All right, let's get started. Welcome to the Center for Global Enterprise Global Scholars Expert Identity in a Digital World. My name is Ira Sager. I am Vice President of Global Learning Initiatives for the Center for Global Enterprise, or CGE. For those of you that are new to CGE and our Global Scholars program, let me explain our mission. CGE is a non-profit research institute focused on the study of global management best practices, the modern corporation, economic integration, and their impact on society. Our Global Scholars program is a worldwide learning community for business-interested students, academic faculty, and business professionals. Through the Global Scholars program we offer online courses and digital internships as well as this and other Expert Connect webinar series. Participation in all our programs and membership is free. You can find out more information about CGE and our activities of the Global Scholars program on our website. Before we start today's program, a few housekeeping notes. We will be recording this program and it will be available on demand from our YouTube channel. We'll leave approximately 15 minutes at the end of the session for audience questions. If you have a question for our panelists at any time during the presentation, you can submit your questions using the Q&A feature at the bottom of your Zoom screen. We'll try to get to all your questions, time permitting. In our last forum we explored India's Aadhaar program, the first and largest digital identity system implemented on a national scale. For today's forum, Better Identity in America, a blueprint for policymakers, we look at the U.S. and efforts by the Better Identity Coalition to help U.S. policymakers and companies shape the next generation of digital identity verification tools. Leading our discussion is Dr. Irving Wladawsky-Berger, a CGE fellow and former IBM Vice President of Technical Strategy and Innovation, who will introduce today's presentation.
Thank you, Ira.
Good morning, good afternoon, good evening, everybody. It is my pleasure to introduce our webinar speaker today, Jeremy Grant. Jeremy is Managing Director of Technology Business Strategy at Venable LLC, which is a company that's very involved in advising all kinds of institutions on the impacts of IT on cybersecurity, identity, payments and related issues. Jeremy has a long history with identity security and privacy, having established the National Program Office for the National Strategy for Trusted Identities in Cyberspace at the U.S. Department of Commerce. And he's the leader of an organization called the Better Identity Alliance, which recently put out a report, which is one of the best reports I have seen on this subject of identity. So it's my pleasure to now give you Jeremy Grant. Jeremy.
Thank you. Good morning, Irving. And thanks, Irving and Ira, and to everybody for taking time to listen to us today. So as Irving mentioned a couple months ago, the Better Identity Coalition, which is the organization started this year, put out a document called Better Identity in America, a blueprint for policymakers. And I'll be talking to you a little bit about why the organization started and what we're calling for today. So for starters, let me give you a bit of background about the coalition. It was launched this past February as an initiative of the Center for Cybersecurity Policy and Law, which is a nonprofit dedicated to promoting education and collaboration with policymakers on policies related to cybersecurity. The focus was to bring together leading firms from different sectors to develop a set of consensus cross-sector policy solutions for the U.S. that can promote the development and adoption of better solutions for identity verification and authentication. So some background in terms of what drove it, and it's actually really timely we're doing this right now in October.
In that last year, the Equifax breaches it was announced really started to give people focusing on the implications of how we do identity, particularly when you had 145 million Social Security numbers that were stolen. One of the concerns with firms like Equifax, because we've leveraged them and their competitors for what people call knowledge-based authentication, a way to do remote proofing of who somebody is online by asking a few questions about themselves as it started to really raise some questions about how we do all of this. And this was not the first time it had been an issue. Two years before the IRS had had a major breach of the same knowledge-based question, where as you can see at the bottom of the screen, it said the hackers already had the answers to the questions. They had the keys. And after Equifax, we had some interesting things happening. Interesting things happened. The White House came out the same day as the former CEO of Equifax that we should replace the Social Security number. There was legislation introduced by Patrick McHenry in the House, who's one of the chief deputy whip, which means he's one of the highest ranking Republicans, that would basically ban the major credit bureaus from using American Social Security numbers for any purpose by 2020, which as far as I could tell would grind our economy to a halt in about 48 hours because nobody could get credit. And so out of that, a lot of different companies started reaching out and saying, it seems like the government wants to do something. Nobody's really quite sure what's going to happen. So the coalition came together when a bunch of companies who are all asking us for an opportunity to actually try and come up with some ideas for what we should do. That was really the start of things.
So today, our members include major financial institutions like JPMorgan Chase, US Bank, Wells Fargo, PNC, Bank of America, Quicken Loans, the largest originator of mortgage loans in the US, major payment card networks like Visa, MasterCard and Discover, FinTech firms like Kabbage and Onfido, Aetna on the healthcare side and vendors, Symantec, IDEMIA and Equifax is actually our newest member who after we published our report said this is actually really good, this does lay out what needs to happen next. So we're now actually with a couple other additions coming in, I think we'll be at 18 members by the end of the year. In terms of framing the challenge, I think anybody who's, you know, followed internet identity for a while will certainly remember this cartoon. You know, 25 years ago, this was cute. On the internet, nobody knows you're a dog. But today not only is it still really where the challenge is, but I think we're actually seeing that it's being weaponized against us. And you know, trying to figure out how to deliver proper identity online is important to a lot of different issues, including security, privacy, delivering great customer experiences, ensuring compliance with different regulations, lowering transaction costs, all of this really wraps up into one big area, which is how do you deliver trust online? And trust is something that's really hard to get right. But identity when done right, believe me, there's a lot of ways to do it wrong. We might talk about some of that today. But when it's done right, it enables trust. Identity becomes the great enabler, providing the foundation for digital transactions and online experiences that are more secure, that are easier to use for consumers, and that can protect people's privacy.
The challenge, as my old agency, NIST, called out a couple years ago, is that digital identity presents a real technical challenge, as the process always involves proofing individuals over an open network, and always involves the authentication of individual subjects over an open network. The processes and technologies that we use to establish and use digital identities offer multiple opportunities for impersonation and other attacks. Now, this has been our approach to date. I think everybody's been asked to come up with a unique security question that you might have to remember for the rest of your life, which, you know, is proving to be really practical, especially when you can't actually remember what the answer to a question was. I don't know about you, sometimes my preferences change. It's especially become an issue when adversaries already know the answer. So the notion, as we'll talk about today, that your Social Security number is actually a secret, and that only you would somehow know the last four digits of it, is quite, to say the least. On the authentication side, this hasn't worked well. I think we've all gone through different experiences where we've been told all the different rules that we need to follow to create a strong password. Let's be clear. Nobody can actually manage this for one password, let alone 20 to 30 or 80 or 120 or however many you have today. Any password that meets this criteria actually isn't that secure. Because the way that attackers get through isn't necessarily to try to crack your password by brute force, but instead they leverage phishing, malware with key loggers, the fact that people reuse passwords across multiple sites, this is where all the bad things happen with passwords. And when you put criteria out like this, it makes your employees and your customers hate you. I think it's safe to say the password is the perfect combination of awful user experience and awful security.
So the cost of outdated identity solutions has been on display. And this is just some of the numbers we highlighted in our reports. Last year in the US, there were 16.7 million victims of identity fraud. It was nearly 17 billion stolen as a result of that fraud. Data breaches were up in the US nearly 45%. There were 179 million records containing personal information that were exposed in these breaches, which was a 389% increase over the previous year. And 69% of breaches were identity theft incidents. And I won't go on through all of these other than to say, there's a real problem that's out there. The other one I would highlight is the top right corner, 81% of our 2016 breaches were ones that exploited identity specifically as an attack vector, generally using weak or stolen passwords. So we've got some real challenges today, we can't just keep saying that this is a matter of inconvenience that people don't like passwords, it's actually costing us real money, and it's causing attacks that are doing real money. So why has this been so hard to solve? Well, one of the things we talk about in our paper is what we refer to as the identity gap, essentially looking at the fact that, you know, taking a step back, a lot of times when we get into this discussion, it develops quickly into somebody saying, well, we should have a national ID, three more people yell at them about it. And, you know, from our perspective, the national ID discussion is not the one to be having. We have a number of nationally recognized authoritative identity systems today. We've got the driver's license, the passport, the Social Security number, I've got a Global Entry card now since I'm overseas too much. Tell them we don't have good systems is that every one of them is trapped in the paper, which means that they don't really work for the kinds of transactions we did today.
So when you've got a question like this, if you were trying to open up a credit card account in the last couple years, this was an attempt to get around the identity gap. The idea was, it will ask you what are in theory out-of-wallet questions that only you would know. And if you can answer a few of them correctly, hey, we have a good idea that's probably with you. Not everybody loved it. But, you know, the flip side was industry needed something to enable trusted digital commerce. And this was about the best idea we had out there. The issue now is attackers have caught up. Out-of-wallet questions aren't as secure as they used to be. I talked before about the IRS data breach where, you know, I didn't talk about it as much, but back in 2015, when they launched the Get Transcript application, about 700,000 Americans had their information breached. Because the questions that they were asking turned out that had made the attackers already had. They weren't as secret as they used to be. And, you know, I think there's a reason for this. So it was late last year, actually, I think we've read a few Thanksgiving, the House Energy and Commerce Committee held a hearing that actually was about to testify at. And they were looking at, you know, what has changed with Equifax and all these other mega breaches over the last few years. And the point that they raised, and I thought it was a good one, which was, you can't look at each of these breaches on its own. Every one of them, of course, is pretty serious. What you're now seeing is the same malicious actors are stealing all of these big data sets. And then they're combining them into one, analyzing them, trying to figure things out to build the profiles on different people, which then enables them to obtain more complete packages of identity information that they can use to cut through some of these knowledge-based, you know, first generation solutions that we've been using for remote identity proofing.
And so they were really trying to wave a flag, point out, we can't look at this in isolation. We've got to really look at this as more of a national issue. Among other things, Social Security numbers are no longer secrets. We can go in the dark web and buy them for under a dollar a piece. Let's not pretend that there's really any security value of the SSN. In fact, the one thing you should assume today is that some of these Social Security number has been breached multiple times. Where are we today? In an era where transactions are increasingly digital, our authoritative identity systems are stuck in the paper world. Solutions that papered over that fact helped for a while, but now attackers have caught up. Shared secrets like Social Security numbers and passwords are no longer secrets. Industry innovation is helping to develop some better next generation identity solutions, seeing passwordless authentication become a reality. We're seeing really interesting identity proofing tools that can scan and validate identity documents from a smartphone. But at the end of the day, government remains the one authoritative issuer of identity. And so in this next phase of making identity better, we believe that the government is going to have to have a role to play. So let's just talk about what better looks like for a minute. It really means four things to us. One, better security with less fraud and identity theft. There was a recommendation that came out at the end of 2016 from there was a commission on enhancing national cybersecurity that had been set up bipartisan, looking at making recommendations for the next administration. They flag what a problem it is with identity compromise in cyberspace and said, we should make it a national priority that will take steps that compromises of identity will be eliminated as a major attack vector by 2021. That's part of what we're talking about here.
It also means better convenience for consumers, allowing consumers to open new accounts online with ease without having to go through duplicative burdens and world processes. With that, we think it means better confidence for both consumers and online service providers that the identities that are asserted online are reliable and trustworthy. And we think it means better privacy, shifting the predominant model for identity verification from one based on firms aggregating personal data without opting consent to one where consumers proactively request that their identity be validated by parties with whom they've already had a trusted relationship. So in terms of how to get there, I mentioned at the start of our discussion, in July, we released our policy blueprint that lays out five core areas where government can and should help and a specific action plan detailing who needs to do what in Congress and the executive branch. Now, to be clear, government's not the solution here or at least not the only solution. And there isn't any single action or initiative that can solve identity. Taken as a package, we're quite confident that this policy blueprint, enacted and funded, will make identity better in America. There's five key initiatives that are in there. And I'm going to focus just on the first two today given time limitations. But the first is to prioritize the development of next generation remote identity proofing and verification systems. The second is to change the way America uses the Social Security number. The third is promote and prioritize the use of strong authentication, getting us away from passwords into things that are stronger and more modern. The fourth is given that we're not operating here alone. We need to pursue international coordination and harmonization. Many of our members are multinational companies to be dealing with these issues across the globe.
And they'd like to see, to the extent practical, relying on common standards, frameworks, approaches that can be used everywhere. And the fifth is as we develop better identity solutions, it's going to be important to educate consumers and businesses about the fact that they exist and explain to them just what it means to have better identity. So let me talk about the first one for a minute. And you know, when we talk about the next generation remote identity proofing systems and the role the government can play, in simple terms what we're saying is if I've gone through the process of having an agency vet my identity once, could I, as a citizen, ask the agency to vouch for me when I need to prove who I am to another party. Our legacy paper-based system should be modernized around a privacy-protecting, consumer-centric model that allows consumers to ask the government agency that issued a credential to stand behind it in the online world by validating the information from the credential. And you know, to give you a real-world example of what this means, you know, I tell the story, I've lived in Washington more than 20 years, but about two years ago I had to go downtown to apply for a REAL ID driver's license. REAL ID, for those who don't know it, was a law that was passed in 2005 that set some pretty firm federal standards for what state driver's licenses have to look like. I will say it's been somewhat controversial and had some issues. The flip side is, if you have a REAL ID driver's license, you're pretty sure that person's real. And I went downtown and appeared in person in front of a government agent with my license, my passport, birth certificate, my Social Security card, a couple pay stubs, a couple utility bills, and at the end I got this plastic card. It wasn't really different from the card I had previously. So a couple months passed, my wife and I decided we wanted to take a loan out on our house to finish our basement. I've got two little kids.
They're lovely but loud sometimes and we thought it'd be nice to have some space for them in the basement. Went online, found the product I wanted. 2017 typed everything out. I'm like, yes, we're going digital. This is going to be great. And at the end they said, great, Mr. Grant. Thanks for filling that out. Your application is in order. Now can you please walk down or drive over to the nearest branch so you can walk in? You can hand us that plastic card and we can look at it and look at you for about 10 seconds and then we know you're you. And my question was why? Why is it in 2017 that we have to do it this way? Why is it I can't securely log in to the DMV and really knows who I am because they just saw me a few months ago and say, hey guys, can you do me a favor? Can you actually tell this thing, seven things about me that they want to know so we can get on with this transaction online? And I think the answer is it's not a technology issue, in fact that would not be hard to build at all, but from a business perspective that's not what DMVs do. Government agencies don't provide these kinds of services and that's the sort of thing that we think if consumers ask them to should change. So here's how this could work. You know, let's take somebody named Stacey and then who can be referred to in the paper who's looking to open a bank account. So she provides her information online, they say yeah, how do we know you're you. Here we might actually look to ping the Social Security Administration to figure out if there really is a Stacey that's out there with her name, date of birth and SSN. She would specifically ask, I want the government to help me prove I'm me online. They would push the information to her and they would simply give a simple yes/no answer, does this information actually exist in our databases. SSA is not sharing who she is, they're just saying yeah, we got this record.
Likewise we could do with the DMV where again she asked the government to help them prove it's her, they could do a simple exchange and they could, you know, provide a match there. Of note, while we were writing this Congress passed what's commonly known as the bank reg reform bill back in May, S. 2155, that's actually directing the Social Security Administration to establish this very service for any financial service transactions that are covered under the Fair Credit Reporting Act. Our view is this is a great start, we're actually having discussions with SSA, you know, ideas around, you know, how to best implement it, but we think it should be expanded beyond just what's out there and that is it's suited from the XERA side and that is a consumer. Do I really care, you know, if a transaction where I'm trying to prove I'm me is covered under a particular law or not. The other way that this could work, and I think this is starting to look to the next generation, is apps that would enable consumers to easily prove their identity. So then we'll take Stacy, now she's going to the water department this time just to mix it up. She provides her information and say we have no idea if you're really you. Now to request that the government helps to prove who she is, we'll use the DMV here. We're going to introduce the concept of a mobile driver's license app which would be an app on her phone that issued to her phone at the time the credential was issued. So there's a secure cryptographic connection between them. She would log in locally to the device. The device would then pass the cryptographic key to the DMV authorizing the sharing of information or the matching of information. It's a little bit of a different approach that among other things also makes you understand that the person who's holding the phone is actually the person who's issued gives you a little bit of a higher level of assurance.
And here this is actually something going back to the commission report that this was specifically called that. That the government should serve as a source to validate identity attributes to address identity challenges online. And they specifically flag the role of the DMVs among other things. There is some policy precedent for this. We do think, however, privacy is an important question. In fact, this came up before the call when Irving was asking about, well, what is the ACLU going to say about this? Look, when it comes to privacy, let's state up front that the fact that we don't have good identity solutions is impacting the privacy of millions of Americans today. We've had an epidemic of breaches. And if we can get better identity, it's key to improving protections. But we think we need to go beyond that. We think government needs to embrace a privacy by design approach for these new systems to ensure that anything that we're putting out there is architected from the start to address privacy risks. The solutions really need to be embedded. The protections need to be embedded in the architecture. We think there should only be a situation where government would validate data that the consumer affirmatively requested and only for the purpose specified. We think consumers should be able to choose to share or validate only certain attributes about themselves without revealing all of their identifying data. And so with all of this, we think that if we really want to make sure systems are secure and privacy preserving, NIST should be funded to lead development of a framework of both standards and operating rules that would apply to any new government driven attribute validation services that would ensure consistency across the 50 states and set a high bar from the start to make sure bad things don't happen. We, you know, talk about states and the role of the DMV.
We think they're really in a good position to drive this today, you know, in part because thanks to the REAL ID Act, the driver's licenses backed by a very robust and, of course, an identity proofing process. One challenge is that state DMV systems aren't really built to support modern identity services. I think this is a bit of an exaggeration with a lot of states running DMVs off infrastructure that's 20 to 30 years old, and states aren't incented to invest on their own in modernization to support digital identity. So this is one area where we've suggested that the government should step in. We did an analysis of recent DMV modernizations and, you know, what the average cost tends to be. There haven't been many. We think there's somewhere between two and a half and three billion dollars in unaddressed funding needs right now for DMV modernization. And so here we're calling for a new grant program of 200 million a year over five years to put some seed money into the state to help incentivize them to take this step. We do think it's important that, you know, with federal grant dollars, you can only spend it if you're following this new NIST framework. There needs to be some strings attached to make sure that we're funding programs that prioritize best practices for security and privacy. And we skip through the next slide real quick, but then we think there's more work needed in R&D and standards as well. We're running a little short on time. And I want to just take a couple minutes to also talk about the way we think we need to change the way we use the Social Security number in the country. So, you know, I mentioned at the beginning after the Equifax breach, we saw some proposals, let's replace it with something new, let's ban people from using it in certain ways. Our take is there's some things that you're overlooking here, which is that you can't talk about the Social Security number as just one thing. It's really two.
So, the first thing in the SSN is an identifier. So, if I Google myself, Jeremy Grant, you'll see there's a lot of different folks who pop up including one guy who's a power forward in the NBA who doesn't even spell his name the same way as me, J-E-R-A-M-I, which has a whole discussion for another webinar another time. But there's only one that's me. So, the SSN is an identifier and that's how it was created. So, all the different Jeremy Grants that are out there, which one is me? Only one hopefully has my Social Security number. And identifiers are often the username or number, they don't have to be secret. In fact, a lot of them are widely known and that's okay. I look at my Twitter handles at JGrants from DC. My email address is Jeremy.Grant at Venable.com. Those aren't secrets. They're identifiers that are out there. So, in fact, one thing we get into trouble with is when we start pretending that identifiers are secret should be kept secret, which is an area we've gotten into trouble with the SSN. With that, the second thing the SSN is is an authenticator. Used to determine whether a person is actually claiming to be a particular individual is in fact that person. That's usually something that a person possesses or controls such as a password, a biometric, cryptographic key. It should not be widely known. So, from our perspective we think it's really important to frame proposals about the future of the SSN on the basis of its use as an authenticator or as an identifier or both. But it's really important when we talk about restricting the use of it or replacing it. What do you mean? You want to replace it as an authenticator or as an identifier? As an authenticator, the Social Security number absolutely needs to be replaced. Let's face it, it's useless. The idea that it's still a secret is a fallacy. However, as an identifier, identifiers can be publicly known.
And we think because it's so embedded in so many different systems across the U.S., we'll actually need to preserve its use as an identifier. Not to say we don't look to reduce its use wherever feasible, but if you start to take away the security value from the Social Security number, the issues involved with replacing it get to be much more significant than simply modernizing our approach to it. So, to that extent, we specifically come out in the paper and say, look, let's not look to replace the Social Security number with a new government-issued identifier. The end result of this would be that you'd spend billions of dollars to create confusion for hundreds of millions of Americans as they try to figure out this new number versus this old number and how to manage it. And don't even start talking to me about, well, what if it was some revocable cryptographic thing tied to the blockchain, because that'll confuse people even more in terms of how they actually access it and manage it. At the end of the day, you spend a lot of money, confuse people and not give much security benefits. Plus, any new identifier will require both the government and industry to map it back to the old Social Security number. So even about the chaos with errors in mapping and matching and whatnot, you know, we'd have some real issues. We do think, though, would make sense to have an executive order or legislation that would ban agencies from using the Social Security numbers as an authenticator. Because there's so many laws and regulations that actually require different sectors to collect the SSN and retain it, we think a task force should be launched to review those and see whether any could be changed. And finally, we think it's important to acknowledge the role of the Social Security Administration itself plays in the identity ecosystem because for years the message has been this isn't really their issue.
They just give you a number, but their real job's to administer delivery benefits, which is true, but at this point they play a really significant role. And I think just trying to change that discussion to recognize that they also, you know, are the ones who issue what is the de facto identifier in the U.S. And I think step back and start to think about what that might mean that I think that you can help move us forward significantly. So with that, I've been talking quite a bit and I want to get to the webinar portion. So I'm going to stop the share and we'll go back to the webinar itself and I look forward to the discussion.
Okay. Thank you, Jeremy, for that excellent presentation where you cover a lot of material very clearly. That's why you were able to cover so much material. Let me ask any of the participants, if you have a question please click on the Q&A link at the bottom of the screen and then you can enter your question. Jeremy, let me first ask you when, you know, MIT has a number of secure websites and to log into them, I can either use my MIT ID and a password or I can log in with my digital certificate which I have in all my laptops and my mobile device and the digital certificate recognizes the, I guess the browser and device and then it's linked to an application called Duo Mobile in my mobile device. So is that a much safer way of logging in than the usual password route?
Yes, absolutely. And in fact, as you're mentioning what MIT has been doing with Duo, that was actually funded by one of the original NSTIC pilots that we launched back in 2012. We funded Internet2 who, you know, is essentially a consortium of different folks in the academic space to look to drive better authentication security through the partnership that they had launched with Duo. And so, yeah, it's a much better way because it's, you know, depending on how it's used, it can either be used as a standalone or as a second factor on top of a password.
But yes, you're suddenly, look, anytime you're adding a second layer on, that's better. I think one challenge we have seen in the last five years with the push to multi-factor authentication is that some of the solutions we've been pushing out can also be phished. And so one issue we've seen, whether it's SMS text that we're using or also push notifications, is, depending on how they're being used, those can be phishable, because you might, let's say, you know, you can be tricked through, you know, clicking on a link in a spear phishing attack into entering your username and password. Great. Hey, we know you've got mobile authentication set up. So they will enter your username and password into the real site while you're in the phishing site. You'll get the push notification and say, oh, you're trying to log in, Irving. Oh, yeah, sure. Thanks. And when you do that, you're automating them taking over your account. Now, there are ways to mitigate that. And so I, you know, without getting too much into all the details, I'll say the one thing that we're seeing these days is, Javelin Research talked about this a year ago. It needs to push more towards what they call high assurance strong authentication, leveraging some sort of public-private key pairs that aren't phishable. So I talk a lot, you know, about the work the FIDO Alliance has done. In fact, we talked about that quite a bit in our paper as an industry standard where you have Microsoft, Google, Amazon, other big platform players all working together to ensure that you have unphishable strong authentication, usually leveraging biometrics as a first factor just locally on the device, never central, to then unlock a certificate that then can log you in. Okay, very good. Let's see. One question that I also have. You know, like a month ago, we had a presentation by Iris Sharma, who is one of the leaders of India's Aadhaar initiative, and as you know so well, that was very much a government-led initiative.
And I really like your recommendation that since government, especially the IRS, government agencies, the IRS and the various DMVs have so much of our personal data, they should be comfortable being authenticators. That's all you're asking them to do. Why are they so, why are the government agencies so reluctant to get involved in authentication in any way, shape or form? So I don't know that they're reluctant. I'd say they've never been asked to formally. I mean, look, if you talk to the DMVs, they're absolutely correct in saying the reason that DMVs are established is to issue driver's licenses, which authorizes you to operate a motor vehicle. They've never been told by the governors or the state legislatures that identity is going to be a mission for them. Likewise, the SSA: Congress, if you go see the House Ways and Means Committee or the Senate Finance Committee that oversees them, they will say, this is not their mission. Part of what we're arguing is, in 2018, things have changed. It needs to become part of that, or somebody's got to do it, because industry is not going to solve it alone. But Jeremy, as you said before, so tomorrow I'm flying to Nashville. To get on the plane, I have to show, not just to get on the plane, to get past security, I have to show my driver's license. Yes. Now, so whatever. That's not their mission. They have become a de facto proof that I am. Right. And I think that's the point we make as well, is, again, I mentioned earlier the discussion of the National ID card, I think is the wrong discussion. It's not something we need in the U.S. Nobody's calling for it. What we need are ways to leverage the authoritative identity systems that we have in the ways that we all transact business, which is increasingly digital. And so I think that's really the, you know, one of the crux of that argument in our paper, is it's time to transform the mission.
It's time to transform the way that the entities that do deliver credentials deliver them through, you know, ways you can actually leverage these plastic and paper things online. And that's what I think is starting to resonate. Yeah, but Jeremy, I mean, I don't need to tell you that there are lots of smart people in the Department of Commerce in NIST, where you were a member of. There are a lot of smart people in OSTP, Office of Science and Technology. So when you say, well, nobody asked them, usually they are the people who set up these strategies for the country. They don't need to be asked. So why in this case are they so reluctant? Something must be going on that makes them reluctant to act when it comes to identity. So a couple of things on that. One, you know, one way this is different from NSTIC, which was drafted in 2010 and released in 2011, was NSTIC had the view that the private sector could largely thrive. So we would just be able to have private sector identity providers that would somehow get certified and be able to, you know, be accepted everywhere, including by government. And I think one thing that we've seen, given the attacks on the private sector identity services that have been set up, that weren't leveraging government information, is the government's going to need to play a role. I think that's one real way in which this strategy differs from the NSTIC from a couple of years ago. I think there's, so I'll say, look, we've been having a lot of conversations. There's been great interest in our paper since it came out. I will say what might seem obvious to you or I was not necessarily obvious to a lot of other people. But the good news is, as we've had discussions with different policymakers and other stakeholders, as we presented it, they've said, this doesn't make a lot of sense. And we should give these ideas consideration. But as you know, in government, everything takes some time. So I think that's what we're dealing with right now.
But I am, I would say, cautiously optimistic. The fact that Social Security Administration was directed by Congress to set up an attribute validation service this spring, and they're working on it now, I think is a positive sign. From our perspective, we want to see them do this really, really well and have it be a smashing success, because we think it can provide a template for what other agencies can do at different levels of government. Yeah. Now, one of the recommendations I saw for identity certification was actually in an excellent paper by the World Economic Forum two years ago, led by Jesse McWaters, who's actually going to be our next webinar speaker in December. Excellent. And what the World Economic Forum recommended is the notion of identity service providers that establish an ecosystem of partners, most of them from the private sector, but it could involve IRS and DMVs, to together certify identities. Now, that hasn't happened. We don't have the notion of private sector-led identity service providers. I was consulting with Mastercard until a couple of years ago and I asked our CEO, excellent, why haven't we done that, because he was very supportive, and he said unlimited liability, that nobody, nobody's going to sign up to certify identities if there is unlimited liability. Is that a correct issue here? And who do you ask is it to change that? So you mentioned before, at the beginning of our discussion, that I work in Venable, which is a law firm with the largest privacy and cybersecurity legal practice in the country, though I'm not a lawyer. It's a bit of a leading question that you gave me, in that I'll say there's a reason I joined a law firm a year and a half ago. It's that I think this is a very important issue to advancing digital identity. And except from the work I do leading the coalition, we're involved right now with a couple of clients trying to bring some new thinking on the legal side to this very issue.
So I will say there are good examples in different parts of the world where you do have a private sector ecosystem. Look, globally, you have the Kantara Initiative, which actually certifies, has a certification scheme to look at private sector identity providers that, in theory, lays out the way that you could have strong federation. The problem, frankly, is that there have not been enough online service providers who have been willing to adopt it. And so it's there, but the proof's in the pudding in terms of the number of users that you have. And so I think actually Kantara's done great work that might provide a foundation for how we go forward, but it's good to look at some new approaches as well. I think from my perspective, liability issues 15 years ago that derailed some of the first attempts by banks and others to do this aren't necessarily the same today, in that we've got a lot more agreements in place for inter-party data exchange. And at the end of the day, identity information isn't necessarily that different from the rest of them. So without getting into too many details, I can say we're involved in a couple of projects right now with consortium of major players in different industries where we're trying to say, bring some fresh thinking on the liability side. I think it can be overcome. I honestly think some of the liability issues have been excuses from parties who just don't want to find a way to federate and cooperate. And so now that we've advanced the discussion a little bit more over the last few years, I think we're in a better position to start to get some real true federated systems up and running. So for example, I noticed that both Mastercard and Visa are members of the Better Identity Coalition, and it's already worked with many banks and other institutions in managing, you know, credit card approvals and risk management and things like that.
So, you know, organizations like that seem like a natural, because they already know how to do it, plus they are already regulated. So yeah, and it seems like we don't like to be regulated. Listen, identity by definition is going to be regulated. Period. Just like my birth certificate has to be produced by a regulated government agency. I don't know who it is, but, so why haven't those are, and do you think there is a good probability that they will step up to the plate, because this is a revenue source for them? Nobody said that when they certify an identity they don't get paid. So this is a good revenue source. So I'm actually really optimistic about what we're going to see from the private sector, in that right now I'm seeing, one, a consortium of major financial institutions looking to build this with some real serious resources behind it. Second, same thing happening in the healthcare space with patient identity. A lot of big players coming together. And third, the mobile network operators recently had an announcement around what they call Project Verify. In some ways it's been heartening to see, as a guy who back in 2011 when we launched NSTIC, those were all parties it was hard to get to the table, and I think a part of it might be I was calling and saying, hey, we're from the government, we're here to help.
But also it was a strategy that was a little bit ahead of its time in terms of where the market actually was, and I think what I'm seeing in 2018 is all those industries and others have recognized how important digital identity is, that they can really reduce their risk, so they can find ways to offer new products in this space, and there might be a revenue stream. As you notice, I've long said, when I look at identity, what's the most important thing, and harkening back to The Graduate, validated attributes are the new plastics. And entities that have them, which include some of the entities I mentioned outside of government, if they can come up with the right structure, able to monetize those in a way that is certainly nice for the bottom line but also can help them deliver new services. So all this could crash and burn, of course, all things always can. It is complicated, but there's a lot of interest and, again, a lot of new thinking coming in. The one thing I'll say is, while things didn't work the first or second time we tried to do this, everybody learned from why they didn't work, and I think that's an important thing, is that, yeah, just because an initiative didn't transform identity doesn't mean that we didn't learn what we had to do the next time around. No, no, I understand. I mean, I like to remind people the Surgeon General's report on cigarettes came out 1950s or 1960s and it wasn't until the 1990s that something happened. So now we have some questions from participants. Here is a question from Segun at the Koya: why can't we just use biometrics as an authenticator, leveraging the secure mobile platforms that everybody uses? So we can, and in fact I mentioned the FIDO standard before, that's exactly what that is. But I want to make sure we separate things between authentication, which is essentially proving that you're really Irving on the other end of the transaction when you're logging in the second time, and identity proofing, which is when you're looking to establish an account to
prove that you're really who you claim to be that first time. And so the biometrics on the devices I don't think do much for identity proofing, other than some apps where I'll take my phone, scan my driver's license, take a selfie or a quick little video, they'll do a face recognition match, and then you can prove, hey, this guy's really holding the license and the face matches, yeah, this is probably him. Although I'll say the companies in that space, you know, some of them are members of our coalition, they think we need to go further, to go to the databases in the government to validate the attributes as well. But on the authentication side, the great thing about the FIDO Alliance standards is, you know, I'm doing this webinar on a Windows machine, I've got an Android phone downstairs that I use for one application, I'm making this call from my iPhone, they're all architected the same. These devices have some really interesting features, which is a number of biometric sensors, fingerprint, face, iris, voice, and they all have a secure element, a trusted execution environment, a TPM chip that's in there, where I can basically protect the biometric and also generate and apply cryptographic keys. And so, you know, FIDO is essentially, you know, the two-step of, one, local authentication to your device, generally with a biometric, which could be something else like a PIN, and then that unlocks a cryptographic key that's used to log you in. So in fact I think next week at a forum we're putting out in their offices in DC on November 2nd, they'll have Microsoft and Google showing how you could use an Android phone to log into your Windows machine or vice versa, you know, ways you can use things like Windows Hello with the biometric feature and FIDO standards to log into a website with your face without ever having to type a password. We're close to the post-password world. It's happening today. I think you're going to see a lot of other adoptions rolling out over the next year, now that, you know, most of the standards
work has been done. And so I'm actually, we focus a lot less on authentication in our paper, in part because our view is industry's made some good steps to solve it. And I want to say industry, you know, we've had governments from around the world at the table at the FIDO Alliance as well, with them participating. So we're closer to solving that problem. Authentication is getting easier; it's the identity proofing that's getting harder. Listen, your positivity is very hard to hear. February had another question. Actually, Irving, I would like to ask a question of Jeremy. Jeremy, it's Ira. I'm curious what kind of reception you're getting beyond, your members are mostly in the financial services, healthcare, you know, industries where the CEOs are used to dealing with sensitive data and certainly with consumers in that regard. I'm curious what kind of reaction and understanding of this issue, because it's really an issue that cuts across industries, do you get that kind of understanding in connection with CEOs of other companies and other industries? They really understand this issue, or they sort of position it as something that their IT, their computer, the computer security expert should handle? Is there a recognition among CEOs that this is something that really needs to be dealt with? You know, I'd say it's evolving, so it's getting better every year. Look, I'll say when we launched this coalition, we weren't necessarily looking to have it be so heavy, heavy in terms of financial services, but I think one thing we're seeing right now is that industry is acutely focused on this more than other sectors because they're feeling the pain more directly. I mean, I just got, I mentioned before we started the call, I got back real late last night from Las Vegas. I was out at the Money20/20 conference. That's my identity conference these days, because everything you want to do with the future of payments in fintech depends on knowing whether somebody's a dog at the other end of the transaction, and
so I think, given, you know, the trends we've seen in that particular sector over the last three or four years, yes, there's nobody in financial services who, if not at the CEO level, at least at a pretty high strategic level, is focused on this. Healthcare as well, I think they're getting there, in part, in the U.S. there's, you know, some new rules coming out from the Department of Health and Human Services around the next generation of how we do digital health that make identity a real priority. You know, other sectors, you know, retail or, you know, what I call, you know, tech giants are focused on this somewhat, but, you know, they're focused where they have pain points. Certainly authentication is a pain point. Nobody likes putting consumers through password processes, and, you know, as I mentioned with things like FIDO, a lot of the tech giants are, you know, really making it a priority to get the on passwords. But, you know, I think a lot of it really depends on where you're running into problems, and so it's been a little bit mixed. I can't say we've talked to any companies where they've said you're not focusing on something that's important, we don't like the approach you've taken, but, you know, you get attention where industries are, you know, dealing with something that's, you know, much more to you. And Jeremy, one question that I've had is, in a mature industry, let's take civil engineering, you know, that engineering has been around for a long time, if a building collapses or something happens to it and upon investigation you find out that the contractors knowingly didn't use good materials, they are open to gigantic civil or even criminal liabilities, correct? Yes. So how far are we from a time where, if I'm interacting with a retailer and somehow my identity gets stolen, data gets stolen, I mean, remember we've had issues, was it Target that had a gigantic breach years ago? Mm-hmm. And what is, over time you start holding the company, not the CIO but the company, like you would a civil engineering
accountable for any breaches if upon investigation you find out that there were things they could have done that they didn't do. Can you imagine getting to that point? I'd say we're already there. You know, Target, you know, their CEO and a lot of other folks got replaced in the wake of that breach. Same thing with Equifax. And I'll tell you, every, you know, not that it's good to see that happen, but one thing that I think, you know, some of the breaches of a few years ago did, we've started to get board attention and C-level executive attention on managing cyber risks, to the point that, look, a lot of the, you know, the work we do outside of the coalition is also focused on, you know, trying to help different companies manage cyber risk, and, you know, the fact that these are now C-level and boardroom conversations, the fact that many boards now have a cybersecurity element to, you know, their risk committee, I think is quite important. So I think, look, between existing regulators, where the FTC's coming after breaches, and especially, hey, you watch one of your peers get fired, that's a good message that you might need to start taking this seriously. I still do think there is... What's that? I think class act, have you seen class action lawsuits based on, you know, again, you work in a law company, so are there some action lawsuits if enough people lose data and are hurt by identity theft and so on? I don't think there's, I don't think there's been a major breach where there hasn't been a class action lawsuit, and in fact sometimes you'll even see a lawsuit filed if there's just a report of something and you don't actually know what happened. So I do think that companies have plenty of incentives, although, look, the flip side is a lot of them take this as a risk equation and say, well, what's the cost of defending and paying a class action lawsuit versus investing now? By the way, from my perspective, that's the wrong discussion to have. It really should be focusing on how you can ensure your enterprise and
your customer data is secure, but it's taking time, I think, for companies across sectors to wake up to that. If you're a building contractor, you cannot say what's the value, or you've seen less, you know, still that is under regulation, because that's criminally, that's criminal negligence, correct? Yes. I think the one thing that's different with cyber risks, though, is the threat vectors are constantly changing, and so it's, you know, building codes are pretty strong, we've got standards there, it's, you know, pretty cut and dry, either you built to code or you didn't. And I think one of the challenges with mitigating cyber risk is that the attack vectors are constantly changing, so you might implement something that you think is secure and two years later it's not. Jeremy, this is my opinion, that's because civil engineering, mechanical engineering, when it comes to car and airplane, they've been around for a hundred years, so these things have evolved. I am just about positive that this will be the case a few decades from now in the world of digital infrastructures, because it's so prevailing. I mean, I cannot imagine the digital economy continuing to advance unless something like that happens. Is that correct city? Well, I hope that's the case, but I'll give you a much darker future, or at least, you know, frightening because the unknown. So I just finished the book, science fiction book, on a long flight to Singapore, in fact, that I had, called Void Star, where one of the themes in there is, you know, 50 years in the future you have these massive artificial intelligence entities that are launching on their own very sophisticated attacks against systems, and you have other AIs here to try and react what they're doing to defend against them, and so it's literally a battle between AIs that are out there all trying to get supremacy. And we're already, you know, it's funny, we see this now if you go, you know, walk the floor at the RSA conference or other cybersecurity shows, lots of new products
leveraging artificial intelligence, machine learning, to try and anticipate what the attacker might do, react on the fly, make decisions. Well, guess what, the attackers are going to use that tool as well. So I hope that's not our future, but it's at least one possibility. The humans are accountable, in my opinion. So Ira, do you have any questions? Yeah, I'm curious, and this I think Segun also brought this up, one of the things in our discussion of the Aadhaar program was the recognition that they have saved billions of dollars through their national identity system, cutting a lot of waste and corruption. Is that possible with the blueprint you're putting forth? It's not something that you... Oh yeah. So talk a little bit about how that could apply to the U.S. system or U.S. policymakers, how they would apply that. Well, I'll say when I was in government we actually funded a big study that we did jointly with the Internal Revenue Service looking at that very topic, because one of the questions came up, you know, hey, if we actually have digital identity, what can we save? And so we brought in, you know, a group of economists from a nonprofit and, you know, started to basically pick apart what does it cost the IRS when you show up in person, what does it cost them to deal with a call, what does it cost if you mail, cost when you mail something into them, and what would the cost be digital. And the answer was that if there was a vibrant identity ecosystem, the IRS alone would probably save around 300 million dollars a year. That was a high, and it was a range, I think, from like 100 to 300, but real cost savings if you can enable new online transactions because you have digital identity. And so, you know, the issue we have today is that there's a lot of transactions, be they in government or industry, that aren't online, like that loan I was trying to take out last year, simply because of the fact that the risk model is such that we're not going to allow you to do it online because
we don't know who you are, at least not at the right level of assurance. So I think there's real savings that are out there. It's not just about better security, better trust, better convenience. Everybody wants to do digital commerce for a reason: it costs a lot less. But, you know, one of the questions we asked was, couldn't authentication be a revenue source for authenticators like the IRS and the DMVs, because it's a small micro payment for each authentication, but if you do billions of small micro payments, after a while they begin to look like real money. Has that been looked at? Well, at a minimum, I think one thing that's emerged is that any new services that the agencies are going to stand up for the private sector to ping, the private sector will pay for. So I mentioned before, Congress back in May told the Social Security Administration to set up an attribute validation service. They also stated that industry will have to pay for it and that work will not start on it until the SSA actually collects 50% of the costs, and industries use that's fine, we're paying commercial providers for this right now, and if you can give us better data, more accurate data, we're happy to pay for this as well. Now, separately, logistics of trying to figure out what the cost will be and what the volume will be turns out to be quite confusing, but we're working through that right now. So no, I think this is an area where, if not as a profit center, they will at least be able to develop cost reimbursable services, and certainly in the private sector there's hundreds of companies that sell the stuff today. Great.
Hey Jeremy, I'm going to ask one last question. I loved your slide on the passwords. We all go through that. I know I have a list of written down all my passwords, nice secure place right on my desk, which is... Do you remember, do you remember, get a password manager. I know that, I realize that's certainly not the best practice, but I'm curious, what does the world look like for the consumer when we have identity authorization and verification systems? Is it a pain-free world? Well, it certainly has less pain. Look, one, I really think we're on the cusp of the post-password world right now on the authentication side, with things like FIDO standards and other solutions taking hold that leverage a combination of local match biometrics and, you know, device identification and some people certificates on them. And I think, you know, you always are going to have a little bit of friction when you're doing account opening, but it's not hard to envision a world a couple years from now where, rather than show my license to the bank in person, I have a, you know, mobile license that's stored securely on here somehow, we can talk about different models, that when I'm applying for an account online or I'm looking to check out somewhere, it's really easy for me to assert those government-backed identity attributes about me. Again, it's not a technology challenge, it's really a question of just changing some of the models that identity service providers offers it. So I'm pretty optimistic, actually. I'll say, you know, one closing comment: when we pulled this coalition together, one of the thoughts was, let's not try to rewrite NSTIC, let's not come up with a pie in the sky world of what things should look like in 10 years, let's try to actually look at things that we could accomplish over the next two or three years that would make a material difference. So one question we get a lot is, well, you didn't solve this problem or you didn't solve that problem in the blueprint, and the answer is, absolutely, we were not
the "solve every problem in identity" coalition, we're the Better Identity Coalition. We do these five things, we can make things better. Great. Well, thank you, this has been wonderful. Great, great presentation. Thank you for your time, Jeremy, and thank all our viewers. If you would like to listen to this recording, it'll be available on our YouTube channel. And everybody, I don't know if you wanted to add any closing comments. I just want to thank Jeremy for a wonderful presentation and a wonderful discussion. Thanks, appreciate you all hosting this today. This was a great talk. Yeah, great. Thank you. Thank you very much. Bye, everyone. Bye.