Making Data Better

Navigating digital ID: The role of government

November 07, 2023 Lockstep Consulting Pty Ltd Season 1 Episode 5
Making Data Better
Navigating digital ID: The role of government
Show Notes Transcript Chapter Markers

Ever wondered about government's role in online identification and how it could expand to help our digital economy function better and safer? Or how government data quality directly impacts risk assessment?

In this episode of Making Data Better, we tackle where US and Australian governments stand on protecting our digital IDs and personal credentials.

Join us as Jeremy Grant, Managing Director of Technology Business Strategy at Venable LLP, brings his insights on security technology strategy, policy, finance, and more to Making Data Better.  Jeremy speaks to his decades-long experience with US federal and state government initiatives. And to the work of his organization, the Better Identity Coalition (check out its policy papers for federal and state-level policymakers!)

Government issues the credentials we rely on to prove who we are. Regulating how those credentials may be protected to enjoy expanded usage is both necessary and fraught with complications. Tech regulation has a history of being well behind technology's evolution.

That said, it is coherent policy and political direction that is needed. Disparate agencies may fully understand the potential of the assets they manage but without strategic focus at the highest level, the challenge of digital ID will remain. And our exposure to fraudsters, synthetic identities, and nation-state attacks will continue.

This is no small matter. FINCEN, the Treasury Department's Financial Crimes Enforcement Network, recently announced their analysis of bank-filed suspicious activity reports. They found that $212 billion of transactions were tied to compromised identity. The General Accounting Office, the investigative arm of the US Congress, estimated between $100 and $135 billion losses in public benefits fraud during the pandemic.

This is real money, ending up in the hands of organized criminals and adversarial nation-states.

So, take a listen to this episode with Jeremy Grant and Lockstep's Steve Wilson and George Peabody. There's work to be done.

Speaker 1:

Welcome to Making Data Better, a podcast about data quality and the impact it has on how we protect, manage and use the digital data critical to our lives. I'm George Peabody, partner at Lockstep Consulting, and thanks for joining us. I'm so glad you can join us, and with me is Lockstep founder Steve Wilson. Hey, steve, hey George, how are you doing Very well? Sometime we're going to talk a lot about all the exciting things that are happening in Australia, but today we're going to take a little more of a focus on what's happening in the US to provide some context to something that we think is super important, and that's to be clear, data quality. And we look at data quality as a social and economic concern, while there are multiple mechanisms for individual enterprises to attempt to manage and protect their data, and we know that hackers find the cracks in those bespoke walls all too often. So we believe the long-term solution requires systemic change and ecosystem build, if you will, to how we conduct data sharing, security and government. And in this discussion, technology is not essential. We're far from it. We're interested in how the upcode to use Scott Shapiro's single word to describe the rules and procedures that govern tech behavior. We're really interested in how the upcode is developed and guides how we, in this case, manage the task of. We're really going to be talking a lot about identification online today, and I use that that last verb, govern intentionally, because we believe that government at all levels has a major role to play. Why? Well, let's focus on one use case for data quality identification online. Knowing who we transact with remains challenging, and getting that wrong is costly. Fraud hurts. The day we leave risk management up to the party with something to lose. Called the relying party is the party that owns the risk, and we are all relying parties. Each of us performs the risk management tasks every day. We may lock our apartment door, our car or use a password manager or not. Those are all individual decisions. Individuals and businesses have all sorts of tools to assess risk and decide whether or not to trust In the world we might want to see. We want to look someone right in the eye. Online, the tools we use are different. Cyber space is still new, risk management tools are evolving and the data isn't very good, and now that we have generative AI, we have the ability to create bullshitted industrial scale at zero cost. It turns out that managing the cost of fraud has many similarities to the cost of pollution, and I'm really going to be interested in our guests today reaction to this particular metaphor Individuals, and often those with the fewest assets to protect. They're a disproportionate burden of impact when defrauded. Today's post-breach nostrum of free data monitoring services how many of those have you gotten over the last 10 years, or 20? They're a thin layer of protection and we can't pretend that fraud doesn't have huge cost to enterprises too. In our last Making Data Better episode, we saw what it took for Heartland payment systems to recover from massive system compromise and, as we've seen over and over with pollution, the marketplace alone, without government influence, has insufficient incentives, imaginations or tools to put forward systemic or network-wide guidance. So that's our premise and viewpoint here at Lockstep. We think government has an important role to play in data quality, and it's a role that governments are just beginning to examine around data quality and in this role in online safety In the real world, government has a huge interest in safety. There's not an airplane in the air that doesn't conform to the FAA's strict certification regulations. 60 years ago, automobile safety was up to the manufacturer, no more. So what could or should governments do about data quality and what would be the impact. So I'm very pleased to say that we're going to examine the role of government. We're delighted to welcome Jeremy Grant, managing director of technology business strategy at Washington DC law firm Venable LLP. Jeremy has long worked on digital identity in the public sector, having been senior executive advisor to the USA's National Strategy for Trusted Identity and Cyberspace Initiative, a key advisor to the FIDO Alliance, which has a huge bit of something to celebrate this year and a leader of the Better Identity Coalition. So with all that preamble, jeremy, welcome to Making Data Better.

Speaker 2:

Thanks Great to be here. Where do we start?

Speaker 1:

So why don't we start with what you're doing? What you're doing now? Tell us about your work and why a law firm is so eager to have an expert in online identity in the practice.

Speaker 2:

Yeah, so the easiest way to describe my role at Venable. So Venable has what, by most measures, is the largest cybersecurity and privacy legal team in the US, and I'm going to say about eight, nine years ago. The chairman of that practice, who actually chairs the whole firm, now came to the conclusion that there's a lot of things that they're often asked to do as attorneys because they're in there as a trusted advisor, usually to the general councils of companies, but also sometimes dealing with product teams or on the security side, if somebody's dealing with incident response. He said there's a lot of things lawyers just don't necessarily know how to do, and so he had the idea of what if we could actually complement this best in class legal team with people who understand security technology strategy, policy, finance that would allow the firm to offer we call our 360 degree approach to service, where, if you're looking to do something, say, in the identity space, where you need help understanding technology, security strategy in terms of what might work, what might not, also liability and regulatory compliance, well, we've got attorneys who are great here. We've got a team that I lead that's really helpful there, and so think of us almost as a boutique consulting firm that just happens to be co-located inside a great law firm that specializes in the same things that we do. It's a little bit of a different model. I'm not sure any other firm has it, at least not at the scale that we have but it's one that works really well for us and for our clients.

Speaker 3:

That makes so much sense. Jeremy, we've got a particular angle that George has already explored, that we're looking at so many of the world's problems through this lens of data and a lot of what you say always resonates with me around data. We had some great conversations just a couple of weeks ago in Carlsbad at the Fido Authenticate Conference. It was great to be out traveling again and good to see you. Definitely. How do you reflect on data quality and its import for cyberspace and risk and everything that you're doing in the law firm?

Speaker 2:

I think it's a great angle you guys are looking at here, in that, beyond identity security or, frankly, anything that's fueling this data-driven economy, so much of the algorithms that we're feeding the systems that we're building are dependent on making sure that you're starting with the right facts, or at least enough of them, that you can start to analyze it properly. And I'll say as much as we'll talk about this a little more today. As much as I'm an advocate of having the government play a bigger role in digital identity, because they're the one nationally recognized authoritative source, even the government has a data quality problem when it comes to identity. I mean, I often point out our Social Security Administration here in the US mistakenly declares, I think, about 5,000 people dead every year, which, if you look at it in the context of there's 330 million Americans, all of whom have a social security number and deceased ones as well and whatnot, you're probably managing maybe twice that many identities in your system. 5,000 is a pretty low error rate. That sounds pretty good when you do the percentages, unless you're one of the 5,000 people who has been declared dead suddenly life now looks like a Monty Python skip, but perhaps a little less funny. So I think it is an issue that underpins things in that the government has a role to play, but at the end of the day, nobody's going to be perfect, and the more we're going to perhaps rely on government systems for certain things, we also need to make sure that the quality is there.

Speaker 3:

So we see a real willingness around the world. Well, not universally, but we see a willingness in the US administration with the Social Security online checking function, and in Australia we've got a document verification service where critical government documents can be checked in real time. So there's a willingness, we think, for government to get into the ecosystem. Would you like to see more done?

Speaker 2:

I think a lot more needs to happen and unfortunately, I would characterize the willingness we've seen within the US government to be in isolated pockets as opposed to, I would say, as a whole of government approach, to sort of bind into the idea that we actually need to play a bigger role here. The Better Identity Polish, in which you mentioned before and is a group I lead, was founded with the premise that we have a hodgepodge of different nationally recognized authoritative credentials issued by a mix of federal, state and local authorities, but their usefulness generally stops in physical application because there aren't digital counterparts. There aren't ways to validate the information there. There's no way for me as an American to ask an agency route that develops for me when I'm trying to prove who I am online, and so we see some isolated things that are out there. For example, when you mentioned, our Social Security administration will validate some appliance, say, for a new credit card. Is there really a Jeremy Grant with this date of birth and SSN who's not dead? Yes, no answer there can be really helpful in preventing synthetic identity fraud, which the Federal Reserve has stated is the fastest growing type of financial crime in the US, but they'll only do that for banks and only for certain types of applications because they were narrowly directed by Congress. Well, you have to do this. Nothing legally precludes them from doing that, say, if I'm applying for government benefits where there's also a big synthetic fraud problem, but the SSA does not do that, and so we actually have this. Really, I don't even know if bifurcated gets into how messed up it is in many ways, where there's little places here and there, where there's pockets of excellence in identity services, but without a holistic approach to define what good looks like and how we get there and ensure that services are available more widely, we actually, I think, are really falling behind a lot of our competitors across the globe.

Speaker 3:

You observe about the physical use of credentials. Typically I get a bit frustrated that it's not just a government problem but there's some tunnel vision with the ISO MDL work, sometimes the mobile driver's license. I've sat in rooms where people are saying wouldn't it be a good idea if this driver's license on the mobile phone was presented or usable online? And it's like their default assumption is this thing is only ever going to be used offline and it's a brand new idea that you would use a digital driver's license online. I just think it's a slow rate of thinking sometimes.

Speaker 2:

I would argue with what's happening in the MDL world. We've got things absolutely upside down in that the ability to use an app on my phone to go through an airport security checkpoint or to get a beer at a bar that's a nice to have, Makes things maybe a little more efficient, or if I leave my wallet behind while I've got a backup on my phone, but it doesn't really solve any pressing problems.

Speaker 3:

It is not transformative.

Speaker 2:

And meanwhile in the US and I think globally as well but I can certainly quote some of the US numbers we have an absolute epidemic of identity related cyber crime that is costing the country hundreds of billions of dollars. I mean just to quantify those numbers. Fincen, the Treasury Department's Financial Crimes Enforcement Network, recently announced that they did an analysis of all of the so banks file something called suspicious activity reports with FinCEN. When they see an evidence of, hey, this is likely, suspicious, likely financial crime, we're going to continue the 2021 reports that were filed. $212 billion of transactions that were filed in those reports tied to compromised identity. Moving to public benefits tracking fraud, during the pandemic, when our government pumped a lot of money into new benefits systems to aid people who were suddenly out of work, the GAO, which is the investigative arm of the US Congress, estimated between $100 and $135 billion loss. So let's take the low point of that, $100 on top of the $212 billion, that's over $300 billion just in two sectors, and that doesn't even start to scratch the surface of what's going on in other places. Much of this crime is because it is really easy to defeat the systems that agencies and private sector organizations have in place today to try and verify who's who online. We're still, in many places, clinging to this outdated idea that because I know five things about you, that means I must be you and so I can open an account in your name and assume your identity. And it's, I would say, a little frustrating that it has taken so long for the government and I would say, industry writ large as well to sort of recognize this stuff doesn't work anymore, and when we have a national problem and it's costing Americans and American businesses and government agencies and others a lot of money and we need to actually have a strategic approach to solve it, that is definitely missing right now in the US. Today Will sit.

Speaker 1:

Jeremy, we were all at Tvito authenticate and we are so happy to see that. Past keys, this replacement for passwords. We're shifting from plain text to device assisted presentation Super exciting, right. We'd love to see similar treatment to the credentials that we use, those, those other four other five things you were just talking about. Where there's some chain of custody, the provenance of that data can be assured through devices assisted presentation. Have you seen any discussion about that kind of thing?

Speaker 2:

Well, I think mobile driver's licenses are going to get there. I mean, to Steve's point, they're focusing largely on the in person use cases, but they are also working on a complimentary set of standards to support, you know, what I would call online presentation of my credentials. So, look, we've been at this a long time. The technology is not actually that hard. It's not very difficult to, you know, be able to have digitally signed credentials stored and protected hardware on this device tied back to the state. You know DMV that issues the credentials say it's a mobile driver's license that I can then use, so that the experience when I am looking to prove who I am goes from answer these five questions tied to your credit report. Or, hey, take a picture of your ID and a selfie and enter a bunch of other information to. In about five seconds, you launch your app that says hey, this bank or this agency is looking to know these four things about you, or these seven things, depending on how many validated attributes they need. Are you okay sharing it with them? Sure, and at that point this device then transmits digitally signed data that the reliant party can validate. I mean, this isn't rocket science. This is pretty easy stuff, but it does require-.

Speaker 1:

That's the down code. The up code is the government orientation towards the problem.

Speaker 2:

And the government has to decide collectively that. You know they give a crap to actually look to digitize this stuff, which I think is really where in the US we have been. Look, there are a lot of pockets of great people in different agencies right now, as well as in the States, looking to drive this forward, but most of them, in my view, are often an island. They're, you know, trying to drive stuff forward with the authorities and the budgets they have, which is not very significant, and there isn't any prioritization of this at a national level to try and guide it and, you know, ensure that as we do this, how do we set a high bar for security and privacy and accessibility and usability? How do we define? You know, as I said before, what good looks like and how to get there, or what bad looks like, and you know what are the risks to avoid. So it's not all bleak. In that, I feel like we're making some progress. My concern is that at the current pace, it's going to take us 15 or 20 years to solve this problem and I don't think we have that long, particularly as we're seeing new, you know, attacks powered by generative AI that make some of the old ID spoofing attacks look, you know, very unsophisticated in comparison. One of the points I've made is we rely on things you know, like biometrics, for example, the selfie match tool. You know we're nearing a point, as AI gets more sophisticated and our adversaries start to use it, where we can't trust any face or voice or video. So, and there's a lot of things I look at as a practitioner in the identity space and I say, well God, can we really guard against it? And in some cases we can with, you know, maybe AI-powered liveness detection, but there's going to be a lot of really high quality spoof out there. One thing AI does not know how to defeat is public key cryptography, at least until it gets married to a post quantum computer in 15 years, and then we'll all be bowing down to the machines. Getting back to what you talked about with FIDO and the great things that are happening there in terms of solving authentication, finally getting beyond the password, that's, leveraging public key cryptography, being able to find proof of my identity to some form of public key cryptography, like that digitally signed credential I talked about that I want on my phone, as we're asked more and more to prove that we're human. It's gonna be really essential, I think, to have proof of identity bound to some sort of a thing that the AI is not able to defeat.

Speaker 3:

Yeah, something physical, George, and I often say that this whole problem space boils down to data and metadata, but certainly that's the perspective of the relying party. That's all they've got to look at is data. But the physical aspect that you hit on there, I think, is so important and it's sort of key to FIDO. But AI can't defeat public key cryptography because it can't. You know, no large language model can walk out of the machine and grab hold of your key and enter a pin and take off with it. There's no scalable attack there. That because of the beauty of the hardware and the public key cryptography. You make such a good point. I just love hearing you say that, Jeremy.

Speaker 2:

To be clear, pki offers a lot of headaches as well. It's not that I want to say that it's the easy solution, but again, this is where I mean certainly some of the discussions I have with you know, I would say national security officials who are thinking about this, and how do we start to get ahead of, you know, what could be a wave of scams and cyber crime that you know sort of puts the shame some of what we have seen to date and I don't mean to be sensationalist, I'm just it's not too hard to sort of see where this could be going or where some of it already is in terms of the trends. Well, you know, how do we actually start to decide that this is actually a priority? How do we decide this is something we really care about? To me, this is the sort of thing as you see these threats on the horizon on top of what's already a very significant identity related cyber crime problem that's largely benefiting hostile nation states and organized criminals. It's not like anybody nice is taking this, who we want to have our data or our money, but as you sort of see the types of attacks that are on the horizon, to me, this is the sort of thing where you would like to see your leaders acknowledging the threat and coming up with a strategy to proactively deal with it, and we've been advocating for a lot of that within the coalition. I would say there are a lot of people in the Biden administration and Congress who get it, but not necessarily enough to make something happen at this point.

Speaker 1:

And would you say, Jeremy, that one of the challenges of democracy is that we have administrations that turn over on a periodic basis and then focus changes based on that?

Speaker 2:

I mean, sometimes change is good, right. So you know I, you know. So, look, I've worked in Democratic politics a little over the years. I very famously sent out some fundraising emails during the 2020 campaign that said you can't spell Biden without ID. Because I was very bullish that, after the Trump administration had more or less ignored this issue for four years, that a Biden administration would look to pick up on the leadership shown by the Obama Biden administration, which, not to say that NSDIC was the be all, end all, but this was, you know. At least there was a strategy and a vision for how to move forward and it came out of the White House. Yes, and instead there has unfortunately been nothing. The efforts to date from the administration have largely focused on trying to address identity fraud and government benefits, which is a very small subset of the problem, and I think there's a challenge and you know we've made this point and there are those who get it but some who don't which is it is the same organized criminals and hostile nation states taking advantage of the same two, three and a before deficiencies in digital identity infrastructure and it really is infrastructure, if you think about it properly to steal not only from government but from banks and health and retail and fintech and cryptocurrency exchanges. It's all the same stuff. It's compromised passwords or compromised MFA, it's synthetic identity fraud. It's hey, I know the five things about you so I can be you and take over, set up accounts in your name. None of this is overly sophisticated. In fact, the reason we see so much of it is the attacks have become scalable. But if you just try to treat this as an issue around government benefits, you're gonna fail In that. Solving the government benefits issue doesn't mean you build new infrastructure for government benefits. It means you build infrastructure that can work in every one of those verticals and then government consumes it and it's also a much better experience at that point for Americans who look at to get those services.

Speaker 1:

So that requires a government agency who has been issuing credentials for legibility purposes between the agency and its users, the citizens, to really rethink the utility of that account number that they created. What's it gonna take to get agencies? What do you think is the right approach to convince agency leadership that, hey, there's a bigger use for the credentials we already have?

Speaker 2:

If you leave it to the agency heads who are in charge of issuing driver's licenses or state IDs or passports or social security numbers, which are not really credential, but at least an identifier, to figure out which George Peebo you are, you're not gonna get too far. This, honestly, isn't their job, or at least they don't realize it's their job. Yet and I mean as an example, the driver's license bureaus for years, when they had these discussions about identity, would say with a totally straight face we are not in the identity business. You see what I mean? Say, we issue you a card that says that you are authorized to operate a motor vehicle driver's license. The fact that other agencies and private sector entities like to use that as proof of identity is mildly interesting, but that's not what we're here for. We're here to say you can operate a motor vehicle Now. Congress then in 2005 passed with some controversy to the Real ID Act, which forced federal standards onto the states. That kind of made it their problem. Even then, it took a while for a lot of them to sort of recognize. I think what you're seeing now is some states are waking up and saying this is a dumb argument. Of course we're in the identity business, and why don't we recognize that and then take a step back and think about what does that mean in terms of what our role should be? So I do think that you're now seeing a lot of DMVs who are taking a more modern approach to things, but it is taken, I mean, I would say, over 20 years for this conversation to happen, and even now you will still have some states who are looking very much to just keep doing what they've been doing. This is why we've tried to focus our policy blueprints one for the federal level and one for the state level and the Better Identity Coalition on state legislatures, governor's offices at the federal level, congress and the president and his administration. I mean, you shouldn't necessarily expect change to come from within, but you can have those bodies that actually supervise agencies in the credential issuing business and that maybe have the ability to think a little more strategically about this. They can change things too, and we think that's really where the discussions need to go, as opposed to beating up a DMV director that they just don't get the vision of the future.

Speaker 1:

Got it.

Speaker 3:

Well, one of the powerful things we think about the better idea agenda the initiatives are incremental. That's not to downplay the enormous impact of those incremental changes. But to us, the important thing and we've learned this the hard way for many years that when you come up with a radical new digital vision for people and you change the meaning of business rules or you take the rug underneath people's feet about how they deal with risk, they can't cope with that. I think there's five initiatives in your Better ID Coalition agenda and they're all incremental. They're things like stopping so stupid with the social security number.

Speaker 2:

Stop pretending that it's an authenticator. It's not a secret. It's great as an identifier, not very open.

Speaker 3:

We think that preserving or conserving the meaning of data and the processes behind the data is probably important so that we don't scare the horses and people are still comfortable in their own agency missions. But we've got to make that data better when it winds up in people's hands and it's less vulnerable to replay and et cetera. I like one of the things you said at Identiverse, I think, jeremy. I don't know why you called it a uniquely American approach, but maybe that was marketing. But I love the way that you said why don't we take these ideas that we have now and make them presentable digitally? Have I got that right?

Speaker 2:

Yeah, that's pretty much the thesis and I will say I mean here's why I think a uniquely American approach is needed is for years I mean certainly when I was running the NSTIC program for the Obama administration we would talk about what we were trying to do with the identity ecosystem and partnering with the private sector. You know, if I had a nickel every time somebody in the audience said, but what about the Estonians? Or but what about the Indians? I'd probably have about $8, which mean that wouldn't be rich. But it's got asked a lot and you know, like the point I made for example, look, india, for example I think it's just safe to say as an example with central match biometrics, would never fly politically in the US. Estonia is really interesting in that I mean, look, they've done some wonderful things for government services with their smart card program. But I also point out that Estonia is a country with a population that is less than that of Fairfax County, virginia, the suburb just across, you know, the river here in Northern Virginia, and it's actually a lot less diverse than Fairfax County. And also, fairfax County is not motivated by an existential threat immediately to its east because, you know a big driver for the big investment in digital government that the Estonians made when they became an independent country again was they're worried about when the Russians come in, and to them it's a matter, as we've seen with Ukraine, of you know if and not when, or at least that's how they're thinking, and they want to be able to run a government in exile which is a really great driver for issuing, you know, very robust smart cards to people, but a little different from the stuff we're working with in the US. So, look, the US has never had a national ID. The idea of one, I think, is triggers a lot of negativity on both the left and the right. People aren't comfortable with it, and so one of the things we thought about doing when we were creating the policy blueprint was to say what can we suggest? That's a little bit different, because too many times in the US, you get into maybe three minutes into the digital identity conversation and Estonia or India derail it. Yep, and how could we change the thinking to actually say here's another way we could do stuff? And so I think the best compliment I ever got on it was from Congressman Bill Foster, who spoke at an identity verse back in 2019, I believe, in Washington DC, right, and he said what I like about this blueprint. This was in his keynote, so I think it's fine if I quote him here what I like about this. I've been looking at this issue for a long time, and this is the only organization that's come up with an approach that's both technologically feasible, could solve the problem, and it's also politically feasible. It's not going to trigger people to take to the hills with their guns in protest, because we're not talking about creating any new identity systems whatsoever. We're just talking about coming up with digital counterparts and attribute validation services that are based off the systems we already have today, and I think what we have found politically in conversations with folks on all sides of the political spectrum is when you explain that, they kind of go oh, that doesn't sound so controversial, exactly.

Speaker 3:

It's incremental, it's safe. So we're seeing the same thing in Australia after about 12 years and three different rounds of draft legislation. The latest installment has dropped about two months ago and it's called the Digital ID Bill and I read it twice before I realized that the phrase digital identity doesn't appear, and I think it's a significant pivot to go from digital identity to digital ID. I think that ID is a safer term but, more importantly, it's not a new thing, and our digital minister it happens to be the minister for finance his ownership of this bill and she's been very strong and articulate for some time that a new digital identity is not on the cards, let alone a national ID, because we share the same allergy down under as you do in the states for a new national ID. But it's not needed At Lockstep. We think what's needed is to make the data better and make it useless to criminals. But this new digital ID legislation sets up a governance framework within which you can demonstrate the fact that you have a set of IDs driver's license, birth certificates. It's the normal vocabulary or the normal grammar of identification, but made digital. I don't think there's anything scary in that.

Speaker 2:

It shouldn't be to most people. I also think it's interesting. When we launched the N-Stick in 2011, we were very careful to say this is not a government-sponsored digital identity. It's all voluntary and all be driven by the private sector, because we were really trying to avoid triggering any of those emotions or different political groups and not to say that we didn't envision that the government might have some role in this. But there was an aspect of it where I think, in retrospect, we maybe were overlooking the elephant in the room which is, at the end of the day, the government's where the data is. The government's the only authoritative issuer. We've got a bunch of private sector systems that are trying to guess who's who. Some are decent at it, but let's not. Let's not be afraid to talk about why government's playing a more direct role is important. With that, I think we've also seen, in the 12 years since that strategy was first published, I think another generation has come into the digital age where, look, in 2011, we wouldn't have smartphones. I mean, a few people did, but it was still a pretty new thing. I had a flip phone when I went into government at the time but the idea of having these things that are very powerful and people are used to using as a remote control to their lives, and also just the fact that you're asked so many times each year to prove who you are to do something. People are tired of it. The idea of something as simple as I mean gosh. Again 2011, most people didn't have smartphones. Now we're carrying everything else on our phone. Why wouldn't you have your ID in it? People get this in a way that I don't think they would have a dozen years ago.

Speaker 1:

Yeah, we'll sit. What haven't we asked you, Jeremy?

Speaker 2:

Happy to talk about what's going on. We've got a, there's a legislation the Improving Digital Identity Act which we keep trying to drive forward or try to get the White House to do something based on it. We do point out you don't need a bill to actually tell the White House to launch an initiative to try and close this gap between physical and digital credentials. That's optimistic conversations with some folks in the House and Senate this last week, but I've also learned there's 10 steps to get a bill passed into law. You can get to nine and then somebody pops up and blocks you on number 10. And so it is a challenge that we still have, I think, to drive progress. Likewise, the White House had a really great section on digital identity and their national cyber strategy in March of this past year. When the implementation plan came out, we were all excited to see what they were going to do next. They skipped right over it, as if it was never in there, which I will say. There is disagreement in different parts of the White House in terms of whether they should do something, in how, and so I think there's some work that needs to be done to overcome some of those concerns as well.

Speaker 3:

I'd like to say watch this space in Australia. Sometimes the five major Anglophone countries take it in turns to try something innovative in cybersecurity and I think that perhaps we're going to see a really modest way forward and maybe a model coming out of Australia. We'll see what happens. We're supposed to have a legislation developed and passed by June of next year, but there'll be quite a lot of governance to put in place in the meantime. It'll look like some of that mature governance that we've got in our open banking system here and we'll build on that.

Speaker 2:

I'm rooting for you here and that we need more good examples of how to do this in a way that works and that candidly gets people worried that if we don't have something similar in the US, we're going to be falling behind. A point we keep making in our discussions with policymakers is that doing nothing is also an active policy choice. Indeed, you can look at do we pass this bill or not? That's often what the question is. A no vote means you're going to do nothing. You're going to preserve the status quo, which, in some cases, in some policies, is the right thing to do, but here, every year that we decide to do nothing means it's another year that we're falling further behind our peers like Australia that are leading on this, not to mention in the European Union and other countries across the globe. It means that the identity related attacks that we see in cyberspace get more sophisticated and we don't have a strategy. So doing nothing, even if you don't love the options, it's not a particularly good answer at this point, you know.

Speaker 1:

Jeremy, I come from the payments industry and we noticed after chip cards were deployed in the UK and Europe around the rest of the world that fraud was migrating happily to the US because we were only a magstripe country at the time. I told the story today, getting the same effect right now, with fraudsters who are seeing us as more vulnerable and, of course, a massive target, this is a story today to a room full of congressional staff.

Speaker 2:

I said in 2011, mastercard, at the conference I was at, revealed a stunning number, which is that the US accounted for 25% of all global transactions, but 50% of all payments card fraud, which meant we had an eight times higher fraud rate than the rest of the world, solely because we were stuck on magstripes while the rest of the world had moved to secure chip. And it was only after the target breach happened in 2013 that it was bad enough. Enough money was lost. The damage was bad enough that the banks and the retailers finally said we're going to move to chip. And I feel like we're at a very similar point right now when it comes to digital identity, in that, as other countries are moving ahead, we are going to be the last one standing hanging on to our old, archaic plastic cards and legacy systems trying to guess who's who, and we're going to be that eight times higher fraud rate again, if not more.

Speaker 3:

The one thing that gives me some pause is that on my last trip to the US and I don't travel that often anymore, but I was delighted to see how many average retailers were accepting my Apple Pay. Even use Apple Pay on the San Francisco subway. Now, if you can click to pay, then you should be able to click or tap to present, and we think that maybe the US has got this ability to in fact leapfrog. Now that there's a increasingly a social acceptance of using this smart technology to send ones and zeros that relate to your payments, well, why not use the same technology to send ones and zeros that relate to your driver's license, your real ID, your birth certificate?

Speaker 2:

I mean, it's no coincidence that in a lot of the companies that are driving digital identity solutions, it's the same team that's working on payments right now. The tech platforms, this is integrated. I mean they really see them as very complimentary to each other.

Speaker 1:

I'll be a little bit grumpy in that in the payments industry, there's revenue associated with each transaction for multiple parties, and when we're talking about digital ID and security in general, it's a cost. So I'm hoping that there's a world where, just like, the FAA will move the aviation industry instantly if it decides to put a rule in place. Do you think, jeremy, we're going to need that kind of rulemaking to start to address this? And that's not such an incremental change, that's a fundamentally I mean it's hard to say Look part of it.

Speaker 2:

I think, at least in terms of solving identity, is a lot of it gets back to government doing something itself, as opposed to trying to force industry through regulation. I think there's an interesting discussion around. I mean, more broadly, what's been going on in the cybersecurity space, where we've been in at least a 15 years argument over do we regulate critical infrastructure here or not, to mandate things like phishing resistance and multi-factor authentication versus just using passwords? And on that side I will say anytime you talk about regulating one, you've got one party that just doesn't like the idea right from the start. But also, how do I say this In aviation, the thing that's going to make a plane crash today is probably the same thing that was going to make it crash 10 years ago, and in 10 years we're now probably not a lot's going to change. You'll see some changes around the edges In security. Technology is changing constantly, threats changing constantly, and so I would say the anti-regulatory crowd does have a good point, which is that if you get too prescriptive, you may find yourself pointing to a bunch of compliance crap that's out of date. I mean, we see this all the time when I mean heck. The SEC just filed a lawsuit against SolarWinds this week, holding their CISO legally accountable, because they claim they had better password policies than they actually did. And my first reaction on that was password policies. What gives a crap about password policies in this decade? Like you can have a 30-character password and it'll still get fished. I mean, we're fighting the last war too many times, so I'll just offer that up as a cautionary note Every time we think forcing action. You really have to craft those things deliberately.

Speaker 1:

Well, Jeremy, I think we need to leave it there. Terrific having you on making data better. Really appreciate it.

Speaker 2:

Thank you for the invite. This was a pleasure.

Speaker 3:

Well, that was cool. That was very good. If we're reflecting on what he had to say, I mean, I think he nailed it. You see the same pattern, don't you? Time and time again? Benefits fraud, payments fraud. He talked about synthetic identity. You and I are talking about data generally. Jeremy raised faces and videos for selfie matching. You don't know if any of that stuff's true. So it's all about provenance, isn't it? I mean, he said the same pattern is occurring all the time. Let's not just pick on social benefits fraud. If you could reuse those patterns, what do you need to know? How are you going to know that the data is true? And it seems to me that time and time again, we're seeing the same thing. How do you distribute the meaning of data so that you can tell what's in front of you is true or not?

Speaker 1:

We have a lot of work to do.

Speaker 3:

Yeah, we do. We've got a lot of stories to tell and if we can make those stories simple and not triggering I love the way that he was conscious of not triggering people with digital transformation I think that that's the trick.

Speaker 1:

Well, I think, yeah, among other things, we ought to be encouraging folks to look at the Better Identity Coalition and their policy papers. We'll put that in the show notes. All right, we'll see. Thanks, very much Glad that we're doing this again. It's been a pleasure to talk to you.

Speaker 3:

Good stuff, George Prepare for another Desmond Show generation.

Government's Role in Data Quality
Government Action
Addressing Identity Fraud and Government Benefits
Digital Identity and Government Services
Importance of Cybersecurity and Digital Identity