Can government distribute public benefits and fight fraud at the same time?

Editor’s note: This is a guest post from a former employee of a White House office who was working for the federal government at the time of the phenomenon that he has described in this piece. Technical.ly publishes it today with the hope of contributing to discussions that balance the importance of COVID-19-related relief for individuals and businesses with the reality of fraud that the Justice Department has acknowledged — and all without the politicization and hyperpartisanship that has characterized much of the US’s experiences with navigating the pandemic and distributing this aid. Do you agree with his assessment? Would you like to share your own opinion on the topics of federal funding, public-private collaboration, identity verification technology or anything else the author discussed? Let us know your thoughts by emailing sameer@technical.ly.

America’s public servants have done an amazing job delivering stimulus payments and relief checks throughout the COVID-19 pandemic. This work has done much to keep families and businesses away from the brink of economic catastrophe.

I witnessed this important work during my years as a civil servant, under administrations from both parties, in the White House’s Office of the Federal Chief Information Officer.

And yet, as policymakers and auditors look back on this time, it is now clear that the US has experienced what some experts deem the largest fraud event in modern history.  Even as the Department of Justice continues trying to track down and prosecute those who’ve committed fraud, the sobering reality is that much of what was stolen may never be recovered.

This speaks to a historic unspoken tradeoff: Get public benefits out fast, assume a certain level of risk, and factor in a “tolerable rate” of fraud; or create a process with lots of friction and, limit fraud, but fail to meet the moment and distribute benefits where they’re needed.

In reality, this is a false choice. The way the US has approached consumers’ identity management is fundamentally flawed and broken.

With the advent of cutting-edge technologies that use graph-based analytics and supervised machine learning, public agencies working hand-in-hand with private sector security partners can deliver benefits quickly and with minimal complication — all while weeding out bad actors attempting fraud.

What should we do to achieve this goal?

To start, we need a national approach (though not a national identity document). We now live and work in a global economy, and we need to do more to demonstrate leadership. We need an approach that tackles root causes and is emboldened to drive change now.

That’s why, at the state and federal levels, government agencies should better synchronize their antifraud efforts; Our adversaries are networked and collaborating, yet government efforts to combat fraud are stovepiped. We need a national Center of Excellence (CoE) to identify and share identity fraud signals that can be accessed across states and federal agencies. This CoE would include inputs coming from industry sectors to inform how the threat landscape continues evolving in tandem with our adversaries.

Additionally, the US should take steps to digitize frequently used identity verification documents, including driver’s licenses, birth certificates and social security cards. This will make digital identity verification easier by orders of magnitude.

Third, the US should enable organizations that verify identities to check existing sources of government data, such as numbers for social security, taxpayer identification, alien registration and passports. This may require some adjustments to current laws and regulations, as well as vendor accreditation, and associated safeguards. Still, in doing so, we could accelerate efforts to stop fraud.

Finally, the US government should formally designate identity management services as critical infrastructure. The Cybersecurity and Infrastructure Security Agency includes identity management and associated trust services in its list of national critical functions deemed so vital “that their disruption, corruption or dysfunction would have a debilitating effect on security, national economic security, national public health or safety or any combination thereof.”

With a largely digitally enabled economy, the leading threat vector that cyberattackers exploit remains poor identity and access management controls. That we haven’t sufficiently invested in building and orchestrating the necessary identity infrastructure to combat the threat makes no sense. We need investments and safeguards in this area to revolutionize how identity is constructed, asserted, reused and protected across physical and digital channels.