Hill Staffers Expect Movement on Digital Identity Verification Bill
There’s strong, bipartisan potential for moving legislation that would establish digital identity verification practices meant to help the federal government combat identity theft, said Senate and House staffers during a Monday webinar.
The Senate Homeland Security Committee passed the Improving Digital Identity Act (S. 4528) by voice vote last week. Introduced by Sens. Kyrsten Sinema, D-Ariz., and Cynthia Lummis, R-Wyo., S. 4528 establishes a federal government task force to develop digital identity verification methods for agencies that could potentially save money and combat identity theft. Rep. Bill Foster, D-Ill., previously introduced his own version in the House, which envisioned a role for the National Institute of Standards and Technology to develop digital identity verification standards.
NIST is focused on challenges and opportunities associated with identity verification, said NIST Senior Technology Policy Adviser Connie LaSalle during a Congressional Internet Caucus Academy webinar. NIST wants to more fully explore proofing methods and the balance between privacy, security and inclusivity, she said. “There’s recognition from everyone that this is a really important issue that warrants a lot of in-depth study and attention,” said Cara Mumford, Senate Homeland Security Committee director-governmental affairs: “I was glad that we could work closely with our partners across the aisle” to get the bill out of committee.
Mumford and Tim Weiler, Foster’s economic policy adviser, cited the need for Congress to stay open-minded and not focus legislation on any particular type of technology. Lawmakers don’t want to pass laws that won’t apply to technology years later, said Weiler. “Remaining technology-agnostic is really, really important because we’re dealing with everything at a 30,000-foot level,” said Mumford, adding that Congress needs to build flexibility into laws so they can evolve with the technology.
NIST is intrigued by the “promise” of distributed ledger technology like blockchain products, said LaSalle, noting the cloud was once “viewed as magic.” NIST will play a significant role in “shepherding the next era of innovation,” she said.
Biometric technologies are more effective for identity verification than blockchain technology, said Okta Federal Chief Security Officer Sean Frazier. Biometrics on Apple devices, for example, are “simple to use” for consumers. He discussed the September Uber data breach, in which attackers were able to bypass multifactor authentication (MFA) protection. The attack prompted federal agencies to rethink the potential for phishing-resistant MFA.
NIST hopes there will be more “phishing-resistant” options that are broadly available, affordable, portable, privacy-protective and easy to use, said LaSalle: “If we’re not hitting all of those factors, I don’t know how we can expect adoption gains” that create friction for attackers.
The Cybersecurity and Infrastructure Security Agency issued a binding operational directive Monday aimed at improving vulnerability detection by civilian agencies. Within six months, agencies must deliver vulnerability detection data, plus biannual progress reports detailing how agencies are complying with CISA’s directive. CISA will provide status reports to DHS, the Office of Management and Budget and the national cyber director.