Perhaps you’ve been displaced, and you learn your benefits are delayed because an agency can’t confirm your new address. You’re forced to drive an hour to verify your identity in person.
Or maybe you work for an agency and discover that thousands of dollars in small-business grants didn’t go to legitimate recipients but to fraudsters who had stolen identities online.
All these scenarios are possible in state and local government today because agencies still struggle with creating and managing digital identities for residents.
IDENTITY THREATS
The digital identity challenge for governments arrives at a time when threat actors are relentless.
Compromised digital identity is the No. 1 attack vector in data breaches. Attackers use personal information stolen in data breaches to launch bulk attacks against benefits programs. During the pandemic, cyber criminals stole millions of dollars in government benefits that should have gone to vulnerable constituents. In fact, there was a 2,920 percent increase in identity theft reports to the Federal Trade Commission (FTC) tied to government benefits during this time. In 2022 alone, identity-related data compromises across American organizations led to 422 million individual cases of stolen credentials.
Synthetic identity fraud is also increasing. With this type of fraud, perpetrators use a combination of real and fake attributes to create a new fraudulent identity and access government unemployment benefits, tax refunds, stimulus checks and other funds.
In this evolving threat landscape — and with growing constituent demand for digital services — governments must holistically address digital identity. The federal government realizes this. The latest version of the National Cybersecurity Strategy, released in March 2023, calls for the development of a digital identity ecosystem.
“Enhanced digital identity solutions and infrastructure can enable a more innovative, equitable, safe and efficient digital economy. These solutions can support easier and more secure access to government benefits and services,” the administration said in the strategy document.
The National Institute of Standards and Technology (NIST) maintains digital identity guidelines — NIST SP 800-63 — designed to help all levels of government properly frame and understand the technical requirements to implement robust digital identity services for employees, contractors and the public.
Additionally, more than $1 billion tied to the American Rescue Plan Act is being used to build digital identity infrastructure, with a focus on improving data sharing, modernizing systems and increasing predictive analytics capabilities. For example, the Department of Labor just released $653 million for states to spend on unemployment modernization.
But there needs to be more movement on digital identity at the state and local levels. Identity infrastructure is now critical infrastructure.
“As we think about government being more than a brick-and-mortar establishment — about it being a website and application that we interact with — we’ve got to think about the role of identity in that digital engagement,” says Matt Thompson, senior vice president and general manager of public sector solutions for Socure, a leading provider of identity verification and fraud detection solutions.
Getting digital identity right is complicated. But if state and local governments can develop a robust digital identity strategy, they can forge a more trusting relationship with constituents and better serve them.
BUILDING DIGITAL IDENTITIES
As state and local governments digitize more services, they will need better ways to validate constituents’ identities to make sure help goes to the right people at the right time.
But what exactly is digital identity?
“Digital identity is the representation of who someone is in an online ecosystem and a critical extension of their legal or physical identity,” says Jordan Burris, former federal chief information officer and chief of staff at the White House Office of Management and Budget (OMB) and current vice president of public sector strategy at Socure. “It’s the pieces of you, when evaluated online, that make up who you are.”
A range of data points can make up a digital identity, including information such as email addresses, usernames, passwords, online search activities, and even purchasing history and behavior, says Lydia Payne-Johnson, a senior fellow at the Center for Digital Government* with more than 40 years of experience in privacy, cybersecurity risk and data governance.
“Digital identities can be both a blessing and curse,” Payne-Johnson says. “Within the context of government, particularly in the U.S., we don’t have a clear approach for how to manage people’s information, particularly their most sensitive information. Governments are still in the 19th century in terms of some of their approaches, systems and how they handle identity.”
It’s clear that traditional identity approaches are no longer viable in an environment where domestic and foreign cyber criminals can easily access a variety of personal information online. Identity verification is quickly becoming one of the weakest links in the chain of trust for organizations.
“Almost all government services require us to validate your identity. A digital identity gives us that level of confidence to provide services to the right people,” says Ajay Gupta, chief digital transformation officer of the California DMV. “Without doing identity verification correctly, the cost of making a mistake is very high for states. It hurts not only the people who need services but also our economy.”
Ralph Rodriguez — an MIT fellow, expert in applied identity intelligence, former research scientist and former head of identity verification at Facebook — says the public sector faces several identity verification challenges. These challenges include a lack of standardized identity verification procedures, limited technological capability to detect fraudulent identity documents, and siloed databases and systems that make it difficult to verify identity across agencies.
“Identity verification frequently necessitates coordination across multiple agencies and databases, which can be complex and time-consuming to implement,” Rodriguez says.
This article is an edited excerpt from the new Government Technology handbook, “Digital Identity 101: A Playbook for State and Local CIOs, CTOs and CISOs.” Click here to download the full paper.
*Note: The Center for Digital Government is part of e.Republic, Government Technology's parent company.
