Proof of Concept: A New Era for Digital Identity?
Also: CISA's 18% Budget Increase; Software Bill of Materials Challenges Anna Delaney (annamadeline) • July 18, 2022
In the latest "Proof of Concept," Grant Schneider and Jeremy Grant of Venable join editors at Information Security Media Group to discuss progress being made at the U.S. federal level in developing legislation around digital identity, the significance of an 18% increase in funding for CISA in fiscal year 2023 and the challenges of expanding the use of software bills of materials.
See Also: Critical Gaps in Securing Identities: Survey Results and Analysis
Anna Delaney, director, productions; Tom Field, vice president, editorial; Grant Schneider, senior director for cyber security services, Venable; and Jeremy Grant, managing director of technology business strategy, Venable, discuss:
- Progress at the U.S. federal level on improving the Digital Identity Act of 2020;
- The significance of increased funding proposed by the White House that allocates $2.5 billion for CISA for fiscal year 2023, an 18% - or $377 million - increase over what was requested in fiscal year 2022;
- Progress and challenges around developing and advancing the software bill of materials or SBOM.
Prior to joining Venable, Schneider served as the U.S. deputy federal CISO and the U.S. federal CISO and as senior director for cybersecurity policy on the White House National Security Council. Before that, he served for seven years as chief information officer for the Defense Intelligence Agency.
Grant was the founding leader of the National Program Office for the National Strategy for Trusted Identities in Cyberspace and senior executive adviser for identity management at the National Institute of Standards and Technology. He led the White House’s initiative to catalyze a marketplace of secure, easy-to-use, privacy-enhancing identity solutions for online services through government and private sector partnerships.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the May 23 edition on how we can improve industry collaboration and the June 22 edition on the corporate risk of using social media.
Anna Delaney: Hello, thanks for joining us for Proof of Concept, the ISMG talk show where we discuss the cybersecurity and privacy challenges of today and tomorrow with industry leaders, and how we can potentially solve them. I'm Anna Delaney, director of productions, ISMG.
Tom Field: I'm Tom Field, I'm senior vice president of editorial at ISMG. Anna Delaney, where in the world are you, today?
Delaney: I'm in London that feels like the Bahamas. It's hot enough to be solving tropical. It's very good. We like that summer's here.
Field: That we're finding you at home is news in and of itself.
Delaney: It's dull. Because the last time we recorded this, we were both in New York for our Northeast Summit. And since then, you've been back to New York to host our Healthcare Summit. How was it for you this time? Anything to report on?
Field: Yes, I was in New York earlier this week for our first Healthcare Security Summit since the fall of 2019. We had robust attendance at the event, excellent speakers. Here we are midyear of 2022. Every event is somebody's first event back from pandemic. So there's that excitement. And we had terrific topics. We talked about cyber insurance. We talked about unique threats to healthcare entities, including the ransomware surge and documentation of cyberattacks that have resulted in loss of life. And everybody's favorite topic: medical device security. So we had an excellent panel of speakers and sponsors and discussions on our stages throughout the day. I hosted another roundtable discussion on our favorite topic of software supply chain security, happy to see people again and kudos to our colleague Marianne McGee for putting together such a lineup of speakers and topics.
Delaney: But on the ransomware threat: I read today that ransomware attacks on U.S. healthcare organizations increased 94% from 2021 to 2022. And it's worth remembering that just four to 7% of the average healthcare providers' annual IT budget is focused on cybersecurity. And that's pretty gloomy picture. Was there any hope that you gained from this event?
Field: About ransomware? Hopefully, the criminals move on to something else. Now, as long as it's successful, it's going to continue to work. And it is successful because the criminals know they've got the healthcare organizations over a barrel. This is about treating and saving lives. And when it comes down to paying a ransom of whatever amount that might be, too often organizations are going to do that and hope that this goes away. Now, we know better. But it's a successful business model. I don't have a lot of hope that that's going to change soon.
Delaney: But in terms of defending ourselves?
Field: There are some positive things happening. I think a medical device security, I think that the message has come down that security needs to be built in and embedded from the start when you're creating these devices. All the players now understand this and are working together well. I'm encouraged that you've got healthcare organizations that have come to think a higher level of maturity and their security postures and leadership. I think that these shifts are being captained by some smart leaders.
Delaney: ISMG was focused on keeping content relevant and fresh. And for some time now, we've tried to steer clear of terms like pandemic effect, and how has COVID-19 impacted your business. But in the healthcare sector, we can't avoid still talking about COVID-19. How much of COVID-19 was part of the conversations that you had?
Field: It is in some ways that are related to the ongoing digital transformation. And for many of these healthcare organizations embarking on robust cloud migration strategies that they hadn't done before, not to this degree. So, there is talk of the new freedom for healthcare providers, being able to provide remote digital healthcare and means of securing that. It's not so much impacted pandemic in terms of we're not talking about the loss of business because of surgeries that weren't performed. We aren't talking about trying to align this new hybrid workforce. We're getting into some more positive progressive impacts of the pandemic, which is a nice relief to have these conversations.
Delaney: For sure. We have our Government Summit coming up in Washington. What are you looking forward to?
Field: Going back to Washington, D.C., as a similar refrain. It's been three years since I've been back there. So, going back to D.C., but we've also got some excellent speakers, including some people that we're going to be talking to here before too long, but in addition, we've got speakers from CISA, NSA, the FBI, and the Secret Service from the Department of Defense. So, we're going to get into some terrific conversations about critical infrastructure protection about the nation-state threat landscape, and further repercussions of Russia and Ukraine, we'll talk about ransomware, and I'm looking forward to catching up with some of these government agencies on where they are and conforming with President Biden's 2021 executive order. So they're going to be some fresh conversations about zero trust security and MFA. And about our favorite, the SBOM (software bills of materials). Could be a terrific event. Looking forward, that will be July 26.
Delaney: I won't be there. But I'll be watching virtually. Looking forward to that. And you have the CISO of the U.S. Army, which is cool.
Field: The agenda and list of speakers evolves by the hour. It seems that this is going to be a significant event. And I would put that out there to our audience here. This is going to be in Arlington, Virginia. It's an event that free registration, please check out our sites, look at the agenda and the speakers. It's a terrific day to spend among some of the top thought leaders in the industry, and talking about the topics that are relevant to everybody in the public and the private sector that we will be talking about over the course of the next year. There's no better way to immerse yourself in topics and speakers and spend some time at this event. If I might give that little plug.
Delaney: Well said. Let's introduce our first guest. We're delighted to welcome back the exceptional Jeremy Grant, managing director of technology, business strategy at Venable. Great to see you, Jeremy.
Jeremy Grant: Great to be here. Thanks again.
Delaney: So, Jeremy, it's been an interesting time for anything digital identity, and we saw that improving the Digital Identity Act was on the agenda for the committee on oversight and reform markup meeting last week. What do we need to know? What's the state been like?
Grant: It's been a lively week, I think both in the House and the Senate on the digital identity front. As backdrop, as we're talking about the pandemic and people getting out of the house again for the first time and showing up in-person events. One of the things the U.S. government has been grappling with, both with regard to public distribution of benefits and government services, but also the fraud we've seen in the private sector has been massive fraud that skyrocketed during the pandemic, as organized criminals took advantage of court deficiencies in identity infrastructure to spook people and claim benefits in their name and the estimates of the fraud. Some say tens and hundreds of billions, it's a lot of money. So, with a focus on trying to figure out well, how do we address some of these deficiencies in digital identity infrastructure. There's been a great bipartisan House Bill, led by Bill Foster and Illinois Democrats and John Katko, a New York Republican called the Improving Digital Identity Act that's been out there for a couple years. Not to get into every detail, but to move legislation through the House, it gets rid of bills get referred to certain committees that have jurisdiction, it was hard to get the committees of jurisdiction to pay attention to this bill, until recently. And so I think the big news this week, were two things. First, in the Senate side, you got to pass the bill through the House and the Senate to become law, if you remember your old civics lessons or Schoolhouse Rock. We saw two senators, Kyrsten Sinema from Arizona, who's a Democrat, teamed up with Senator Cynthia Lummis, a Republican from Wyoming to introduce a Senate counterpart to that bill. And then on Thursday, July 14, in the House, that same language was marked up in the House Oversight Committee that has jurisdiction. So, you're suddenly starting to see some momentum here, where the main committee that needs to move on has embraced it in the House, and we have a bipartisan bill in the Senate. We don't want to get optimistic just given how hard it is to get something through Congress. But you're starting to see Democrats and Republicans together, recognize the importance of action here and also starting to take some action to advance the bills forward.
Delaney: That's good to hear. Talk us through the events of the past couple of years that have led to this breakthrough.
Grant: A lot of it came from going back to the 2017 Equifax breach. So, we've talked before one of the projects that we run out of Venable is industry coalition called the Better Identity Coalition, which arose out of a lot of questions people were asking after that Equifax breach, specifically around how are we going to do digital identity, going forward, for leveraging solutions from companies, what people would call knowledge-based verification where I'm done is asking, "Anna Delaney, you say you're Anna, but, what's your mortgage payment? You took out a car loan four years ago with Chase, what are you paying? What street did you live on in 2006?" That was sort of the standard at the time in 2017. For how to figure out who was who online. And the thing I can say about those knowledge-based systems is they worked for a while, but the attackers caught up with him to the point that most of the banks I work with these days in our coalition say if somebody answers one of those quizzes too quickly and too accurately to sign, it's probably a fraudster. They have the keys to those answers now. And so it led to broader questions around how do we figure out who's who online. And I think that at the heart of the coalition's policy blueprint that was actually published — in a recording of this in the 15th — four years ago today, that's a big deal. Was this recognition, we need to ultimately close the gap between the credentials, the government issues, which are stuck in the paper and plastic world, and the digital world. We're all trying to transact online. That blueprint got a great bipartisan response. It then led to the introduction of a house bill, and now we're starting to see momentum pick up in the Senate and with committees in the House that matter taking this up.
Delaney: So, momentum is picking out. What are we likely to see next?
Grant: There's still a few things that have to happen. I will say that the House bill got marked up, but they did not have the final vote on it. Not to get too far in the weeds, but they all had to run from the committee to the full floor of the House to vote on about 600 amendments tied to the National Defense Authorization Act for the year that funds the whole defense department. So, they're going to come back and vote on it. And then we're hoping, perhaps in the Senate, we'll see a similar type of markup, given some of the momentum we're seeing.
Delaney: Good. Jeremy, what digital ID trends are you watching elsewhere in the world? What piqued your interest recently?
Grant: I think that the two things that I'm getting asked most about that people are talking about: one is a topic that we've talked about on some other ISMG interviews, which is the passkey announcement from FIDO, where it's a way to finally address some of the lingering usability concerns around FIDO authentication, which everybody's recognized as sort of the gold standard from a security perspective, but a little hard to deploy in terms of a lot of it involves people managing private keys and our devices, which isn't the easiest thing to do. So, the announcement from a couple of months ago that Apple, Google, and Microsoft are all collaborating in FIDO Alliance to come up with a standardized way to sync your passkeys, your FIDO keys across devices. Lots of questions about that a lot of excitement in industry and governments, but also questions around how it's going to work. And then the other thing we're starting to see, at least in the U.S., with mobile driver's license, is starting to get adopted by a handful of states. The early use cases are focused on in-person applications, like what do I do if I'm going through a TSA checkpoint? And could I use my phone instead of my plastic card? But the real interesting ones, getting back to some of the things about our identity coalition has been focused on how do I use that to prove who I am online, instead of, some other product trying to guess who we actually go back to the authoritative source and have a digital counterparts that physical credential. So, some good activity happening there. The next couple years are going to be lively in that regard.
Delaney: Fascinating times. Thank you very much, Jeremy. It's been informative, as always. Tom, over to you.
Field: Let's talk with Venable's other Grant. We have got here with us today, the former federal CISO and current senior director for cybersecurity at Venable, Grant Schneider. Grant, always a pleasure to see you.
Grant Schneider: Tom, great to be here with you and Anna again.
Field: Following up on what Jeremy Grant was just talking about: House Appropriations Committee has approved a $417 million budget increase for CISA for 2023. How significant is that? And where do you see these potential funds being distributed?
Schneider: It's a significant amount above both what was appropriated and in 2022. And then also an even more significant amount above the President's request. And so, it'll be interesting. Like Jeremy was discussing the process, there's still a process with the Senate. So, we'll see how these numbers hold in general, but the fact that there's been a lot of bipartisan support of enhancing and increasing CISA's budget is a testimony to the understanding of the importance of cybersecurity. Some of this is going toward directed programs inside of CISA. One of the questions I have is, how is this going to be able to leverage these funds to support their various missions around critical infrastructure in our nation as a whole, but also from a former government standpoint, how are they going to be able to support departments and agencies that are working to implement the cybersecurity executive order mandates and make enhancements across their cybersecurity? We're not seeing the same types of increases at other agencies that we're seeing at CISA.
Field: We'll be able to have these conversations with CISA at our upcoming government security events. I look forward to that. Grant, earlier today, I was talking to an identity vendor, and they mentioned they were going to a county government conference next week where the county government people think MFA is a bad word. I'm wondering what they're going to think about SBOM, when that gets introduced. As you know, CISA is currently facilitating a series of public listening sessions to build on existing community-led work around the software bill of materials on specific SBOM topics. How do you think these discussions are going? And do you have any concerns about what you've seen or heard so far?
Schneider: Yes, we will. I think the discussions have been productive and informative. They're exactly that. They're listening sessions, I've sat in a number of them this week. And the great thing is we're bringing a lot of different people and a lot of different points of view. And CISA has worked to put some alignment around, when are we talking about how we share and exchange data? When are we going to talk about what this means for cloud service providers? What I'm getting out of it is there's a lot of work to be done here, we were still at the early stages on software bill of materials, and it's going to be an important tool. And it's going to be a tool for a variety of different use cases. But most people come at it with their particular use case in mind. So, I think that makes it a bit of a challenge of how you pull the various points of view together. And how do we move as an industry forward, this isn't something that CISA is ultimately going to drive and own. They're going to set some requirements, the government will set some requirements, but industry is going to be at the lead of hurting the other industry cats and making progress here.
Field: I've been in a lot of discussions with small roundtable groups about software supply chain security, it's clear that organizations of all sizes, all sectors are challenged, just to know what they have for code within their organizations. Asset inventory is a huge issue. What's your advice to organizations on where they can begin to get a better handle on software security and software supply chain security?
Schneider: Your point is well taken. Asset information has been a challenge for IT organizations, as long as they've had assets. It comes down to, and also much of cybersecurity does, the foundations and the fundamentals. I do think with software security, we're going to need most organizations to understand what products they have either through their licensing agreements, you can have automated tools that will understand that products, the challenge is becoming and this is where SBOM comes in the components of those products that you have, and what are they made up of, because even the software that you license, or that you purchase from a vendor includes open source or modules that are reused for good reasons. And that's a good practice that we want to continue to see and encourage because it drives up efficiency and drives down costs and does a lot of things. But it also creates this unknown of what's in my package. And more importantly, and we saw this with Log4j, if there's an issue, and you don't know where it is, that issue can suddenly become wide ranging, and a lot of different organizations and a lot of different places. And Log4j is the perfect example there.
Field: Grant, my simple take is that SBOM has become like information sharing. Everybody wants to receive information, we're reluctant to give it up. I don't know that we're resolving the mutual benefit here anytime soon. What's your take on SBOM so far?
Schneider: I think the analogy with information sharing is probably good. Because the other part of it is different for everyone. Some people think SBOM should be public, and other people are concerned about their intellectual property or the secret sauce and their code, and what those implications may be if it's public, so other people only want to be able to provide them to people who have acquired their software. So, there's a lot of different points of view. We have a long road ahead of us, I think is my bottom line on SBOM. There's a lot of work to be done. And we're going to need a lot of collaboration and information sharing to get from point A to point B.
Field: Excellent. Grant, Thanks so much. Appreciate it. Anna, back to you.
Delaney: Let's bring the party together. Summer holidays are upon us. Are you taking a break? Where do you go to unwind to get away from the stress of work? Jeremy, you got to start us off because you've got a good story.
Grant: Yeah, so I got less than a week back from two weeks in Portugal. I will say the plunging euro is making things wonderfully affordable, although probably harder for the Europeans.
Delaney: So, Jeremy, did you switch off your phone? Did you avoid taking calls?
Grant: It was largely unplugged. I'm a two-phone kind of guy. I got the party phone — the personal phone — and then I have the one with the work email. And yes, there's no need to mix those two together. So there was a little bit of check-in here and there, deal with a few things. But no, this was a largely blissfully unplugged vacation.
Delaney: Very good. Grant, do you take time out?
Schneider: Yes, the end of the month, or the first week of August. I'm going to spend a week sailing on the Chesapeake Bay with both of my daughters. Looking forward to spending a little bit of time with them and hopefully find some spots where my cell phone doesn't work. So that I too can unplug.
Delaney: I was going to say that's a good idea. Lack of Wi Fi there. Tom, you are also a fan of the water.
Field: But I had a big storm hit here yesterday. It knocked out my phone. So, all of a sudden my phones weren't working. I didn't have to go anywhere. My break is hanging out with the three of you today.
Delaney: What's on your summer reading list seller? Bill Gates? Jeremy, do you have a long list that you work through?
Grant: I needed a new book now because I plowed through a few of them while I was gone. Sea of Tranquillity by Emily St. John Mandel was a great book. We've done well on the beach last week.
Delaney: Grant, it's fact or fiction?
Schneider: Some of both. I need to go through the stack of books in my room and pick a couple to take. One that I've always meant to read and haven't is Old Man and the Sea by Hemingway, so I think that's going to be on my list this summer.
Delaney: Very apt. Tom, that was a big book. Did I spy a big book?
Field: I am revisiting the first Stephen King book I ever bought in the fall of 1980, which is Firestarter. And I haven't read it since the fall of 1980. Give you a sense of how old this is. When you open it up and says books by, there are only six.
Delaney: That's awesome. So no cybersecurity reading for you this summer?
Field: All day, everyday.
Delaney: That's all we have time for. This has been fascinating and brilliant and an absolute pleasure. Thank you, Jeremy Grant and Grant Schneider for your insight and it's goodbye from us.
Field: Until next time!
Delaney: Until next time! Thank you for watching.
