Why Advancing Digital Identity is Critical to U.S. National Security

Every year, cyberattacks increase in severity and intensity as more and more of our collective human life is conducted online. Between 2021 and 2023, cyberattacks rose by 72%, the fastest rise on record. The nature of these attacks is also changing: the average reader might still think of “hacking” in terms of digital theft and petty web vandalism, but we now see frequent, sophisticated, state-sponsored cyberattacks that impact physical, real-world targets – including critical infrastructure and sensitive operations - such as stealing personal data of millions of people and taking down hospital systems.

This trend poses profound risks to the basic safety and security of U.S. citizens, and 2024 has already given us a frightening example. In January, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) told members of Congress that a China-backed hacking group known as Volt Typhoon was working to infiltrate U.S. computer networks. The group sought access to water treatment, electrical, and transportation systems, with the goal of “inciting societal panic” and compromising U.S. threat response capabilities. 

Cybersecurity is National Security

These attacks show just how impactful cyberattacks can be and how imperfectly we secure even the most critical digital systems. As CISA head Jen Easterly told legislators, “Chinese cyber actors have taken advantage of very basic flaws in our technology … We’ve made it easy on them.”

One such flaw is the lack of verifiable digital identities that control access to everything from email servers to dams and steel mills. Current identity verification is too easily spoofed because it often relies on pre-Internet authentication concepts that are impractical and insecure in today’s threat environment. More advanced verification systems are offered by just a handful of large, centralized providers, creating single points of failure, such as those exploited in the OPM data breach of 2015. On this topic, DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment commented that "[if] an adversary has the credentials of a user on the network, then they can access data even if it's encrypted.” As a result, the top recommendation from the House Committee of Oversight and Reform was to move federal information security efforts toward zero trust.

To close such vulnerabilities, one tool holds particular promise: a digitally native ID system, built from the ground up to securely bridge the physical-digital gap that America’s enemies are eagerly exploit. When we increase users’ and software agents’ abilities to demonstrate who they are with high assurance to a variety of different systems, we also increase security with more granular controls over who can access what. This moves us away from singular accounts that can access large troves of sensitive data, and towards a zero trust, need-to-know basis per account, closing many outstanding security gaps in nationally important systems.

Critical Infrastructure and the Changing Threat Landscape

The OPM database is by no means the only digital “crown jewel” in the US government’s IT infrastructure. In 2013, the White House identified 16 categories of “critical infrastructure” fundamental to national security. These include three broad categories of government and civilian systems: Communications and Data; Transportation and Energy; and Public Health and Emergency Response. 

All three of those categories have been targeted by sophisticated cyberattacks, some of which can grant attackers long-term access to systems. This was the goal of the notorious Russian-backed SolarWinds attack, and of the more recent Volt Typhoon incursions.

The compromise of these systems makes America vulnerable to a vast range of threats, from subtle to dramatic. The U.S. itself pioneered the subtler sort of attack with Stuxnet, a worm that altered control software and destroyed physical centrifuges Iran used to enrich uranium. America’s enemies might use a similar playbook to alter automated systems in a defense manufacturing facility, leading it to produce inoperable weapons. More acute and targeted cyberattacks could also cripple hospital operations during a disaster, or disrupt hydroelectric dams and interrupt power to millions – or even unleash devastating flooding.

Critical Infrastructure and the Changing Threat Landscape

These growing vulnerabilities are the product of a mix of technological and social changes. An increasing number of digital systems are built to allow remote access, in some cases as a product of the shift towards working from home. Even more widespread is reliance on remote “cloud computing” for data or processing. When they’re compromised, those remote services can give intruders major access to critical data and operations.

At the same time, the current confusion of access and identity systems makes these systems easier for bad actors to penetrate. Many digital identity systems rely on analog infrastructure, particularly drivers’ licenses, as their ultimate source of truth. But those pre-digital systems don’t carry all of their security guarantees into the digital world.

More advanced digital identity systems overwhelmingly rely on a very small number of commercial providers, creating a huge concentration of risk. In a 2023 incident, for instance, China-based attackers compromised Microsoft email systems by forging identity authentication tokens using a stolen “signing key." 

Microsoft has generally excelled in its role as an identity manager for critical systems. But its centralized control also makes hacks of truly immense scale more of a threat. As Adam Meyers of security firm Crowdstrike has said, “having one monolithic vendor that is responsible for all of your technology, products, services and security ... can end in disaster.”

From Bits to Atoms: Digital Identity in the Physical World

Many possible cyberattacks rely on identity credentials to gain initial access to systems: According to Verizon, 91% of phishing attacks seek to compromise identity credentials. In turn, 81% of data breaches make use of stolen identity credentials.

In our day-to-day lives, we frequently rely on outdated authentication methods, such as simple username-password combinations that can be easily stolen. Many would likely be stunned by how many critical systems have fewer protections than their Amazon accounts.

But what if user identities could not be remotely compromised because proof of identity was linked to physical objects, rather than only clonable strings of characters or spoofable digital tokens? This is one of the many security features provided by Verifiable Digital Credentials (VDC), which can combine cryptography and modern hardware innovations to create vastly more secure digital credentials than the current baseline.

Fundamentally, a Verifiable Digital Credential is the digitally native version of your driver’s license/identification card, professional license, or certifications, which contains verifiable cryptographic signatures from the issuer of the credential, making it provably authentic and tamper-evident.

The “cryptographic signature” isn’t just a picture of a handwritten signature, nor the cursive letters that show up in DocuSign or similar services. Instead, it’s machine-checkable evidence that a statement was made by the right entity, such as when the DMV uses a cryptographic signature to indicate that the holder of a mobile driver’s license can operate a vehicle. Unlike pictures of handwritten signatures or scans of plastic ID cards, cryptographic signatures cannot be feasibly generated by AI and are designed to be future-proof, even against quantum computers. 

Through these new security features, digital IDs can be built from the start to assure the safety of the physical-digital frontier where many compromises occur, while ensuring privacy and user control. Breaking the protections of the secure element of a cell phone or key fob requires a high level of sophistication, such as using an electron microscope directly on the physical chip, and which is a longshot for most attackers.

Requiring a specific device to access a digital service can be used to ensure a particular person’s physical presence – for instance, in front of the control panel of a hydroelectric dam – rather than a simple badge. This is known as an “authentication factor” in guidance from NIST, and is a widely adopted requirement to layer into security programs across federal, state, and private sector systems. Digital IDs can provide many additional improvements to identity authentication and assurance in one package.

Security Across Digital Borders

The U.S. has over 430 federal agencies, many hundreds of state agencies, and more than 200,000 government contracting firms, each with their own IT systems, technology stacks, and personnel. Significant cybersecurity risks lie at the edges of these systems: Anything from a missing USB stick to an expired contractor access card can compromise our national security. 

Verifiable Digital Credentials (VDCs) can help with security at the edges by providing robust ways for users and software agents to demonstrate who they are and their privileges across any environment. This is a key enabler for zero trust architectures, which allow for the granular specification of a user’s access rights - rather than “trusting” them after logging in once. VDCs can enable zero-trust interoperability because they are based on data formats and sharing protocols currently being refined by global standards organizations, such as NIST, the International Organization for Standardization (ISO), and the Internet Engineering Task Force (IETF), and the World Wide Web Consortium (W3C).

These standards allow many different government agencies and bodies to provision verifiable digital credentials tailored to their needs, which incorporate baseline privacy and security features. They are also usable across different agencies without the need to create a new IT super-authority.

Technology that Incorporates Market-Based Innovation and Democratic Values

VDCs can be customized for specific use cases to provide better user experiences and security properties. It is possible for many vendors to implement VDC solutions in parallel that can talk to each other, reducing vendor lock-in and increasing IT agility. In contrast to relying upon one monolithic IT system, a dynamic ecosystem of vendors each specializing in their own use cases can allow agencies to leverage competitive market forces to provide the best solutions at the lowest cost to the taxpayer.

For example, while one firm may specialize in VDCs for physical building access, another might create an identity for software packages to help prevent the next SolarWinds catastrophe. Agencies responsible for our national security will be able to pick the best-in-breed solutions for their specific problems at competitive price points.

The use of open protocols to structure a competitive market for verifiable digital credentials can create an industry that boosts domestic cybersecurity strength. These solutions can also extend to private sector use cases, ensuring a strong commercial base, as was successful for the microchip industry.

Further, when security and privacy are incorporated at the shared protocol level, all implementations can start with the same baselines for ensuring against cyberattacks, unlawful surveillance, and the creation of risky data honeypots.

This architecture can work globally across public and private sectors to increase security, protecting against cyberattacks. It can ship with base technology that encourages individual freedoms while proving of little to no value to autocratic regimes. For instance, enshrining user privacy in the foundational technical standards could render the implementing systems unusable for mass surveillance of private activity, or the implementation of “social credit” systems.

By fostering an industry of best-in-class digital identity technologies, America can retain a leadership position in the global development of digital identity infrastructure to support the security across all of its critical infrastructure sectors and beyond.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.