Published by The Lawfare Institute
in Cooperation With
In 1993, Pete Steiner published the New Yorker’s most reproduced cartoon of all time: A mutt on a computer commenting to a fellow hound, “On the Internet, nobody knows you’re a dog.”
At the time, Steiner’s cartoon captured an amusing point about the early days of going online, and how hard it was to figure out who was really who. Twenty-seven years later, those dogs are long-dead (because dog years), yet the cartoon is truer than ever.
If anything, the problem has gotten worse. In 2020, “dogs on the internet” are being actively weaponized. Identity is the most commonly exploited attack vector used to breach systems and commit cybercrimes. A report published in 2019 showed that more than 80 percent of breaches could be traced to some sort of compromised digital identity. More recently, dogs on the internet have been exploited by foreign adversaries to interfere in our democracy through social media manipulation.
There is a reason why we are still struggling with this issue 27 years later: It’s a very hard problem to solve. But we are getting closer to some useful answers and, with some timely investments in digital identity infrastructure, we can make a dent in the problem.
* * *
As the National Institute of Standards and Technology (NIST) pointed out in a 2017 publication:
Digital identity presents a technical challenge because this process often involves proofing individuals over an open network, and always involves the authentication of individual subjects over an open network …. The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks.
The problem has only been exacerbated by recent events. As the United States shifts to social distancing because of the coronavirus, the challenges with dogs on the internet are taking on new, more complex dimensions:
- The White House has ordered a partial shutdown of citizen-facing government services—focusing on services that “cannot be performed remotely or that require in-person interactions.”
- The Treasury Department, the Small Business Administration (SBA) and other agencies are scrambling to figure out how to validate the identities of citizens and small business owners who are eligible for new benefits under the CARES Act, as are firms that participate as lending partners with the SBA. This is important not only for delivering much-needed dollars to American citizens in a timely fashion but also to stop fraudsters who are already thinking of novel ways to steal this money.
- Outside of the government, criminals are racing to take advantage of the coronavirus chaos by launching millions of phishing and identity fraud attacks to trick Americans into giving up their logins and personal information online.
But it doesn’t have to be this way. Indeed, most of our peers—such as Canada, Australia, the United Kingdom and the European Union—do not have the same problems (at least not to the same degree as we do). As a March 24 European Commission announcement boasted:
Thanks to the “trust” enablers eID and … the eIDAS regulation, citizens do not need to leave their homes to interact with public administrations, they do not have to meet face-to-face to sign or even mail documents. In times of crisis, this is another way to achieve social distancing.
Why is the U.S. so far behind? While our international peers have invested in digital identity solutions, our federal and state governments have stayed stubbornly rooted to paper and plastic credentials.
In the government’s absence, industry has tried to fill the gap. They have built products such as knowledge-based verification (KBV) as an alternative to government-verified identity. But KBV can get you only so far—and today attackers often know the answers to the questions in KBV quizzes, just as they know the last four digits of your Social Security number. As attackers have caught up with these solutions—and identity fraud has risen—it has become clear that there is no substitute for the unique role that government plays as the authoritative source conferring legal identity.
The government’s unique role in identity verification arises because it has proved to be in the best position to address our challenges and make identity better. Not by issuing a national ID but by allowing consumers to request the government to stand behind the paper and plastic credentials it already issues in the physical world.
As Congress and the Trump administration prepare to consider a fourth coronavirus stimulus bill, they should recognize that most of the economy has shifted to a digital basis and invest in foundational building blocks of digital infrastructure. Digital identity is one such building block.
Where should the government focus? Echoing recommendations from the Better Identity Coalition, we offer three suggestions.
First, the government should establish a Federal Digital Identity Task Force (with sufficient funding) assigned to craft and implement a government-wide approach to digital identity. Today, some agencies dabble in digital identity solutions—either for supporting their own online services or for providing limited data-validation tools for the private sector—but there is no coordinated approach. What is needed is leadership, a government-wide approach for agencies to stand up new privacy-enhanced identity-validation services rooted in consumer consent, along with seed money (we estimate that no more than $50 million is necessary, which is a pittance in the post-pandemic world) for agencies to establish new digital identity services.
Second, NIST should create a Digital Identity Framework to ensure that any government agency, be it at the federal, state, or local level, can follow a standard approach to creating digital identity services that is secure, is designed around the needs of consumers and protects their privacy. This, too, will require only modest funding.
The idea of government taking a bigger role in digital identity raises concerns about the impact new identity services might have on security and privacy. The best way to mitigate these concerns is to make sure that any deployed services follow standards that set a high bar for security and privacy, thereby making sure new identity tools preserve privacy and empower consumers rather than create risks.
Third, yet more money. (Yes, it is a theme, but the benefits are so great that we think it worthwhile.) The federal government should fund new grants to the states for digital identity. The Department of Motor Vehicles (DMV) is the one place where almost every adult American goes through a robust, in-person identity-proofing process that is based on a federal standard (REAL ID). DMVs are ideally suited to help improve identity through mobile driver’s license applications and other identity-validation services. But they have antiquated infrastructure, and DMVs don’t have an incentive to focus on these issues.
These new grants could provide up to a billion dollars in seed money over five years to help states start to invest in closing the “identity gap”—by rolling out new mobile driver’s licenses and other digital identity solutions. Dollars could be spent only on solutions that implement the NIST Framework, thereby ensuring that federal investment fund systems set a high bar for privacy and security, and are interoperable across states.
While this is a large investment, the security and efficiency benefits to the country will be significant. States can leverage these solutions to enable more trusted online services, cut down on fraudulent benefits claims and protect citizen information. And by allowing their residents to ask the state to “vouch for them online” when they are looking to prove their identity in the private sector, states provide a critical service to businesses that are eager to know if prospective clients are “internet dogs” or legitimate customers.
* * *
Countless services, including banking, health care, government and e-commerce, depend on knowing “who is on the other side” of a transaction. In 2020, the ability to offer high-value transactions and services online is being tested more than ever, due in large part to the challenges of proving identity online. The lack of an easy, secure and reliable way for entities to verify identities of people they are dealing with online creates friction in commerce, leads to increased fraud and theft, degrades privacy, and hinders the availability of many services online.
The United States must act to improve identity verification. These three initiatives (a federal task force to lead the effort, standards from NIST and funding to help state DMVs upgrade their technology) will not solve every challenge in the identity space, but they represent three common-sense steps that are practical to implement and will be meaningful in their impact; they will make the state of digital identity better. And they will make the dogs on the internet entertainment, rather than nefarious weapons.