New White House cyber plan leaves digital identity action items out
White House officials said Wednesday that while the current cybersecurity implementation strategy did not include digital identity plans, future iterations could. KTSDESIGN/SCIENCE PHOTO LIBRARY/Getty Images
By
Natalie Alms
Officials noted that identity action items could still be included in later iterations of the national cybersecurity strategy implementation plan.
The White House’s implementation plan for the national cybersecurity strategy has 69 initiatives for agencies to carry out, but lacks any action items on digital identity, a shock to stakeholders who want action.
“The Brits invented the word ‘gobsmacked’ to describe things like this,” Jeremy Grant, longtime digital identity expert who has worked at the National Institute of Standards and Technology and now runs the Better Identity Coalition interest group, told Nextgov/FCW.
The strategy, released in March, had “[supporting] development of a digital identity ecosystem” as a strategic objective and previewed government investments in digital identity solutions, like providing attribute validation services, updating standards and developing digital identity platforms.
But the new “roadmap,” as acting national cyber director Kemba Walden called it in a briefing with reporters, doesn’t include anything on digital identity, the only objective left out other than data privacy.
When asked about the absence, a senior administration official told reporters: “This is an iterative document, so just because you’re not seeing an initiative tied to a strategic objective today doesn’t mean it won’t be there for the next go-round.”
The White House’s current efforts on digital identity, they said, are going to be coming from other ongoing efforts around digital identity and fraud.
“You've heard… the administration several times talk about work on digital identity actions in the context of identity fraud and combating that, and that is fundamentally what is holding that space right now,” the official said. “The administration is committed to action in that space, and that is still pre-decisional activity, but we would expect that follow-on actions from the identity fraud work would come into future iterations of the implementation plan.”
President Biden first promised an executive order on the topic in his 2022 State of the Union address, although it has yet to materialize.
“When you have this many departments and you actually have an executive order that is requiring an actual change of behavior, it requires a level of vetting from Justice Department, the [Office of Legal Counsel] and each counsel’s office that is a bit more from other executive orders,” White House senior advisor Gene Sperling told reporters in March during a call about a $1.6 billion anti-fraud proposal, including $600 million for identity theft and fraud prevention.
“It should be out soon, but I don’t want to predict what I can’t control, which is the time it takes to get everybody to completely — every counsel’s office to completely sign off,” said Sperling.
As for the impact of the omission, the original strategy itself noted that “the lack of secure, privacy-preserving, consent-based digital identity solutions allows fraud to flourish, perpetuates exclusion and inequity and adds inefficiency to our financial activities and daily life.”
There were 14,817 identity crimes reported in 2022, according to the nonprofit Identity Theft Resource Center. The center’s president and CEO Eva Velasquez told Nextgov/FCW via email that “the U.S. needs a digital identity strategy to help reduce identity fraud and the number of people who are victims of identity crimes.”
“I think it was a huge oversight,” Linda Miller — former deputy executive director of the government’s Pandemic Response Accountability Committee and founder and CEO of boutique consultancy Audient Group — told Nextgov/FCW via email about the lack of digital identity in the implementation plan. “It is very surprising and disappointing to me.
“Identity theft is a primary threat vector for government fraud at the federal, state and local levels of government,” she said. “We saw historic levels of identity theft-based fraud in unemployment assistance during the pandemic, and nation state actors used stolen identities to defraud many other pandemic programs as well.”
Jordan Burris, former chief of staff in the Office of the Federal CIO from 2017 to 2021 and current vice president and head of public sector strategy at digital identity company Socure said via email that although "it is understood that the plan may not encompass all the activities underway by the administration," the omission of digital identity is "deeply concerning.
"I fear that the failure to include digital identity in the cybersecurity implementation plan signals this critical work is being deferred, all the while we continue to see an uptick in identity theft, synthetic fraud and AI-driven attacks targeting government programs," he said. "There appears to be little momentum at the federal level to change the status quo."
A draft of the promised executive order obtained by Nextgov/FCW in February focused heavily on scaling the General Services Administration's identity service, Login.gov —although nothing is official policy until an actual order is issued. Since then, GSA’s inspector general issued a report in March which found that GSA has misled agencies about the level of identity proofing standards Login.gov met.
Grant’s identity-focused trade group, meanwhile, has urged the White House to focus on digitizing identity credentials with a task force, noting that “White House leadership is essential,” given the dispersion of issuers of identity documents across levels of government.
Grant told Nextgov/FCW that the “hope is that in the weeks ahead, we’ll see additional details from the administration outlining how they will protect millions of Americans from identity-related cybercrime and identity theft, by strengthening the security and privacy of digital credentials.”
As for when action items on digital identity might be added to the implementation plan, Walden said that the document will “evolve” over time, with a 2.0 version coming next year as the first of annual updates.
“The implementation plan does not capture all of the cybersecurity activities in the federal government, nor does it intend to,” she said. “What it does do is capture key initiatives that we must get done in the near term.”
The White House declined to comment on the promised executive order.
Editor's note: This article has been updated to include comment from Eva Velasquez and White House response.