Identity is crucial, but it isn't protected as such.
Identity is critical to the security of our online and offline activities, yet it’s too easily stolen.
The Hudson’s Bay breach, which compromised the financial information of 5 million customers at Saks Fifth Avenue and Lord & Taylor, is just one of many prominent examples of this. This significant incident for consumers and businesses is just one of many recent watershed moments for privacy, security and our way of life. It is clear that companies entrusted with handling individuals’ identity information are struggling to dedicate the resources and attention needed to protect it.
With the past year’s record-breaking wave of breaches, it is now safe to believe that most Americans have had their personal identity information exposed—and analysis of the Hudson Bay breach has confirmed this knowledge is now being traded in dark markets. The long-term ramifications are going to have an impact on every public and private sector organization that utilizes our identity to conduct business and to provide access to critical systems, which will create disruption in our day-to-day activities and even to our way of life.
Because business and government institutions that handle personal information are vital to our society, it’s time to designate "identity" as a new segment in the nation's critical infrastructure, a set of 16 sectors the Homeland Security Department deems essential to the nation’s well-being.
Everything we do online and off is dependent on identity, from making purchases and filing taxes to logging into corporate and government networks. Historically, we presented a birth certificate or driver's license to verify who we are for offline activities such as cashing a check or enrolling in school. With the advent of the internet came passwords, tokens and, now, mobile biometrics.
None of these systems are perfect; who didn’t know at least one student in college with a fake ID? In the past, the damage that could be wrought by falsifying identity was limited in size. In the digital age, the stakes are massively higher. Criminals buy and sell databases containing information about billions of people and then use it to commit crime on a mass scale.
What can be done?
The entire identity chain must be strengthened to prevent these criminal activities. Birth certificates, which can be used to open bank accounts, are still administered by hospitals that are ill-equipped to manage security. Our government devotes huge resources to ensuring that currency can’t be counterfeited, yet it pays scant attention to documents that can be used to obtain multiple forms of ID. Every physical document we use to prove our identity should be made far harder to duplicate.
We can then move onto our digital systems. Researchers have long warned that passwords are ineffective due to reuse and brute force attacks. We supplement this system using “facts” like the name of a first pet, but in the age of social media, these are easily discoverable online. Social Security numbers are another popular identifier, but their value has been greatly diminished because so many companies ask for and store them. We should treat these with no more authority than email addresses.
Homeland Security came up with its critical infrastructure list to protect those systems considered so valuable that our society can’t function properly without them. As stated earlier and proven by example—identity now belongs on this list; it’s no longer an option, but a necessity.
Besides being critical to nearly all commercial activity, identity is inexorably linked to other parts of the critical infrastructure. Consider a worker who signs into their computer at a nuclear power plant, or applies for a security pass at a military facility. The security of all these systems depends on being able to identify an individual with certainty. Without certainty, identity is the weak link across our entire infrastructure.
Such a move would not be unprecedented. Just this year, amid evidence of Russian-sponsored election meddling, Homeland Security designated election systems as critical infrastructure. Doing the same for identity would create the means and incentive to shore up this vital area. For starters, entities that play a key role in managing identity—including hospitals and credit reporting agencies like Equifax—would come under government oversight and be encouraged to work together to find solutions and share threat data. They would also be eligible for technical support, services and possibly even grants that could further strengthen defenses. Most importantly, designating identity as critical infrastructure would provide it with the focus that it so obviously deserves.
In the 1960s, when ARPANET was created, the internet’s predecessor, no one envisioned the magnitude of what they were building. Because ARPANET communications were between trusted parties, there was no need for a strong authentication system. As a result, the industry has been trying to bolt on security as an afterthought ever since.
The federal government funded the initial research that led to ARPANET. Along with industry and the global technology community, it should now take steps to make the system more secure and reliable for the billions of people and companies that rely on it every day.
Andre Durand is the CEO of Ping Identity.