks, propagate spam and malware and move laterally across an agency network. And, because most people use the same credentials for multiple systems, threat actors can easily use the same username and password to breach mission-critical applications. To stay one step ahead of credential leaks, agencies must continuously monitor their email domains for exposure.
Enforce agency-wide access controls
Protecting every network endpoint with a digital verification mechanism would seem a logical approach to safeguarding federal systems. However, a lack of resources, funds and time means tools such as multifactor authentication are often reserved for critical entry points. But as the network perimeter widens and digital ecosystems expand to include cloud-hosted data, applications and services, agencies must prioritise checks and balances to ensure users can prove their identity.
Agencies can also better secure their growing network perimeter and cloud-based applications by layering in emerging technologies like secure access service edge. SASE is a cloud service that converges security and network technologies into a single platform. Taking a zero-trust approach, SASE prevents unauthorised access by layering security on top of the network. Using defined policies, SASE dynamically approves or denies access, eliminating the need for multiple point security technologies.
Focus on public-private partnerships
Building the government’s digital ID infrastructure also requires a collective effort. As malicious actors increasingly look to take advantage of the nation’s digital dependencies, a successful defence will require enhanced levels of public-private partnership.
This collective defence approach is being encouraged by the White House, whose Executive Order on Improving the Nation’s Cybersecurity calls for the private sector to partner with the federal government to foster a more secure cyberspace. What this partnership will look like is to be determined, but the executive order is an important step toward achieving a collective defence posture.