In its new cybersecurity strategy, the White House says a digital identity (ID) ecosystem could bring new opportunities for digital contracts and payment systems to the United States.
Last week, the Biden administration released the national cybersecurity strategy to build “a safe and secure digital ecosystem for all Americans”.
One of the five pillars of the new strategy is investing in a “resilient future”, which includes the objective to support the development of enhanced digital ID solutions and infrastructure.
“Today, the lack of secure, privacy-preserving, consent-based digital identity solutions allow fraud to flourish, perpetuates exclusion and inequity, and adds inefficiency to our financial activities and daily life,” the document says.
Identity theft is one of the most common types of fraud in the United States.
Research firm Javelin estimates that identity theft led to financial losses of $24bn in 2021, affecting around 15m US consumers. Other reports indicate that one-third of Americans have encountered some kind of identity theft attempt in their lives.
The White House argues that operating independently, neither the private nor the public sectors have been able to solve this problem.
The administration therefore encourages investments in verifiable digital ID solutions that “promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth”.
These efforts will include strengthening the security of digital credentials, providing attribute and credential validation services, conducting foundational research, and updating standards and governance processes to support adoption and interoperability.
The commitment to upgrading and investing in a national set of cybersecurity policies is welcome news for the United States, according to Shaz Khan, CEO and co-founder of Vroozi.
The strategy follows the increase of major cyber-attacks that blocked key public services in the US in recent years and builds on efforts dating back to the Obama and Trump administrations.
According to Khan, these incidents, which are only expected to increase in volume and intensity, have proven that the existing identity system and cybersecurity standards are “antiquated and provide easy on-ramps to perpetuate fraud, hold financial institutions hostage, and damage critical infrastructure”.
Therefore, the need for a US digital ID system is getting more pressing by the year.
In 2019, Kenneth Blanco, director of the Treasury’s Financial Crime Enforcement Network (FinCEN), warned that “the abuse of personally identifiable information and other building blocks of identity is a key enabler behind much of the fraud and cybercrime impacting the United States today”.
More recent analysis by FinCEN found that of the 3m plus suspicious activity reports (SARs) filed with the agency in 2021, “the majority include reference to potential breakdowns in the identity verification process”.
Last year, members of Congress introduced bipartisan legislation across both houses of Congress to improve digital identity verification and increase privacy protections and private-public collaboration. Although the bill did not make it to the floor, several trade groups expressed their support for it.
Among those, the Bank Policy Institute (BPI) emphasised that knowing “who is on the other side” of a transaction is critical in many services, including banking, government and e-commerce.
“The lack of an easy, secure, reliable way for entities to verify identities of people they are dealing with online creates friction in commerce, leads to increased fraud and theft, degrades privacy, and hinders the availability of many services online,” the BPI added.
Shifting liability from people to software firms
A key part of the strategy is to shift the burden for cybersecurity away from individuals, small businesses and local governments to software makers.
By doing so, the administration aims to place liability “where it will do the most good”, acting national cyber director Kemba Walden said in a press briefing.
She explained that shifting liability will be a long-term process which begins with working with the industry to establish what better software development practices look like and to implement those.
The administration will also work with the private sector and Congress to develop legislation that establishes liability for software products and services.
Khan welcomed the administration’s plans to engage with the private sector.
“Software companies in the private sector have a critical role in having a seat at the table with the federal government to not only learn about cybersecurity defense tactics but also contribute to new areas of innovation that can help the United States take a leadership position in the New World Digital age.”