Our personal information has become far less personal in this era of massive data breaches and aggressive cyberattacks.
Personal data we once held sacred — Social Security numbers, addresses and driver’s license numbers — are now readily available on the Internet for anyone to misuse. In 2016 alone, 15.4 million people in the U.S. were victims of identity fraud — up from 13.1 million the previous year, according to Javelin Strategy & Research.
And the data that fraudsters abuse is the same information victims rely on to verify their identity with federal agencies, healthcare providers and other entities before receiving goods and services. So what can agencies do to properly identify people and ensure they are who they say they are? The answer has come in the form of identity proofing.
The National Institute of Standards and Technology (NIST) defines identity proofing as a means “to establish the uniqueness and validity of an individual’s identity to facilitate the provision of an entitlement or service.” Proper identity proofing includes verifying identity documents, biographic information, biometric information and knowledge of personally relevant information or events.
To better understand the current landscape of government identity proofing, the challenges and what’s being done, GovLoop recently hosted a roundtable discussion with government and industry experts from various organizations, including NIST, the Homeland Security Department and Experian, which specializes in identity management and fraud detection across all markets.
Why Identity Proofing Matters
Michael Duffy, Branch Chief of the Office of Cybersecurity and Communications at DHS, kicked things off by explaining the purpose of identity proofing. As the agency charged with operating government IT security systems on behalf of the American people and federal users, DHS needs to understand who is interacting with the government and using its networks.
DHS also wants to ensure that whoever is interacting with government networks is confident they are in fact interacting with the U.S. government and not a nefarious actor. This is the case for all agencies.
“We want to be able to give the right services to the right people at the right time,” said Paul Grassi, Senior Standards and Technology Advisor at NIST.
What Government Is Doing About Identity Proofing
Grassi’s agency is contributing to these efforts through its Special Publication 800-63. The publication provides technical requirements for federal agencies implementing digital identity services. This is a big deal because so much of what we do is online and agencies need a way to ensure employees, contractors and private individuals are who they claim to be and that they have the necessary credentials to prove it.
“We admitted that identity is hard, proofing is hard and it is supposed to be,” Grassi said about the NIST publication. “Making it easy is why we have had breaches. A lot of proofing done today doesn’t comply with 800-63. We’ve completely flipped proofing on its head in a way that mitigates breaches like [those that involved] Equifax and OPM [Office of Personnel Management].”
DHS is working on a governmentwide project that complements current identity proofing efforts.
“One of my chief goals is making sure the users of government systems and government users of government systems are confident the information they are sending and receiving is secure,” Duffy said.
To accomplish that goal, DHS issued a directive requiring agencies to begin implementing DMARC, or Domain-based Message Authentication, Reporting & Conformance. This email authentication, policy and reporting protocol “is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t,” according to dmarc.org. “This makes it easier to identify spam and phishing messages, and keep them out of peoples’ inboxes.”
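To make the dmarc.org description concrete, here is an added example (not code from the article, DHS or dmarc.org) of the receiver-side logic DMARC prescribes: parse the domain’s published policy record, check whether the message’s SPF or DKIM result is aligned with the domain in the From header, and if neither is, apply the published disposition. The record and the four messages are constructed; the organizational-domain helper is a stand-in that takes the last two labels, whereas a real mail receiver consults the Public Suffix List.

```python
# Added example: minimal DMARC record parsing and policy evaluation.
# The record and messages below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed record, as it would be published in the TXT record at _dmarc.example.gov
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.gov"
)


def parse_dmarc_record(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict and fill in the
    RFC 7489 defaults for the tags that decide a message's disposition."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p is mandatory; anything else is not DMARC
    if not txt.strip().lower().startswith("v=dmarc1") or \
            tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p when absent
    tags.setdefault("pct", "100")      # share of failing mail the policy applies to
    return tags


def organizational_domain(domain: str) -> str:
    """ASSUMPTION: the last two labels stand in for the organizational domain.
    Real receivers use the Public Suffix List (e.g. 'example.co.uk' has three)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match with the From domain,
    relaxed only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What a receiving mail server already knows about one message."""
    from_domain: str            # domain of the RFC5322.From header address
    spf_pass: bool
    spf_domain: Optional[str]   # RFC5321.MailFrom domain SPF was evaluated on
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of a DKIM signature that verified


def evaluate_dmarc(record: dict, msg: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). DMARC passes when an aligned SPF pass
    or an aligned DKIM pass exists; otherwise the published policy applies
    (p for the organizational domain itself, sp for its subdomains)."""
    spf_ok = (msg.spf_pass and msg.spf_domain is not None
              and is_aligned(msg.from_domain, msg.spf_domain, record["aspf"]))
    dkim_ok = (msg.dkim_pass and msg.dkim_domain is not None
               and is_aligned(msg.from_domain, msg.dkim_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    from_is_org = msg.from_domain.lower() == organizational_domain(msg.from_domain)
    policy = record["p"] if from_is_org else record["sp"]
    # pct= sampling and aggregate reporting to rua= are left out of this example.
    return "fail", policy


if __name__ == "__main__":
    record = parse_dmarc_record(SAMPLE_DMARC_RECORD)
    # Constructed messages: a legitimate signed message, a message with a
    # forged From domain whose SPF only passes for an unrelated domain, a
    # subdomain message relayed by the agency's own mail server, and an
    # unauthenticated message from a subdomain.
    samples = [
        AuthResults("example.gov", False, None, True, "example.gov"),
        AuthResults("example.gov", True, "unrelated.example", False, None),
        AuthResults("hr.example.gov", True, "mail.example.gov", False, None),
        AuthResults("hr.example.gov", False, None, False, None),
    ]
    for m in samples:
        print(m.from_domain, evaluate_dmarc(record, m))
```

The second and fourth messages are the cases DMARC exists for: SPF passing for some other domain does not help a message claiming to be from example.gov, and an unauthenticated message from a subdomain falls under the separate sp= policy. Because the sample record sets adkim=s, a signature from example.gov would not cover mail sent as hr.example.gov either; choosing strict alignment is a deliberate trade between tighter control and the operational effort of signing every sending subdomain.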
Duffy said DHS expects it will take a year for this policy to be implemented across all federal departments and agencies.
“In 2017 going into 2018, we don’t want to see a whole lot of spear phishing coming from .gov [email addresses],” Duffy said.
When it comes to identity proofing, the public sector, in general, is ahead of the private sector, said Keir Breitenfeld, Senior Business Consultant at Experian Fraud and Identity Solutions.
Referring to the work happening at NIST and across government, Breitenfeld said NIST 800-63 is a standard that the private sector should strive to meet. “[Industry] needs to understand this is the direction we are going,” he said.
The balance for any organization that must verify and authenticate identities is to make the user experience as frictionless as possible, while reserving more stringent requirements for risky transactions that involve sensitive data.
That’s why Breitenfeld recommended agencies use different “workstreams” for different users when it comes to identity proofing. This may include allowing users to verify their identity by phone, in person or virtually through other means.
“[But] you can’t assume it is a fraud-proof process,” he said. Agencies have to acknowledge that fraud will happen and feel comfortable sharing known fraud instances and cases.
“If we can share a little more without risk of reputation and liability, that’s critical,” he said.