Should government expand its ID proofing role?

Momentum is building in the public and private sectors behind an idea to expand government's role in validating and guaranteeing digital identities.

The question is part of an "ongoing debate of what to do with identity proofing in a post-Equifax world," said James Sheire, director of the General Services Administration's Federal Identity, Credential, and Access Management Office, at a Sept. 11 ACT-IAC meeting.

The Equifax breach, which exposed the data of 147 million consumers, is commanding the attention of policymakers in the identity space. The desire to better secure digital identity and to make better use of government's immense, if disparate, data, has led to the formation of a new trade group aimed at improving the status quo, as well as increasing executive and legislative interest.

The GSA budget for fiscal year 2019, for instance, proposed the creation of a Modernizing Identity Proofing Program Management Office. Congress also passed a law earlier this year that included a section directing the Social Security Administration to open an identity validation service.

Sheire said government "clearly having the resources" opens up the conversation of what its role should be.

Patrick Eager, deputy director of the Enterprise Security Services Division within the Department of Homeland Security's Office of the Chief Security Officer, endorsed government doing more in ID proofing: "I think it's a good idea."

Combiz Richard Abdolrahimi, a veteran of the Departments of State and Treasury, said that between birth certificates, driver's licenses and Social Security numbers, governments at all levels "are sitting on this identity data information" that could be used in the digital space.

"There's a lot of government agencies that are doing the proofing already, so it's just a matter of harmonizing it more, said Abdolrahimi, now the global emerging technology and innovation strategy manager at Deloitte.  "That could be a great service that could improve citizen services."

But government's legacy IT systems could be problematic in its taking a lead role in the digital space. Former Federal CIO Tony Scott noted that many of the systems "that run the federal government are pre-2001 in their architecture, in their design, in their implementation."

"That obviously presents a challenge when you have technology that's either old or came from a different design era," he said.

Jeremy Grant, founder of the Better Identity Coalition, acknowledged that "some government entities [are] in a good position to do this, and others will need to create a system to enable this."

"It's less a question of whether [an agency like] SSA has the ability to do that today or not," he said, but more of what the funding model will be, how much it will cost and which agencies are most appropriate and have the most germane data.

Grant said while the funding would come from Congress, exploring how to best go about expanding government's role in the identity validation space wouldn't even necessarily need new legislation and "could be done with OMB policy guidance [or] an executive order."

"We don't need to create new ID systems," he said. "We need to leverage what's out there, so if consumers want to do things online, they can do the things they can in the paper world."

Two executive branch documents seem to back him up. The Obama-era Commission on Cybersecurity's December 2016 report recommended the government explore identity validation as a way to combat identity theft.

The Trump administration's President's Management Agenda suggested identity management could be improved via a directive from the Office of Management and Budget or an executive order. "The administration will update or revise foundational policy documents that strengthen the federal approach to key areas such as … managing identity," the document read.