Why is our government taking a back seat on digital identity issues?

Last month, the White House decided to leave digital identity out of its implementation plan for the National Cybersecurity Strategy. While the strategy contained a robust and thoughtful section on digital identity when it was published in March, the July implementation plan skipped over the topic as if it never existed.

The White House has made clear that people should not read much into this omission, stating, “This is an iterative document — just because you’re not seeing an initiative tied to a strategic objective today doesn’t mean it won’t be there for the next go-round.”

However, for the moment, White House efforts seem to be largely focused on a narrower effort to address identity theft in government benefits programs, rather than the more holistic, multi-sector approach outlined in the strategy. 

To be clear, it’s not just the White House that has sidestepped this issue. The last three Congresses have considered the Improving Digital Identity Act, which would launch a coordinated effort to address critical deficiencies in digital identity infrastructure and set a high bar for privacy, security and inclusion. Despite key committees of jurisdiction signing off on the bill, others have blocked its passage. 

Whether intentionally or through ambivalence, decisions have been made in the legislative and executive branches to do nothing when it comes to a comprehensive initiative to address challenges around digital identity. What is often overlooked in debates over whether to pass a bill or advance a policy is that choosing to do nothing is also an active policy choice; it’s a decision to embrace the status quo, to do nothing as other forces change things. 

And in the digital identity world, a lot is changing that could benefit from some attention. 

Privacy and civil liberties

The lack of an overarching strategy or policy initiative does not mean that the government is inactive. Instead, we’re seeing several different initiatives in digital identity: states are piloting digital versions of driver’s licenses; the Department of Homeland Security is looking to create digital versions of immigration and travel credentials; local agencies are exploring how to digitize vital records like birth certificates. And many states have passed new age verification laws to govern access to social media or pornography. 

Get the designs and policies right, and these new tools could help improve privacy and civil liberties. But if we get them wrong, they could be a disaster. Sloppy architectures could enable government tracking of the ways people use digital credentials, and the use of biased technologies could exacerbate existing inequities. 

There’s a window of opportunity for the federal government to step in and steer things in the right direction. As Jay Stanley at the ACLU noted in a recent article, “We’re in a formative moment right now; as a big player in the credentialing ecosystem, the federal government may have the power to affect the digital credentials architecture as it develops. If we get locked in, it should be something that’s got maximum capability to protect privacy.” 

The National Cybersecurity Strategy acknowledged the potential risks of new solutions like mobile driver’s licenses, but said only that the administration “notes and encourages a focus on privacy, security, civil liberties, equity, accessibility, and interoperability.” It’s time to go beyond encouraging good outcomes; let’s take proactive steps to ensure they are all achieved. 

Security implications of generative AI

Voices, photos, videos — these used to be things we could trust. But the explosion of new generative AI technologies is making them increasingly easy to spoof, giving a newer, darker meaning to the security term “Zero Trust,” and raising new questions about how we might be able to tell “who is who” online. 

This year we have seen AI being used to launch new sophisticated attacks focused on defrauding people and stealing identities. AI can clone a loved one’s voice to trick someone into sending money; video deepfakes are becoming easier to create and use in attacks. It’s clear these are just the early storm clouds on the horizon of what is likely to be a massive shift in the tools our adversaries have to launch attacks. 

Year after year, we have seen the same organized criminals and hostile nation-states exploiting the same core weaknesses in digital identity infrastructure to steal billions, not just from governments but from banks, healthcare, retailers, fintech services, and cryptocurrency exchanges. A new report from the government’s Cyber Safety Review Board  made this point very clear, flagging the importance of strong identity verification as key to stopping the most commonly exploited cyberattacks. With AI now promising to supercharge these attacks, our leaders should be thinking strategically about how to protect Americans from them. 

Economic impacts

A 2019 McKinsey study estimated that the U.S. could unlock the economic value of 4 percent GDP with investments to drive digital ID adoption. Conversely, if there is no action, we’re likely to backslide, as identity-related cybercrime increases and businesses and governments struggle to safely deliver services online. 

The White House’s National Cybersecurity Strategy and Congress’s Improving Digital Identity Act both offer a thoughtful way forward to ensure that the U.S. can address threats to privacy, security, equity and civil liberties being posed by changes in the digital identity ecosystem. But the current decisions in both the White House and in Congress to “do nothing” on this issue only increase the likelihood of solutions that fail to address these priorities. 

Doing nothing is a clear policy choice — but not a very good one on issues concerning digital identity.

Jeremy Grant is a managing director in the Technology and Innovation Group at Venable LLP and also serves as coordinator for the Better Identity Coalition. He previously led the National Strategy for Trusted Identities in Cyberspace at the National Institute of Standards and Technology. The views expressed in this article are those of the author and do not reflect the views of Venable LLP.