(Digital) Identity Crisis: The US Needs a National Strategy for Digital Identity to Enhance Economic Competitiveness and Mitigate Cybersecurity Risks

In 2011, a major payment card network revealed that the US accounted for half the world’s credit card fraud despite accounting for only one-quarter of global credit card transactions – making its fraud rate eight times higher than the rest of the world.  The cause was our continued dependence on magnetic stripes on payment cards while the rest of the world had embraced smart card technology – which protected payments information with a secure chip.  Only after the 2013 breach of retail giant Target did banks and retailers finally agree to migrate from magnetic stripes to chips, enabling America to significantly reduce payment card fraud. 

Today, the US is in a similar place when it comes to digital identity. Every peer country in the world has either created robust digital identity infrastructure or has launched a national initiative to do so.  Most are in response to a global explosion in identity-related cybercrime, making it an imperative for every country to secure its identity systems. 

• The EU is creating a European Digital Identity (EUDI) Wallet that will allow Europeans to store their IDs in smartphone wallets in a way that is secure, privacy-preserving, and easy to use.
• The UK has launched a Digital Identity and Attributes Trust Framework focused on enabling standard-based digital identity solutions that can work across the public and private sector.
• Canada has created a comprehensive Pan-Canadian Trust Framework (developed jointly between the government and the private sector) to accelerate the use of privacy-preserving digital identity solutions.
• Australia has created a National Strategy for Identity Resilience and is advancing legislation to accelerate the creation of state and territory-issued digital credentials.
• India, Taiwan, and Singapore have all invested in robust identity infrastructure. 

To be clear, the US should not look to clone any of these approaches. But we do need to prioritize digital identity and create a distinctly American approach to addressing deficiencies in digital identity infrastructure that aligns with our values. 

That means eschewing controversial ideas such as a national ID, which is not only a political non-starter but would also fail to solve the problem.  Instead, we should embrace a simpler approach that focuses on closing the gap between the nationally recognized, authoritative credentials we have today in the physical world–such as state driver’s licenses and ID cards, passports, and birth certificates–and the lack of any digital counterpart that Americans can use to prove who they are online.

America’s legacy paper-based systems should be modernized around a privacy-protecting, consumer-centric model that allows consumers to ask the government agency that issued a credential to stand behind it in the online world.  In practical terms, this means accelerating the creation of mobile Driver’s Licenses (mDLs) and other digital credentials that allow Americans to effectively replicate the in-person identity proofing process they completed to get a physical ID when they are trying to prove who they are online. 

The US stands alone among its peers in lacking any comprehensive initiative to prioritize robust, privacy-preserving digital identity infrastructure.  The impact of doing nothing is significant.  Much like our refusal to migrate sooner to chip-based payment cards led to Americans being victimized by fraud at eight times the rate of the rest of the world, the absence of robust digital identity infrastructure is leaving Americans exposed to a wave of identity-focused cybercrime.

The impact of inaction is already being felt:

• FinCEN recently revealed that $212 billion in transactions flagged in 2021 Suspicious Activity Reports (SARs) were tied to some form of breakdown in the identity verification process.
• The Government Accountability Office (GAO) reported that between $100-$135 billion in pandemic Unemployment Insurance (UI) benefits was lost to fraud during the pandemic. Funds were stolen both by organized criminals and state-sponsored actors, with compromised identities being used to enable the bulk of the theft.

So many services in health care, government, financial services, and e-commerce depend on knowing who is on the other side of a transaction.  In 2023, the ability to offer high-value transactions and services online is being tested more than ever, due in large part to the challenges of proving identity online and the ease with which our adversaries are able to exploit these challenges. 

The lack of an easy, secure, and reliable way for entities to verify identities of people they are dealing with online creates friction in commerce, leads to increased fraud and theft, degrades privacy, and hinders the availability of many online services.

Among our rivals, China–while certainly not a model for the US to follow–is developing a dystopian digital identity system based on its “social credit” model and aggressively pushing for its architecture to be standardized in the UN’s International Telecommunication Union (ITU). Our lack of a competing vision leaves the US without a formal perspective on what “good” digital identity should look like on the global stage. 

In 2019, DHS designated Identity Management and Associated Trust Services as one of 55 National Critical Functions “so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Despite this designation, identity has gotten scant investment and attention; it is the only one of the 55 National Critical Functions that is not backed by some sort of formal government effort to ensure resilience and drive progress. Each year that passes without a comprehensive initiative to prioritize more robust, privacy-preserving digital identity infrastructure puts Americans at greater risk than the rest of the world and threatens our international competitiveness.

With the rise of artificial intelligence (AI) now enabling new types of attacks on digital identity (such as cheap and highly convincing deepfakes that can fool remote identity verification tools), the security and economic risks are more acute than ever.  It is imperative that the US develop a strategy to ensure we have digital identity infrastructure that can mitigate and stay ahead of these threats. 

By prioritizing digital identity infrastructure, we can prevent costly cybercrime, give businesses and consumers new confidence, improve inclusion, and foster growth and innovation across our economy. 

The views expressed in this article are those of the author and do not reflect either way the views of Venable LLP.