One of the great things about my work here at Ping is that I get to explore identity matters from many different perspectives. I’m fortunate enough to be at a company that champions identity by delivering identity solutions like MFA, access management and data governance that empower companies, governments and organizations to secure their employees, customers and citizens. But identity goes well beyond the technical bits, bytes and widgets. So I also feel fortunate, and humbled, to be a part of the Better Identity Coalition, a group that brings together leading companies to promote education and collaboration on protecting identities online. It has given me an opportunity to have a richer and much fuller notion and understanding of identity.
That’s why I’m super excited that the latest Hello User podcast features a discussion with Jeremy Grant, Coordinator of the Better Identity Coalition. Jeremy has been involved since the early days of government internet regulation working with former president Bill Clinton, Virginia senator Chuck Robb, the Obama administration, the Department of Defense, NIST, and various legislative work as a staffer. He now works for DC-based law firm Venable as well as being a consultant to clients in several sectors, where his focus is primarily in financial services, healthcare, IT and recently unemployment fraud due to billions of dollars lost during the pandemic.
In our sit-down, we dove into creating a centralized and holistic approach to protecting and regulating identity in the United States and the specifics of why digital identity and cybersecurity are national issues that the private sectors simply cannot tackle on their own. Here are some of the key takeaways.
Takeaway #1: Digital identity plays a substantial role in society—and the conversation is heating up.
“People are being recognized for these transformative changes and a lot of this is being driven off of identity.”
Interesting developments over the course of the last year or so have cast a very, very bright light on the challenges that we're facing with national security, national cybersecurity infrastructure, the idea of people having some part to say about their identities in the digital world, and the tensions that are being created by the lack of a national data privacy standard here in the United States. And we’re seeing metamorphic changes in the corporate sector driven off of identity. Jamil Farshchi, the CISO at Equifax, is pushing for increased collaboration among the public and private sectors. MasterCard is creating a digital identity product. Mark Zuckerberg is making waves about developing a digital identity standard for unbanked people through Facebook’s cryptocurrency efforts.
Jeremy points out that this transformation is also taking place on the national level. Two years ago, the Cybersecurity & Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security, declared identity as one of 55 national critical functions. Along with key infrastructure areas such as telecommunications, transportation and waste water management, CISA recognizes that a collapse in identity would have a cataclysmic effect across the economy.
Takeaway #2: The lack of standard language around identity is problematic.
“Much of my job is really as a translator, trying to help people in different sectors understand some of the different issues and why they are pertinent.”
To further our identity goals, we will need to make sure we’re all in sync when we’re simply talking about identity. During my past dozen years spent in the identity space, it has become obvious that we’re not all on the same page when it comes to how we talk about identity. We don’t have a standard taxonomy or lexicon, and this debate within our ranks is clearly not helpful. Jeremy also raised this point during our chat, observing that people come at the definition of identity in different ways.
For example, here at Ping we talk about “authentication” as confirming that a user is who they say they are upon sign on, and “identity verification” as matching an identity claim with documentation that can prove it, but Jeremy notes that some organizations don’t see the distinction between authentication and identity proofing, treating them as the same concept. As a result, he sees his role as sometimes being that of a translator, trying to make it easy for people to understand exactly what is being discussed. He sees glimmers of hope that the identity industry is beginning to come together around this so that it can grow and spread its wings.
Takeaway #3: Identity is not just a corporate issue—it needs a national approach.
“You cannot solve this without government help.”
It’s natural that people first look to their own industry expertise when considering how to solve a problem, and the solution often takes the form of a shotgun approach: spreading as much firepower around as possible to catch whatever threats exist. Take banking, for instance. The most highly-regulated industry in the nation is always going to be leading the way both in innovation and pain. As I'm talking with companies in the financial services sector, they tell me they’re finally getting to a point where their loss reserves, because of breaches and exploits, are unmanageable. Although they’ve made tremendous strides in identity, banks cannot go it alone, and I’m seeing the beginnings of a folding in of true public/private partnership.
As Jeremy points out, it is still a struggle at times to get people to take things up a level and look at this more as a national priority as opposed to a sector priority, but it’s essential that a mix of industry and government work together to solve identity challenges. Part of the message of the Better Identity Coalition is that they each provide those components which only they can best provide. For example, regarding authentication, he sees industry playing a huge part with FIDO, AuthN, behavior analytics tools and more. On the identity proofing side, however, he sees the government as having a large role as an authoritative assurer of identity. It is only through widespread collaboration—banks, healthcare, tech, identity security companies, the government—that we will be able to successfully tackle identity problems.
Takeaway #4: Solving identity challenges needs a holistic approach.
“Folks tend to look at only the silo that they're in, in terms of where something needs to be solved.”
One big question that arose during our discussion was, “How do we solve this nationally at a digital level in a way that might actually work?” As Jeremy notes, you can’t just solve it in UI, you can’t just solve it in banking, and you can’t just solve it in-house. You need a more holistic approach that involves every facet working together. He sees us (business and society at large) as repeating the same patterns of choosing not to address the core issues—for instance, businesses suggesting that NIST controls are optional as opposed to being more prescriptive in adhering to the obligation, as companies inside of the national cybersecurity infrastructure of the United States, to protect their customer base or protect human beings.
Part of what I have seen as contributing to difficulties in navigating through a challenging environment is the fractioning of attention caused by the state-based laws. From an interoperability standpoint, states are going to actually have to sort out where the lines are because we're sending data across lines that may not transect those geographical boundaries. We’re in the nascent stages of dealing with these complexities holistically rather than working on this problem piecemeal, and recently introduced bi-partisan legislation, the Improving Digital Identity Act of 2020, holds some promise in this area.
Takeaway #5: Privacy is critical but often overlooked.
“Industry has come around to the idea that we need a national privacy law probably five years too late.”
One of the things I've found challenging in my digital identity evangelizing and proselytizing is the absence of a national data privacy standard here in the United States. We're already beginning to suffer the death of 50 cuts as it relates to state-based privacy mandates. Until we get to a point where a privacy accord or a privacy regulation has demands for actually protecting the person whom the data supposedly is associated with or it belongs to, we're going to have this paradox. If you keep protecting the stuff but not the people, all I've got to do is be you to get your stuff.
When I asked Jeremy for his take on this, he said that he sees industry as having come around to the idea that we need a national privacy law, although it’s probably five years too late. In 2018, when GDPR took effect and CCPA was signed into law, companies realized that other states were creating their own regulations—and the last thing American companies want is 50 different sets of laws to deal with. But how this plays out is yet to be determined. Virginia and Florida, for example, are passing their own legislation, and as states start to pass laws it becomes harder to convince policymakers sent from those states to Washington that they should preempt it. This will be an animated area to keep our eyes on in the coming months.
The Hello User Podcast
Thanks for joining in on the conversation around recognizing digital identity as a national issue. To listen to the full discussion and find out about other episodes, please head to the Hello User podcast page.