Improving the Digital Identity Act of 2020

April 13, 2021

  • While there is no real “universal” US citizen identification number, the use of the Social Security number (SSN) has been adopted by most financial/credit industries as that identifier.
  • The use of stolen SSNs to commit fraud has become a very expensive and vexing concern. Not only does it cause unnecessary remediation efforts but it also causes financial losses in the billions.
  • A bipartisan group of House members is trying to address the problem by establishing the framework for a US-based identification system. H.R. 8215, which was introduced in the 116th Congress in September 2020, seeks to create this new identity system.

 


The establishment of a universal identity system hasn’t been a popular idea, which is why we now have the Social Security number as a de facto identifier. This was never intended to be the case: its original purpose was to identify members within the Social Security system.

 

H.R. 8215 will affect more than just the financial sector if fully adopted. The legislation will not only affect federal identification, but state and local as well. What exactly is this bill trying to do? The main sections of the bill essentially establish groups consisting of federal, state and local leadership to define a framework that can be used to create a universal digital identity. They will all report to a director appointed by the President.

 

These groups are tasked with the following:

 

(f) DUTIES.—The Task Force shall—
(1) identify Federal, State, and local agencies that issue identity information or hold information related to identifying an individual;
(2) assess restrictions with respect to the abilities of such agencies to verify identity information for other agencies and for nongovernmental organizations;
(3) assess any necessary changes in statute, regulation, or policy to address any restrictions determined under paragraph (2);
(4) recommend a standards-based architecture to enable agencies to provide services related to digital identity verification in a way that is secure, protects privacy, and is rooted in consumer consent;
(5) identify funding or resources needed to support such agencies that provide digital identity verification, including a recommendation with respect to additional funding required for the grant program under section 5;
(6) determine whether it would be practicable for such agencies to use a fee-based model to provide digital identity verification to private sector entities;
(7) determine if any additional steps are necessary with respect to Federal, State, and local agencies to improve digital identity verification and management processes for the purpose of enhancing the security, reliability, privacy, and convenience of digital identity solutions that support and protect transactions between individuals, government entities, and businesses;
(8) assess risks related to potential criminal exploitation of digital identity verification services; and
(9) to the extent practicable, seek input from and collaborate with interested parties in the private sector to carry out the purpose under subsection (b).
(g) RECOMMENDATIONS.—Not later than 180 days after the date of the enactment of this Act, the Task Force shall publish a report on the activities of the Task force, including recommendations on—
(1) priorities for research and development in the systems that enable digital identity verification, including how such priorities can be executed; and
(2) the standards-based architecture developed pursuant to subsection (f)(4).

 

While the bill is mostly about planning and reporting, other provisions are binding for federal agencies and will dictate enforcement of NIST 800-63 and other security enhancements.

 

 

True Impact

If the bill is enacted, task force members will be responsible for creating a universal digital identity for US citizens. With this in mind, let’s do a little thought experiment.

 

A true universal ID means a complete retooling of any system that uses SSNs as a federal identifier. For example, when filing state taxes, the use of a Social Security number is often part of that process. Once we remove the SSN from the equation for federal identification, credit bureaus and other agencies will still need a valid way to identify individuals.

 

A universal identification can be mishandled and abused, especially if everything about the individual is tied to the same number. The SSN is currently used for employment records as well as other non-government / financial purposes. These business systems would require updates and potentially new technology to accommodate the federal standard. The amount of time and money required to implement the program wouldn’t be trivial and it could affect other security or risk deployments. While many systems no longer use SSNs as proof of identity, there are still times when a portion of the social is in use. Those systems would also be affected by this new standard.

 

As an example, national ID programs start out by being optional, but quickly become universal in all things relating to the individual. Because of this, the opt-in quickly becomes mandatory for anyone with any government services interaction. As a result, there can be a lingering concern about a national database that makes it easier for the government to monitor individuals. Regardless of how far-fetched this may seem, any time there’s a database capable of identifying all citizens in a country, there’s the potential for abuse by both the government and any private entities that may have been granted access. And, as noted above, a centralized database is a valuable target for attack from criminal elements.

 

 

Voting

If for any reason the new digital identity required reissuing state IDs, that could prevent some currently eligible voters from having the proper identity to vote. This would be largely dependent on how the change affected the current state level identification and how quickly new identification could be issued. This may allow for adoption of new standards that could be construed as voter disenfranchisement.

 

 

Financial Impact

While there are sections in the legislation that provide funding to help states convert to the new identifier (Sec 5), this process will take a very long time due to the refactoring that may be required. There are also provisions that do provide some funding for the required changes, but there are always hidden costs in this type of effort. Those costs could add to states’ already overstretched budgets, causing some services to be reduced or cut.

 

In the end, a new identity system based on current standards rather than those established in the Social Security Act would provide some benefits, but there are many considerations that need to be addressed before implementation. The task force needs to really understand the global scope and impact of what’s being proposed.

 

Regardless of how it’s done, the new identity needs to be protected from misuse and overuse. Otherwise, the same thing that happened to Social Security numbers will happen to the new system and nothing will have ultimately changed.

Joe Burch
Engineering Fellow, Identity and Access Management | CyberArk
Joe Burch is an Engineering Fellow in Optiv’s IAM practice on the PAM CyberArk team. Joe’s role is to provide pre/post-sales support and consulting to Optiv’s clients with expertise in CyberArk solutions as well as providing support and mentoring to other Optiv team members.

Joe has over 20 years of experience ranging from small businesses to Fortune 50 corporations in a multitude of industries. He is a subject matter expert in the design and implementation of CyberArk solutions, and is experienced in several other areas of server security. Areas of expertise include server-based technologies, SSO, CyberArk, Risk and Controls and RSA. Prior to joining Optiv, Mr. Burch was principal SME on CyberArk and RSA for a Fortune 50 company.