White House stalls on digital identity mandate, despite billions in fraud
President Biden previewed an executive order in his 2022 State of the Union meant to address identity theft and fraud in public benefit programs. As Biden gears up for his 2024 address, the order still hasn’t been released.
Two years after the White House teased an executive order on identity theft in public benefits during the 2022 State of the Union, such an order hasn’t materialized, leaving stakeholders frustrated at the lack of action to address vulnerabilities and prevent fraudsters from siphoning off government money.
“We continue to work in this area very rigorously across government,” Clare Martorana, the federal chief information officer, told Nextgov/FCW at an event this week when asked about the state of the executive order. “This is top of mind for all of us. We want to make sure that we accelerate people’s use of digital [to access government], but safely, securely.”
The order as it was previewed two years ago was said to be focused on preventing fraud in government benefits programs, which spiked during the pandemic, in part due to identity theft. The Government Accountability Office estimated in September that up to $135 billion in unemployment insurance alone went to bad actors during the pandemic.
“We are working to identify a number of actions that we believe will have a positive impact on digital identity and identity verification,” Caitlin Clarke, senior director at the National Security Council, said at an event in January. “We will be looking to have more work in this area coming out soon.”
Clarke noted that identity is often either the culprit or target in cyber incidents, with bad actors exploiting identity and access management vulnerabilities and targeting identity information to monetize and use it to further additional fraud and cybercrime.
Specifics remain unclear. The Office of Management and Budget declined to respond to questions for this story about the state of the executive order or reasons for its delay. The White House did not respond to outreach for this story.
Political optics, Login.gov and the ‘abysmal’ lack of progress
A 2022 White House fact sheet designated Gene Sperling, White House senior advisor and American Rescue Plan coordinator, and the Office of Management and Budget as responsible for making recommendations on preventing public benefits fraud that will be incorporated into the promised executive order.
According to sources familiar with the development of the order, Sperling has been driving its development. He told reporters last spring that it “should be out soon,” although he noted that getting legal sign-off can be a lengthy process.
The order’s creation has largely been conducted behind closed doors, not open even to other senior White House officials, according to the sources familiar with its development, who added that Sperling has also restricted the cross-agency engagement typically done for policy development.
Identity proofing solutions can be politically touchy, as was evident in early 2022 when the IRS faced bipartisan pushback over its use of facial recognition via vendor ID.me.
Those political optics for any forthcoming order have been on Sperling’s mind, according to sources familiar with development of identity policy. Challenges surrounding the government’s single sign-on service, Login.gov, have also factored into the delays.
Although 47 agencies and states use Login.gov, some agencies have been reluctant to do so.
The IRS, for example, still hasn’t added the service as a gateway to the agency’s online accounts — even after it said it planned to do so in 2022 — as IRS tech officials have hesitated to trust Login.gov’s security features.
A draft of the executive order from early 2023 indicated the White House planned to give a leading role to Login.gov.
But weeks later, the General Services Administration’s Login.gov team landed in hot water for not meeting government digital identity standards, due to their lack of facial recognition capabilities, and for misleading agencies about their compliance. GSA has since announced it would add facial recognition capabilities to Login.gov.
It’s unclear whether and how the focus of any potential executive order has shifted since.
“Meanwhile, the problems tied to identity theft and identity-related cybercrime continue to compound,” said Jeremy Grant, former senior executive advisor for identity management at the National Institute of Standards and Technology, who now runs a trade association focused on digital identity issues, the Better Identity Coalition. “The lack of progress here has been abysmal.”
“The lack of any easy, privacy-preserving way for Americans to protect their identity online is being actively exploited by organized criminals and hostile nation-states like China, Russia and North Korea,” said Grant.
The Better Identity Coalition wants the government to push for identity proofing systems, including mobile driver’s licenses, and to have more agencies provide attribute validation services that can be used to triangulate whether someone is who they say they are on the internet. Others say that the government also needs to better help victims of identity theft.
The White House’s own 2023 cybersecurity strategy included action items to invest in digital identity solutions and update related standards. But the strategy’s implementation plan left out digital identity.
“Weaknesses in [identity] are a threat to our national and economic security,” said Carole House — formerly a director of cybersecurity and secure digital innovation at NSC who now works at Terranet Ventures — who also spoke at the January event.
“It’s a major vulnerability that demands coordinated, strategic action led by the White House,” she said. “Yet we’ve seen no evidence of coordinated architecture and structure for the kinds of efforts that are needed to create the fabric for the future of a digital economy.”