The Treasury Department wants to help state and local governments finance systems for reducing the amount of personal information individuals share with providers of digital services in order to both protect individual privacy and bolster national security.
“The effectiveness of digital identity solutions and services depends on the ability to validate identity attributes against authoritative government databases,” said Elizabeth Rosenberg, Treasury’s assistant secretary for terrorist financing and financial crimes. “That means digitizing local and state databases and developing appropriate infrastructure and applications such as mobile driver’s license infrastructure that can support privacy preserving identity attribute validation services [and] exploring the possibility of voluntary grants to help states do that.”
Rosenberg spoke Tuesday at an event hosted by the Better Identity Coalition, a group of companies that has successfully pushed for such systems at the national level and recommended help for state and local governments to take similar action in 2018.
“Assistant Secretary Rosenberg was just confirmed about a month ago and so I was really pleasantly surprised to hear all that,” Jeremy Grant, coordinator of the coalition and host of the two-day event, told Nextgov.
Privacy and cybersecurity are often pitted against each other, but for years, officials have been working on a way to have both that seemed too good to be true. Going back to 2011 when the Obama administration issued a National Strategy for Trusted Identities in Cyberspace, the National Institute of Standards and Technology discussed the topic during an RSA Security Conference panel titled: “Privacy-enhancing Technologies: Pipe Dream or Unfulfilled Promise?”
But more recently, observers such as Ellison Anne Williams, a former National Security Agency staffer who now leads the firm Enveil and spoke with Nextgov on the issue, exhort, “it’s not magic, it’s just math.”
Broadly speaking, the kind of privacy-enhancing technology, or PET, Rosenberg was referring to reduces the amount of personal data in circulation by answering queries with a yes-or-no confirmation while the data itself remains encrypted in the state-controlled databases.
“Imagine a customer providing a valid driver’s license to prove her age without actually revealing her full birth date or other unnecessary information,” NIST wrote ten years ago.
The current effort to use privacy-enhancing technologies to digitize identification comes as the Biden administration looks to encourage their use by cryptocurrency exchanges, the preferred venues for ransomware criminals to receive payment from their victims.
Implementing the digital identity systems can allow the American public to live “in a world with less digital fraud and fewer stolen identities, with stronger defenses against ransomware attacks,” Rosenberg said.
Also speaking at the event, Carole House, director for cybersecurity and secure digital innovation on the National Security Council, said improving digital identification systems is at the core of a May executive order, under which the Office of Management and Budget rolled out deadlines for agencies Wednesday.
“Something is not quite right in how we are authenticating and verifying identities for access to key services. I’ve heard estimates from industry that most ransomware incidents potentially could have been prevented through simple implementation of multi factor authentication,” House said. “Identity sits at the heart of ‘zero trust.’”