ISMG Editors: The 'New Frontier' of AI and Identity Security
Identity Security Expert Jeremy Grant Discusses Challenges, Innovations and Trends
Anna Delaney • February 23, 2024
In the latest weekly update, Jeremy Grant of Venable LLP joins editors at Information Security Media Group to discuss the state of secure identity in 2024, the challenges in developing next-generation remote ID proofing systems, and the potential role generative AI can play in both compromising and protecting identities.
The panelists - Grant, managing director, technology business strategy at Venable; Anna Delaney, director of productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; and Tom Field, senior vice president, editorial - discussed:
- The "new frontier" of generative AI-based threats and deepfakes - and emerging solutions for protecting identities;
- The ongoing challenge of advancing next-generation remote ID proofing systems;
- The need for better transparency and understanding of data breaches involving stolen identities.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Feb. 9 edition on what CISOs should prepare for in 2024 and the Feb. 16 edition on what happened to the cyberwar in Israel.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney, and today we delve into the state of identity security in 2024, tackling pivotal questions. How does generative AI influence identity and access management, and how do mobile driver's licenses address identity verification challenges? Will social security numbers persist like passwords in the era of passwordless security? Joining us to provide insights into these topics and lead our conversation today is the excellent Jeremy Grant, managing director of technology business strategy at Venable LLP. Also with us are ISMG's Tom Field, senior vice president of Editorial, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Jeremy, let's dive into the questions.
Tom Field: Jeremy, you and I have had this conversation for years, at the start of the year, and here we are. We've got all the year-end reports for 2023, and the year-beginning reports for 2024. My perennial question is: what is the state of secure identity here in the first part of 2024?
Jeremy Grant: Not awesome. Though in pockets, we're making good progress. As the numbers are coming out over the last couple of years, and we're seeing some new information come from different authoritative sources in the U.S. government tracking where we're seeing identity theft and identity-related cybercrime, things continue to get worse each year. The Identity Theft Resource Center recently released their annual data breach report at an event that we put together with them and the Better Identity Coalition and the FIDO Alliance at a policy forum last month. This is the worst year in terms of breaches and incidents of identity theft. FinCEN, the Treasury Department's Financial Crimes Enforcement Network, released a new study. They did an analysis of all the suspicious activity reports, the things that banks report to them where they think something is improper in the financial system with how it's been used. Over $212 billion in transactions in one year were tied to some sort of compromise of identity. We continue to see incident after incident. Somebody said recently, "You don't necessarily hack in, you log in with a compromised credential," or you spoof somebody's identity to pretend to be them to open up an account someplace, and that's where the majority of cybercrime is happening. However, we're making good progress at least on the authentication side of that. How do we start to move beyond passwords and some legacy forms of multi-factor authentication and get to true passwordless authentication that's both more secure and easier to use? A lot of things are happening in the FIDO ecosystem with passkeys, and I think we're going to see a lot more adoption this year. I'm a little bit bullish there; it's the identity proofing side where I'm increasingly worried that we're falling behind where the attacks are, and that things are about to get much worse.
Field: Jeremy, I'd be remiss if I didn't bring AI into the conversation, and I know it's still early days for generative AI; we're getting through a hype cycle now. How do you see generative AI being used to, one, attack identity and, two, protect it?
Grant: Well, this is a good follow-up on my last point, which is "things are about to get worse." The commoditization of tools that can create very convincing deepfakes, be it voice, photo or video. In the last year, it's been a sea change in terms of the tools that are available to attackers, and we are already seeing adversaries exploit those. There was a story a few weeks ago: somebody - in what would have normally been a business email compromise attack - used video deepfakes to fool somebody into wiring over $25 million to criminals. They thought it was all direction from their executive team. That's major crime, not a scalable attack, very sophisticated; however, in tools that we use today to prove that we're a real human online, and that we're a particular human - with photos, voices or videos - we're already seeing how what would have been a very sophisticated attack - if not impossible - a few years ago is now becoming quite easy. I'm not sure that we are fully prepared for the new advanced attacks on biometric systems and other things that we'll be seeing. This is an area where liveness detection is going to become much more important. On that note, AI can also help protect. Whether it's AI-powered systems that can monitor for anomalies, in terms of are you seeing something unusual? Can you actually tell if it's really a live person who's presenting a photo or a fingerprint on the other end of a transaction, or something that's been spoofed? That's going to become much more important. There are certainly some good tools on the AI side that can also power defenses, but it's a bit of a new frontier right now, when it comes to attacks.
Mathew Schwartz: This won't be news to you, Jeremy, that the Better Identity Coalition recently issued its five-year review. If we're looking at it from an elementary school teacher's perspective, these are not grades that you'd want to take home with you. One of the challenges that I thought was fascinating is developing next-generation remote ID proofing and verification systems. However, this seems to be something that we're going to need; I wish we already had it, but it's such a challenge for the U.S. Has anybody got this right yet? Are there any signs of potential awesomeness that you see on this front?
Grant: There's some signs sometimes of potential awesomeness. As background, the Better Identity Coalition is an industry group that I run that's focused on what I would call the policy layer of identity. Not looking at technology or standards, but more, what are the things that government needs to do in terms of advancing policies, regulations and initiatives to try and address, among other things, some of these threats that we've been seeing over the years? Our original policy blueprint was published in 2018. Then we did an update of it that we released last month, which, as you pointed out, had a report card. On this topic of what is the government actually doing to prioritize better remote identity proofing systems? We gave them a D. It gave me no pleasure to be doing that. In fact, it's a little upsetting, I think, that we're at this point. But, between two successive administrations - the Trump and Biden administrations - that have declined to act on this - not to say there aren't people within both who seem to get the issue, but that doesn't necessarily translate into action, or coordinated activity. There's been legislation pending in Congress that's come close to getting over the finish line that would prompt the executive branch to act. Again, however, we have a couple of people who have blocked it, when you get down to the year-end deals involved, where you know, big bills tend to pass. It's a challenge for the U.S. That's not to say there's no activity; there's a handful of states piloting mobile driver's licenses, a couple of small projects that NIST is leading to try and advance some of the remote identity proofing applications of them. However, we're talking two or three people spending a third of their time in an agency with no resources. There are bright spots. In Europe, they have a major European Commission initiative to create portable digital wallets with identity at the center of them for every European.
In the U.K., they're advancing legislation around a digital identity and attributes trust framework. Canada, Australia, New Zealand, Singapore, a lot of Latin America, and a lot of countries are taking this issue seriously and making it a priority. They're all approaching it a little differently, which I think does make sense because identity can be very local, and the values that you want to build into a system might vary from country to country. However, there's a bigger question, which is, the longer the U.S. lags here, what does it do to make us in the U.S. a bigger target for identity-related attacks? Other countries are hardening identity infrastructure, and we're ignoring it? What does it do over time to our economic competitiveness as well, when it comes to digital transactions? It's not too late for the U.S., but we should get moving soon, and take this a little bit more seriously.
Schwartz: Speaking as an American, the driver's license is a critical part of identity. If you ever need to attest who you are, you think driver's license, and you mentioned mobile driver's licenses being developed by some states. I know there's an immense backstory here in terms of deadlines and missed deadlines. Do you think that mobile driver's licenses will be what does give us this ability to remotely ID proof and verify people? Or do you think it's going to end up being some complementary solution? Or is the jury out on how this all unfolds?
Grant: I'm bullish on the concept of mobile driver's licenses. The way that they're being implemented to date is, from my perspective, missing the mark in terms of priorities. There's a ton of potential there, but this is getting back to why we gave the government collectively a D on this topic. There needs to be a lot more activity to prioritize the right use cases, and also take a step back to define what "good" would look like in a system of digital identity in the U.S. and how we get there, setting a high bar for security and privacy and user control, and making sure we don't inadvertently build stuff into architectures that leads us down to a bit of a darker place. I testified in front of Congress. There was a hearing in the House Homeland Security Committee in early December on this topic that was focusing in on the role of our Transportation Security Administration, the guys who run the airport checkpoints, in driving MDLs. It's interesting because TSA has been given authority to update the regulations around an old law we have in the U.S. called the Real ID Act that prescribes standards around driver's licenses in the physical world and to do things in the digital space. The main thrust of my testimony was, TSA is doing an admirable job focusing on the use cases that they care about, getting people through a checkpoint, but that's just starting to scrape the surface. In this transition to digital identity from physical, TSA has been left off on an island. It's kind of absurd. There are two use cases when it comes to mobile driver's licenses: there's the in-person use cases, like going through a security checkpoint at an airport or getting a beer at a bar. From my perspective, being able to carry my ID in my phone would be cool.
However, when you look into the online world, where I mentioned before FinCEN documenting hundreds of billions of dollars in suspicious activity, and government benefits, where we've seen over $100 billion in pandemic fraud that had been documented tied to identity proofing spoofing, and the stories we see week to week in places like ISMG's publications around how exploits of identity proofing are being used for all sorts of nefarious purposes, we have the priorities upside down. We've got a crisis here on the online side, and we're focusing on these flash passes first. That can be digital, but we should be flipping the priorities. We should have flipped it several years ago. All that said, work is progressing slowly on standards. For those online use cases, I'm bullish on it being the solution in the U.S., in that the U.S. is not going to have a national ID for a whole bunch of reasons anytime soon, if ever, but the driver's license kind of functions - along with state ID cards for people who don't drive - as a de facto national ID in the physical world. It's the one place where most adult Americans go to a state office and prove who they are, and then they get a relatively robust credential. That's the logical starting point if you want to think about how to address deficiencies in digital identity infrastructure: to come up with digital counterparts to credentials like the driver's license and the state ID card. Over time, it'll become important. We're not focused right now in the way that we should be in terms of how to prioritize that in the way that other countries are. On one of the points you asked, are they going to be the only approach or complementary, I do think you're going to continue to see them be one offering in a broader ecosystem, in that not all Americans are going to be comfortable using the government credential in the digital world. You're going to continue to see a lot of industry solutions as well.
You'll have a vibrant ecosystem where everybody's got a choice if they want to use one of these mobile driver's licenses, but it's not going to be the only solution in the marketplace, you'll probably see people going down using a variety of different tools in the future.
Delaney: From mobile driver's licenses to social security numbers. Jeremy, security experts have long warned against using social security numbers as identifiers and authenticators, and we've seen some progress. Progress has been made, with the Better Identity Coalition noting improvements. Over 20 laws, however, still mandate their use. What will their future be? Do you see them lingering like passwords, even as passwordless security emerges?
Grant: This gets to a core issue we flagged in the coalition's original report five years ago, keeping in mind that the origins of this were a massive breach with a big credit bureau in late 2017, over 140 million social security numbers stolen, and you were seeing proposals from policymakers that we should replace the SSN with something new, we should ban the credit bureaus from using it for any identification purpose. Sounded great in the wake of the headlines, because all these things got breached. What are we talking about here? A point that we made in our original policy blueprint that I think has actually helped change the conversation a lot is when you're talking about the SSN, it is not one thing, it's two. It's an identifier to try and figure out which Jeremy Grant or which Mathew Schwartz it is. About 300 Jeremy Grants are in the U.S., only one has my SSN; that's an identifier, and that's an essential thing that every society needs. When somebody claims to be somebody and they're applying for credit, or a government service, or something else, where you need to vet them, you can quickly resolve which of these persons with this name you're talking about. We should always preserve the SSN as an identifier, in that you need an identifier, and it's the least bad solution that's out there. Where we've gotten silly over the years is pretending that this number is a secret, and that nobody will ever find it out if you just keep it locked up and are very careful who you give it to, and we started using the SSN as an authenticator. I've been pointing it out for a while: if you call your bank, and they say, "Anna, what's the last four of your social security number?" The only logical response these days is to say, "Don't you realize that the Russians have that, and the Chinese have that, and about 87 well-organized criminal gangs have it, and any mediocre 17-year-old hacker can get it on the dark web for 63 cents." These things stopped being secret a long time ago.
However, we have this problem in cybersecurity: we're always fighting the last war rather than looking to where the attacks have shifted. Whether it's in passwords, where we advise people to have a strong, unique password, and change it every three months. That doesn't work these days because even with that strong password, you'll probably fall for a phishing attack and put it in. Getting to passwordless is where we need to go. On the social security number side, devalue it, stop pretending it's a secret. We worked with some members of Congress to put a bill together that said, in 10 years, the SSA will publish the equivalent of a phonebook of everybody's name and social security number for the sole purpose of making clear that this is not secret information. You should never build or architect the system around the idea that there's any security value to this, because every American has had their SSN breached too many times already. However, identifiers don't have to be a secret. In fact, in a lot of countries, they are publicly known. We're not advocating to publish everybody's SSN, but the introduction of the bill made a point, which is that attackers have moved on, and our defenses need to move on. Let's stop building systems that pretend that knowing your SSN means anything from a security standpoint.
Delaney: Last year, as you said, was the worst year ever. When it comes to data breaches, the U.S. saw a record number of breaches involving stolen identities or weaknesses in identity-focused defenses, yet many affected organizations aren't transparent about what occurred. How can we improve our understanding of these incidents? Do we need better intelligence on breaches? How do we make that happen?
Grant: It's a real challenge, and this is something our friends at the ID Theft Resource Center have flagged the last couple of years: they're able to document more breaches, but companies are releasing less and less about what happened. A lot of that's because they're worried about enforcement actions and lawsuits, and so they're not incented to share. However, you're right: if we don't have a collective picture of how things are happening, and we know the bad things are happening but can't document why or what the attack methods are, it limits the intel we have in terms of trying to understand how attacks are happening, and what we should be preparing for in the future. I don't have a great answer there. You see a lot of focus on information sharing, both with the government as well as with sectors in some of the ISACs, the Information Sharing and Analysis Councils. We're still able to glean a decent amount of information there in terms of where attacks are happening. We've certainly seen in the U.S. agencies like the FBI and CISA constantly publishing alerts of "look, we're seeing signs and detecting this attack vector that's been exploited, and it's a little bit of a twist on perhaps what we saw two years ago, and you should be prepared for that." That information is getting out there, but I would agree that trying to come up with ways to better incent companies that have been victimized by a breach to share more about what happened in a safe harbor, without the threat that that's also going to lead to some sort of enforcement action, would be beneficial. The flip side is we're seeing, for example, with publicly traded companies, new rules from the Securities and Exchange Commission, the SEC, which has been focusing more on holding companies accountable. Those two things are both worthy goals, but also very much at odds with each other in terms of some of the objectives that we're trying to achieve.
Delaney: Insightful and educational as always. Last question, just for fun. If you could create a superhero whose sole mission is to protect people's identities online, what would their name and superpowers be? Tom?
Field: I am calling my hero, MF Agent, Multifactor Agent. He's going to be out there fighting the dark web for us to ensure that kind and good-hearted people are protecting themselves with multiple factors when they log into their various accounts.
Delaney: Wonderful. MF Agent, love it. Mat?
Schwartz: Mine's called The Data Expunger - devoted to truth, justice and data minimization principles, including - as we were just discussing - the ability to eliminate people's personally identifiable information, or PII, from criminal or intelligence agency databases. Unfortunately, this is a fictional character, because this would totally be a fictional superpower. Like Jeremy said, copies of everything important are already circulating at least in triplicate everywhere, so we can dream, right?
Delaney: We can dream! I'm going for Cyber Guardian. My superpowers would include making myself and others invisible, making it nearly impossible for these hackers to identify or track individuals online. However, more importantly, I'd be a cyber empath, so I'd be able to empathize with victims of crime, providing them with emotional support and guidance. Jeremy, what have you got for us?
Grant: I didn't think about this enough beforehand. I'm going to go for a reach. I'm going to go for MDL Mothra Mama, a giant moth woman, who with a flap of her moth wings could basically instantly send a ripple through the space-time continuum that would undo the last 10 years of ineptitude on advancing portable digital identities for people and get a foundation in place that will give everybody something they could carry with them that they could use to protect and secure their information when they need it.
Delaney: Impressive creative thinking there on the spot. Jeremy, thank you so much for your deep insights and time on the panel today. I hope you'll join us again soon. Thanks, Tom and Mat.