Why CIOs Are Turning to Digital Credentials for Cybersecurity and Cost Savings

The role of Chief Information Officer involves managing everything from networking and IT to data systems and cybersecurity, all while technology continues evolving.

State CIOs are responsible for securing government networks, reams of public data, and public benefits systems, at a moment when advanced state actors have become increasingly aggressive and subtle. Hacking and phishing now regularly impact even Federal government systems, and state CIOs are expected to fend them off on a public-sector budget. This comes after the COVID-19 pandemic released a broad surge of attacks against benefits systems, such as unemployment assistance. 

These conditions have led to accelerating turnover: nearly half of all state CIOs have been new to the role since 2022, and the median length of a state CIO’s term has declined from 30 months to 23 months over the same period, according to a recent study by Deloitte and the National Association for State CIOs. 

The good news is there’s a powerful new tool on the CIO’s side that can reliably confirm identities online: verifiable digital credentials.

Read More: SpruceID’s in-depth Introduction to Verifiable Credentials.

Digital Identity: A Foundational Layer for Security and Privacy

The challenges facing state CIOs can be divided into three categories: ensuring accurate identity on state systems, protecting citizen privacy, and securing government networks.

Trustworthy digital identity has many benefits, but above all, it has become arguably the most important factor in cybersecurity. According to Crowdstrike, more cyberattacks now rely on the theft of valid identity credentials to compromise systems than malware. 

Verifiable digital credentials are designed to mitigate these threats at their root. The cryptographic signature that validates a VDC is embedded in the phone’s secure element—a hardware-based vault specifically built to resist tampering. Extracting it is not just extremely difficult and costly; it’s practically infeasible with today’s technology. And even in the unlikely event of compromise, the credential is cryptographically bound to the device, rendering it useless anywhere else.

Identity fraud of a different sort can undermine state unemployment insurance programs or other benefits. Improper state UI payments, including fraudulent payments, ranged from 7% to as high as 25% from July 2021 to June 2024, according to the U.S. Department of Labor.

Much of this is enabled because of the transition to online services, where stolen or “synthetic” identities can pass through some systems undetected. Identity credentials built for digital trust, such as the Mobile Driver’s License (mDL), can reliably prove a holder’s identity and residency over the internet, presenting one path to mitigating fraudulent claims. 

At the same time, digital identity can increase the privacy of state residents by reducing the amount of data being transmitted, thanks to a mechanism known as selective disclosure. That means mDL adoption can prevent state agencies from becoming unwitting data hoarders. This creates an even more virtuous cycle because less identity data is available to steal, which means hackers have less raw material for impersonating real people.

Read More: Privacy-protecting identity verification

Digital Credentials for Next-Generation Access Control

The goal of most network compromises and phishing attacks is to steal data that can be used in other malicious ways. Usually, that’s personal data that can be used for identity theft – and a state’s records are something like a hacker’s Holy Grail. That’s why CIOs polled by NASCIO in 2024 said their second-highest priority was preventing bad actors from accessing data-rich systems.

A big part of the problem is that state intranets managing this data still often rely on password-centric identity and access control. This makes them vulnerable to phishing – manipulative “social engineering” that tricks humans into entering a password or other data into a fake portal, handing them over to an attacker. Those attacks have been massively accelerated by the availability of generative AI, which enables massive scale and “hyper-personalization” that make phishing more effective.

As with public-facing applications, VDCs have the potential to massively undercut phishing attacks on state workers and systems by replacing passwords and other “knowledge-based” access controls with cryptographic signatures. The use of digital credentials for log-on and access control is still nascent but could either leverage public VDCs like mobile driver’s licenses or use different employee credentials issued by agencies or departments.

Large Scale, Low Cost

Device-tied access control systems are nothing new, of course – random-number keyfobs and similar solutions have been widespread in defense and other sensitive settings for decades. The deeper advantage of VDCs is that they can provide similar assurances at a much, much lower per-user issuance cost.

First, that’s because VDCs don’t require additional specialized hardware, instead leveraging the smartphones that state workers already have. Second, a mobile driver’s license issued by your state’s DMV will be sufficient added security for many roles, and those will come at little or no added cost to state offices.

Before long, new state employees will simply arrive on their first day with digital credentials in hand. Nearly 6 million Americans already have mobile driver’s licenses, early adoption driven by the simple convenience of leaving behind an old-school paper-stuffed wallet. Those first 6 million adopters are from about a dozen U.S. states that already have mDL programs up and running, and the number stands to skyrocket as more states come online. 

Interoperability Without Lock-In

The open, interoperable, and standards-based nature of VDCs has other advantages compared to older purpose-built identity systems. Much like the World Wide Web can be read through many different browsers, a growing ecosystem of vendors can provision VDCs to the same standard. That competition will help keep costs down, whether for issuing more specialized credentials or building the front-end systems to accept and validate VDCs.

Maybe even more important, though, is that an open-source system prevents vendor lock-in. Whether credential issuance or systems-level work, the basic plumbing of VDCs is universal and interoperable. If anything goes wrong with one vendor, another team can easily pick up the ball and run with it. Signing up for the added security of digital credentials doesn’t mean being dependent long-term on any specific team.

Now is the time to start thinking about the potential for digital credentials in your state’s cybersecurity stance. If you’re interested in learning more and maybe even expanding your horizons of what’s possible, get in touch with us. We’re happy to provide feedback and guidance wherever you are on the security journey.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.