about the better identitymedia01.commpartners.com/2018/reingold/071918/better identity c… · as...
TRANSCRIPT
1
About the Better Identity Coalition
• Focus: developing and advancing consensus-driven, cross-sector policy solutions that promote the development and adoption of better solutions for identity verification and authentication.
• Launched in February 2018 as an initiative of the Center for Cybersecurity Policy & Law, a non-profit dedicated to promoting education and collaboration with policymakers on policies related to cybersecurity.
• As government contemplates new policies to improve the quality of digital identity, the Better Identity Coalition is bringing together leading companies to help develop innovative ideas that improve security, privacy, and convenience for all Americans.
2
Agenda
Time Agenda Speakers
9:30 AM Welcome and introduction Jeremy Grant, Coordinator, Better Identity Coalition
9:35 AM Congressional Keynote Rep. Michael McCaul – Chairman, House Committee on Homeland
Security and Co-Chair, Congressional Cybersecurity Caucus
9:50 AM Administration Keynote Grant Schneider – Senior Director for Cybersecurity, White House
National Security Council (NSC) & Acting Chief Information Security
Officer (CISO), U.S. Government
10:10 AM Industry Keynote Debbie Guild, Chief Security Officer, PNC
10:30 AM Overview: A Policy Blueprint for Better Identity in
America
Jeremy Grant, Coordinator, Better Identity Coalition
11:15 AM Remarks from the National Cyber Security Alliance
(NCSA)
Russ Schrader, Executive Director, NCSA
11:30 AM Panel: "Better Identity in the Post-Breach World”
Perspectives from industry and consumer
groups on “the identity challenge” and how
better identity solutions are needed
Donna Beatty – Global Product Management, JPMorgan Chase
Abbie Barbir – Senior Security Advisor, Aetna
Charlie Walton – Senior Vice President, Mastercard
Jim Barnett - AARP
12:15 PM Closing Keynote Rep. Jim Langevin - Co-Chair, Congressional Cybersecurity Caucus
12:30 PM Wrap-up - Lunch and informal discussion Informal lunchtime discussion between attendants and Better Identity
Coalition members
1:00 PM Event concludes
3
About the Better Identity Coalition
• Focus: developing and advancing consensus-driven, cross-sector policy solutions that promote the development and adoption of better solutions for identity verification and authentication.
• Launched in February 2018 as an initiative of the Center for Cybersecurity Policy & Law, a non-profit dedicated to promoting education and collaboration with policymakers on policies related to cybersecurity.
• As government contemplates new policies to improve the quality of digital identity, the Better Identity Coalition is bringing together leading companies to help develop innovative ideas that improve security, privacy, and convenience for all Americans.
4
Members
5
Framing the Challenge
6
Security
Privacy
Customer Experience
Transaction Costs
Trust
Compliance
Trustis hard to get right.
Identity(when done right)
enables Trust
Identityas
“the great enabler”
Identity as the Great Enabler
Providing a foundation for digital transactions and online experiences that are:
• Secure• Easy to Use• Protect Privacy
10
The challenge
11
“Digital identity presents a technical challenge because this process often involves proofing individuals over an opennetwork, and always involves the authentication of individual subjects over an open network...”
“The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks.”
- National Institute of Standards and Technology (NIST)
Our approach (to date)
12
Which has proven to be very practical
13
Especially when adversaries already know the answer
14
This has not worked well
15
Makes your employees and
customers hate you
Nobody can actually manage this for one password – let alone
20-30
Any password that meets this criteria is still susceptible to phishing, malware
and password reuse
The cost of outdated identity solutions
16
The cost of outdated identity solutions
17
Why has this been so hard to solve?
• The “identity gap” – the U.S. has many nationally recognized, authoritative identity systems
• All are trapped in the paper world
18
This was an attempt to get around the “identity gap”
19
Industry needed something to enable trusted digital commerce –this was the best solution out there
It worked for a while
• But today, attackers have caught up
• “Out of wallet” questions are not as secret as they used to be
20
21
While any one of these breaches on its own creates serious policy issues, there now exists the potential for malicious actors to combine multiple stolen data sets into one, thereby enabling them to obtain more complete “packages” of identity information.
-House Energy & Commerce Committee, 2017
SSNs are no longer “secrets”
22
Summary: Where we are today
• In an era where transactions are increasingly digital, our authoritative identity systems are stuck in the paper world
• Solutions that “papered over” that fact helped for a while – but now attackers have caught up
• “Shared secrets” like SSNs and passwords are no longer secret
• Industry innovation is helping to develop better, next-generation identity solutions such as passwordless authentication and identity proofing tools that scan and validate ID documents
• But – government remains the one authoritative issuer of identity. In this next phase of making identity “Better,” the government also has a role to play
23
What does “Better” look like?
• Better Security – with Less Fraud and Identity Theft – Embracing the recommendation of the 2016 Commission on
Enhancing National Cybersecurity that “Compromises of identity will be eliminated as a major attack vector by 2021.”
• Better Convenience for Consumers – Allowing consumers to open new accounts online with ease, without
having to go through duplicative, burdensome enrollment processes.
• Better Confidence for Both Consumers and Service Providers – That identities asserted online are reliable and trustworthy.
• Better Privacy – Shifting the predominant model for identity verification from one
based on firms aggregating personal data without opt-in consent, to one where consumers proactively request that their identity be validated by parties with whom they already have a trusted relationship
24
How to Get There: A Policy Blueprint
• Five core areas where government can and should help
• A specific action plan detailing “who needs to do what” in Congress and the Executive Branch
• No single action or initiative can “solve” identity
• But: taken as a package, if this Policy Blueprint is enacted and funded, it will make identity better
25
A caveat
• There are some identity problems that we honestly don’t know how to solve
• Some of them tie into issues that are highly political, and where consensus is not likely any time soon
• We acknowledge them – but we don’t have answers for everything
• Our focus here: a set of actionable items that – while they won’t solve every problem in identity, will definitively make digital identity better.
26
A Policy Blueprint
27
In simple terms:
If I’ve gone through the process of having an agency vet my identity once – can I ask that agency to vouch for me when I need to prove who I am to another party?
28
America’s legacy paper-based systems should be modernized around a privacy-protecting, consumer-centric model that allows consumers to ask the government agency that issued a credential to stand behind it in the online world – by validating the information from the credential.
How this could work
29
I request the government
helps me prove I’m me
Match! Match!
???
1. Agencies validate attributes
Of note…
30
• Sec. 215 of the “Economic Growth, Regulatory Relief, and Consumer Protection Act” directs SSA to establish this service for transactions covered under the Fair Credit Reporting Act (FCRA)
• One idea: expand beyond FCRA
How this could work
31
I request the government
helps me prove I’m me
???
Match!
2. Apps enable consumers to easily prove their identity
32
Improving Identity While Protecting Privacy
• Inadequate identity solutions have impacted the privacy of millions of Americans – through an epidemic of breaches. Better Identity is key to improving privacy protections.
• New identity solutions backed by the government should embrace a “Privacy by Design” approach ensures that any new solutions are architected from the start to address privacy risks; protections are embedded in the solution architecture
• Government should only validate data should when consumers request it, and only for the purpose specified.
• Consumers should be able to choose to share or validate only certain attributes about themselves without reveaing all their identifying data.
• To ensure that new systems are secure and privacy-preserving, NIST should be funded to lead development of a framework of standards and operating rules that will apply to any new government attribute validation services.
33
Helping states embrace Better Identity
• States are ideally suited to drive Better Identity– The driver’s license is the document most commonly
used to prove identity, and it’s backed today by a robust, in-person identity proofing process
• In practice, most state DMV systems are not built to support modern identity services
– Many states are running DMVs off infrastructure that is 20-30 years old
– States are not incented on their own to invest in DMV modernization to support digital identity
34
• $2.5-3 billion in unaddressed funding needs for DMV modernization that can support Better Identity
– Based on an analysis of recent DMV modernization efforts
• Federal assistance can help catalyze activity in state governments: A five-year, $200 million-per-year grant program
– Provide seed money to incent states to invest their own resources in modernizing DMVs to support digital identity
– “Strings attached” – grants can only be used for systems that follow Federal (NIST) framework for security and privacy
35
Helping states embrace Better Identity
Prioritize R&D and Standards• Government investment in identity R&D and standards work has waned
• The Federal government should develop a new, forward-looking investment strategy for R&D and standards work in identity that
1) Ensures alignment in priorities across agencies, and
2) Ensures necessary work around identity is adequately funded
• Focus areas:– Active partnership with private sector standards efforts
– Augmenting private sector-led R&D and standards work to fill critical gaps
– Research and standards for privacy-preserving technologies in identity systems
36
Address Policy & Regulatory Barriers
• Some policies and rules inhibit innovation in identity solutions– Some states have enacted strict protections against commercial use of DMV data in response to
privacy concerns – but have inadvertently created obstacles to a consumer requesting that a state share their data to assist the consumer with a transaction
– Ambiguity from some financial regulators on the use of digital identity solutions has inhibited banks from embracing digital identity – as well as a broader role in the identity ecosystem by serving as identity providers to other sectors
• Others can encourage and incentivize innovation– Incentivize use of new mobile driver’s license (mDL) applications by stating that TSA will accept
them at an airport checkpoints, and that the USPS and the State Department will recognize them for passport applications.
– The Department of the Treasury should convene a Digital Identity Task Force that includes regulators in the Federal Financial Institutions Examination Council (FFIEC), focused on exploring how government policy can drive the adoption of more resilient digital identity solutions across the financial services market with a focus on reducing fraud, enabling innovation in financial services, and promoting financial inclusion
37
Summary
a. Governments should offer new digital services to validate attributes – modernizing legacy paper-based identity systems around a privacy-protecting, consumer-centric digital model that allows consumers to ask the agency that issued a credential to stand behind it in the online world – by validating the information from the credential
b. Create a five-year, $200 million-per-year grant program to provide seed funding to states enabling DMVs to modernize and become digital identity providers
c. Develop a forward-looking investment strategy for R&D and standards work in identity
d. Address policy and regulatory barriers that inhibit private sector entities from innovating around identity – and create incentives that promote adoption of innovations
38
39
40
The Equifax breach spurred some proposals
41
The SSN is not just one thing
42
The SSN is not just one thing
Identifier
43
Identifier Authenticator
The SSN is not just one thing
44
a. Frame proposals about the “future of the SSN” on the basis of its use as an authenticator, and identifier, or both
b. Stop using the SSN as an authenticator
c. Preserve its use as an identifier – but look to reduce its use wherever feasible
Are all these requirements necessary?
At least 19 separate laws and regulations require SSN to be collected by:
• Employers – when they hire an individuals
• Financial institutions – when customers open an account or apply for a mortgage
– Required to retain it for up to five years after the account is closed
• College students – when applying for loans
• Health insurers – of each person they insure
• Blood banks – from donors giving blood
• The Coast Guard – as part of its Vessel Identification System
45
46
Don’t: Seek to replace the SSN with a new government-issued identifier
• It would cost billions of dollars and create confusion for millions of Americans – while offering very little security benefit
• Introduction of a new identifier would require both government and industry to map back to the old SSN
– Chaos due to errors in mapping and matching
47
Do:
• Executive Order or legislation banning agencies from using SSN as an authenticator
• Launch a task force charged with reviewing existing laws and regulations that require the use of the SSN and identifying whether any can be changed
• Acknowledge that SSA plays a role in the identity ecosystem
48
• SSN can no longer be used as an authenticator
• Passwords have also outlived their usefulness
• We need better alternatives
49
The password problem has been getting worse
50
Increase in phishing attacks over the number of attacks recorded in 2015
65% Attempted account compromises at Microsoft each day – up from 20M a year ago
100M
1 Anti-Phishing Working Group | 2Identity Theft Resource Center 2016| 3Microsoft CIS Speech 2017
And the problem goes beyond passwords
“These days, a phisher can successfully phish for an OTP just about as easily as they can a password.”
-Eric Sachs, Google, 2015 Cloud Identity Summit
51
All Shared Secrets are Phishable
The Good News:
The Market is Responding
Strong authentication is getting easier
What once required Now ships in this
These things are interesting
• Secure, hardware-based isolated execution environments (TPM/TEE/SE) – capable of generating, securing and applying cryptographic keys
• Multiple biometric sensors (finger/face/iris/voice)
• Other sensors and capabilities
Strong, Multi-factor Authentication
55
Enabled by Standards
Where government can help
1. Continue to partner with industry on standards development
2. Continue work to promote use of strong authentication– Enforce EO 13681, which requires “all agencies making personal data
accessible to citizens through digital applications (to) require the use of multiple factors of authentication”
3. Modernize rules and guidance in regulated industries that govern authentication requirements
4. Avoid creating new rules that might inadvertently preclude use of promising technologies for risk-based authentication
56
57
• Our primary focus is the U.S. – but identity extends across borders
– American citizens abroad– Foreigners doing business in the U.S. – American firms operating abroad
• Other countries have launched cross-border efforts– eIDAS (electronic IDentification, Authentication and trust Services) in
Europe Enabling digital interoperability between private and public credentials issued
in different countries in the EU New focus on leveraging e-IDAS to help banks with new account opening
– Financial Action Task Force (FATF) Focused on Anti-Money Laundering (AML) issues, including Customer Identity Global standards for Identity have emerged as a crucial issue in an era of
FinTech – how to enable innovation and inclusion while upholding high AML standards.
58
The U.S. Treasury Department should lead here
• Treasury is on point for AML – and just assumed presidency of the FATF
• Treasury should engage with eIDAS in Europe and the FATF globally to explore opportunities for harmonization of identity requirements for account openings – and global standards to support them
59
60
Better technology is only part of the solution
• Consumers and businesses need to know 1) That better identity solutions exist, and 2) How to best obtain them and use them
• Government should partner with industry to educate both consumers and businesses, with an eye toward promoting modern approaches and best practices.
• The National Cyber Security Alliance (NCSA) – which has a strong record of driving public/private partnerships to educate the public on cybersecurity – should be leveraged to promote better identity outcomes.
– The Administration should partner with NCSA to develop a new initiative focused on educating both consumers and businesses about better identity.
61
Summary
62
Questions?
Jeremy Grant
Coordinator
Better Identity Coalition
63
Agenda
Time Agenda Speakers
9:30 AM Welcome and introduction Jeremy Grant, Coordinator, Better Identity Coalition
9:35 AM Congressional Keynote Rep. Michael McCaul – Chairman, House Committee on Homeland
Security and Co-Chair, Congressional Cybersecurity Caucus
9:50 AM Administration Keynote Grant Schneider – Senior Director for Cybersecurity, White House
National Security Council (NSC) & Acting Chief Information Security
Officer (CISO), U.S. Government
10:10 AM Industry Keynote Debbie Guild, Chief Security Officer, PNC
10:30 AM Overview: A Policy Blueprint for Better Identity in
America
Jeremy Grant, Coordinator, Better Identity Coalition
11:15 AM Remarks from the National Cyber Security Alliance
(NCSA)
Russ Schrader, Executive Director, NCSA
11:30 AM Panel: "Better Identity in the Post-Breach World”
Perspectives from industry and consumer
groups on “the identity challenge” and how
better identity solutions are needed
Donna Beatty – Global Product Management, JPMorgan Chase
Abbie Barbir – Senior Security Advisor, Aetna
Charlie Walton – Senior Vice President, Mastercard
Jim Barnett - AARP
12:15 PM Closing Keynote Rep. Jim Langevin - Co-Chair, Congressional Cybersecurity Caucus
12:30 PM Wrap-up - Lunch and informal discussion Informal lunchtime discussion between attendants and Better Identity
Coalition members
1:00 PM Event concludes
64