Biden’s cyber strategy must disarm civilian data

President Joe Biden’s cybersecurity agenda is quickly taking shape. Aware of the damage done by the SolarWinds breach last year, the White House moved quickly to prepare an executive order, released May 12, to reform the practices of the agencies that helped allow one of the worst breaches in the history of the United States to occur. The administration has also nominated candidates for key positions and is awaiting Senate confirmation: Chris Inglis for national cyber director and Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency. All signs are that cybersecurity will play a prominent role during the president’s first term.

Despite this, the White House response risks addressing the breach in only one direction: prevention. Executive action so far has focused on sanctioning Russia, but with 18,000 SolarWinds customers potentially compromised, including nine federal agencies and about 100 private sector companies, a trove of civilian data is now in the hands of fraudsters of all stripes. That data can easily be turned into further attacks as long as agencies continue to rely on a weak means of authentication, namely knowledge-based authentication (KBA). If the federal government focuses only on prevention and agencies keep using KBA, fraudsters will use the stolen personally identifiable information to cause further damage. Authentication should rest on several independent factors rather than on identity questions. The White House must disarm the stolen personal information by taking a holistic approach that breaks the cycle of breach and fraud.

Federal agencies continue to identify citizens by asking KBA questions: your mother’s maiden name, the name of a childhood pet, or an address or cell phone number. Anyone with even a cursory knowledge of data privacy in 2021 knows that the answers to these questions are easily obtained by identity thieves, and SolarWinds has just made things a lot easier.

The federal government already recognizes the risks of KBA. The National Institute of Standards and Technology’s own guidelines disavow KBA for digital identity, because “the ease with which an attacker can find the answers to many KBA questions, and the relatively small number of choices available for many of them, make KBA an unacceptable risk of being used successfully by an attacker.” Confidence in KBA has been declining in the private sector for years. “Contact center security needs a makeover,” Javelin Strategy & Research wrote in December 2019. “If one area has strong consumer authentication but another channel has limited resources, criminals will get information where they can first, and then work through the channel that has the most funds available to steal.”

More reliable forms of authentication should be sought and implemented to limit the fraudulent use of exposed personal information. Several alternatives are already in use in the private and public sectors.

Harnessing the power of the consumer device

In the search for an efficient cross-channel multifactor authentication approach, one in which a citizen must present two or more independent factors, agencies can draw on a range of options to build their mix of solutions, from KBA to token-based methods to the newest biometric ones. One notable approach is device-based identity verification, which provides an integrated view of identity and identity reputation by examining data inherent in the device itself. This approach can be used to assess the degree of trust across both digital interactions and voice calls.

For digital applications, device-based identity resolution lets agencies decide not only whether a device has been linked to risky behavior in the past, using device behavioral analysis, but also whether the device is likely in the hands of the person who owns it. These risk decisions combine online, offline and device-based signals, including IP address, browsing and phone activity and the links between digital fingerprints and people or households, and corroborate them against authoritative offline and online consumer data to form a clear link between a device and a physical identity.

For call authentication, agencies can apply deterministic, real-time inspection of incoming calls and the calling devices as a pre-answer alternative to identity questions. Using a hybrid deterministic-probabilistic approach, a system can identify a citizen through telephony network signals, treating the physical calling device as a possession-based authentication token, without asking the caller for any information. Compared with identity-question methods, this pre-answer approach can reduce fraud.

Device-based identity verification solutions bind and maintain persistent identifiers and attributes for people, devices and locations. By harnessing every consumer device as a factor, verification and authentication approaches can not only support omnichannel fraud mitigation but also disarm personal information breached at any scale.
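The preceding paragraphs contrast identity questions with a device held by the citizen acting as a possession factor. The following is an added illustration, not code from the article or from any Neustar product: a hypothetical server that enrolls a symmetric key on a device and then verifies possession by challenge-response, placed beside a plain KBA check. The citizen record, the "breached" copy of it and the account name are constructed for the example; a real deployment would more likely use an asymmetric device key or platform attestation, but the point the page makes holds either way: an attacker who holds every answer from the breach passes KBA and fails the device check.

```python
"""Possession-factor check with a device-bound key, contrasted with KBA.

Added example (hypothetical scheme). Sample data below is constructed:
a citizen record, and an attacker holding a breached copy of that record.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample record and the attacker's breached copy of it.
CITIZEN_RECORD = {
    "account": "jdoe-0001",
    "mother_maiden_name": "smith",
    "childhood_pet": "rex",
    "phone": "202-555-0100",
}
BREACHED_PII = dict(CITIZEN_RECORD)

NONCE_TTL_SECONDS = 60


def verify_kba(record, answers):
    """KBA: anyone who holds the record (e.g. a breach recipient) passes."""
    return all(record.get(k, "").lower() == v.lower() for k, v in answers.items())


class DeviceAuthenticator:
    """Server side of a challenge-response check against a device-bound key.

    The key is provisioned once at enrollment and never sent over the wire.
    The device proves possession by computing an HMAC over a fresh server
    nonce, so a forged or replayed response fails even if the attacker
    holds every piece of the citizen's PII.
    """

    def __init__(self):
        self._device_keys = {}   # account -> enrolled device key
        self._pending = {}       # nonce -> (account, expiry time)
        self._used = set()       # consumed nonces (replay guard)

    def enroll_device(self, account):
        key = secrets.token_bytes(32)
        self._device_keys[account] = key
        return key               # in practice this stays on the device

    def issue_challenge(self, account, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (account, now + NONCE_TTL_SECONDS)
        return nonce

    def verify_response(self, account, nonce, response, now=None):
        now = time.time() if now is None else now
        if nonce in self._used:
            return False         # replayed response
        entry = self._pending.pop(nonce, None)
        if entry is None or entry[0] != account or now > entry[1]:
            return False         # unknown, mismatched or expired nonce
        self._used.add(nonce)
        key = self._device_keys.get(account)
        if key is None:
            return False         # no device enrolled for this account
        expected = hmac.new(key, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def device_sign(device_key, account, nonce):
    """Device side: prove possession of the key without revealing it."""
    return hmac.new(device_key, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()


def demo():
    """Return (kba_attacker_passes, device_legit_passes,
               device_attacker_passes, replay_passes)."""
    account = CITIZEN_RECORD["account"]
    attacker_answers = {
        "mother_maiden_name": BREACHED_PII["mother_maiden_name"],
        "childhood_pet": BREACHED_PII["childhood_pet"],
    }
    kba_attacker_passes = verify_kba(CITIZEN_RECORD, attacker_answers)

    server = DeviceAuthenticator()
    device_key = server.enroll_device(account)

    nonce = server.issue_challenge(account)
    legit_response = device_sign(device_key, account, nonce)
    device_legit_passes = server.verify_response(account, nonce, legit_response)

    # Attacker has all the PII but not the key, so tries a PII-derived guess.
    nonce2 = server.issue_challenge(account)
    guessed_key = hashlib.sha256(BREACHED_PII["phone"].encode()).digest()
    device_attacker_passes = server.verify_response(
        account, nonce2, device_sign(guessed_key, account, nonce2))

    # Replaying the captured legitimate response also fails.
    replay_passes = server.verify_response(account, nonce, legit_response)
    return kba_attacker_passes, device_legit_passes, device_attacker_passes, replay_passes


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The nonce carries an expiry and is consumed on first use, so the same response cannot be presented twice; `hmac.compare_digest` keeps the comparison constant-time. The contrast with `verify_kba` is the page's argument in miniature: the KBA secret is the breached data itself, while the device key is never in the breach.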

There is more to do

Until its release last night, details of the executive order were scarce, and it does not include identity resolution alternatives that can defuse breached PII and hamper the post-breach fraud cycle. Sanctions against Russia may serve national security imperatives, but they also risk papering over the cracks by failing to recognize the glaring gaps that the SolarWinds breach has widened.

Chris Inglis, who is expected to be confirmed as national cyber director in the coming weeks, will need to take a holistic approach if the federal government is to fully recover from an attack of this magnitude. Washington insiders recognized the problem in 2019: a report from the Government Accountability Office found that most of the agencies reviewed said they could not implement NIST’s identity proofing recommendations until the standards agency issued additional guidance on moving away from knowledge-based verification, and that “federal agencies are likely to continue to struggle to strengthen their identity [sic] proofing process.”

The agencies clearly recognize the problems caused by KBA and are asking for help. The SolarWinds breach is an opportunity for Inglis, the president and other stakeholders across government to seize the day and push federal agencies toward identity resolution practices already adopted elsewhere. The SolarWinds breach cannot be undone, but the civilian data it exposed can be disarmed. Only when that is done can the administration really close the chapter on SolarWinds.

Tom McNeal is Vice President of Partner Channel and Public Sector at Neustar.
