The Trump administration is still deciding what role the federal government should play in identity, credential and access management, and at least one industry association wants it to be a “supporting role.”
In May, the White House updated its ICAM policy to give agencies greater control over how they authenticate network users. The Office of Management and Budget memo directs each agency to create an ICAM oversight structure, strategy and technology roadmap.
But that’s just the “opening chapter,” said Matt Lira, a special assistant to the president at the White House Office of American Innovation.
“This is really one of the fundamental questions of the next generation of what our economy looks like, and the federal government has a major role to play in that,” Lira said Wednesday at a Business Roundtable event in D.C. “But it’s not necessarily a dominant role, and it’s certainly not the only role.”
That same day, BRT — which represents the CEOs of some of America’s leading companies — released an eight-step, short-term action plan for industry-led development of digital identity solutions.
The white paper recommends government reduce dependency on passwords in favor of verified, secure authenticators like mobile apps or biometric sensors on mobile devices. Additionally, BRT advises agencies to move away from identity-proofing solutions that are solely knowledge-based like social security numbers and recognize them as identifiers, not authenticators.
Section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 allows the head of the Social Security Administration to permit other organizations to validate SSNs. And that’s precisely what BRT wants SSA to do.
“What we want to do in the future is create an ecosystem,” said Donna Beatty, executive director of digital identity and authentication at JPMorgan Chase. “An identity service provider can verify information on our behalf.”
In that model, JPMorgan could act as the trustee of a consenting customer’s identity whether they want to book a flight or buy a television — vouching for them instead of them having to show credentials. A phone number the person uses regularly, GPS location and daily ride-sharing or purchasing activity could all factor into the “digital footprint” identity service providers maintain, Beatty said.
SSA can be the test case — if it gets better about partnering with industry to make verification services more consistent, she added.
Now that Congress confirmed Andrew Saul as SSA commissioner in early June, the agency should be more cooperative. Agencies are in various stages of implementing ICAM with most in the middle and Federal Chief Information Security Officer Grant Schneider “leading a process to sort of herd those cats along,” Lira said.
“I want this to be more than a really passionate sprint,” he said. “We want to create the process and relationships that can really see this through in the long term.”
For the process to work, the government needs to improve support for validating identity attributes like driver’s licenses, passports, military IDs, and financial accounts. And that requires improved data sharing from, in particular, the IRS, State Department, Department of Defense, Department of Veterans Affairs, and SSA, according to BRT’s action plan.
BRT suggests validations be “yes-no,” rather than reveal personal information, and identities be federated across agencies so processes like Transportation Security Administration Pre-Check also applies to filling out federal job applications and obtaining benefits.
Some people have as many as 25 identities between the SSA, numerous “subs” like their driver’s license and health care account, and processors, said Kelly Bissell, global security lead at Accenture.
“That’s the major problem that we have, that attack vector if you will,” Bissell said. “The more identities we have, the more availability there is to breach those identities.”
Fraud increases as a result, Beatty said.
Other actions the white paper recommends include government eliminating barriers to tech adoption, establishing a public-private partnership to scale digital identity solutions, enhancing privacy by giving users control of data collection and use, and funding education initiatives around these issues.
CEOs aren’t the only community weighing in on the White House ICAM update, Lira said, with academia and other stakeholders being engaged and a couple “irons in the fire” to be announced later this year or early next.
“We can’t be shifting our policy wildly every two, four, six, eight years on digital identity for us to maximize the security of our people or the economic opportunity of our business community,” he said.