Federal officials this week said that new phishing preventative pilot programs, quantum-resistant cryptography, and other identity authentication measures need to be further implemented and standardized across Federal agencies.
Ensuring that the identity verification process is as “robust” as possible is critical to preventing phishing – a type of cyberattack that uses fake communications to steal sensitive data or spread malware – Federal officials said during a Nextgov/FCW event on Aug. 14.
Additional security protocols or methods beyond personal identity verification (PIV) credentials may need to be used, said Ryan Galluzzo, the digital identity program lead in the National Institute of Standards and Technology’s (NIST) Applied Cybersecurity Division.
“If you can defeat the identity proofing processes, you’re going to get issued a legitimate credential, and so that’s going to undermine the authentication process,” said Galluzzo. “So, really figuring out how we can make the identity proofing process as robust as possible, but also make sure we’re maintaining various breeds of capabilities for organizations and agencies, right?”
Developing more secure, cryptographically backed digital identity solutions and integrating them into a comprehensive cybersecurity strategy can improve identity verification, Galluzzo explained.
Solutions include implementing phishing-resistant authentication methods such as public key cryptography and passkeys, transitioning from reliance on physical documents such as driver’s licenses to digitally secured credentials, and continuously evaluating identity and security controls to ensure they remain effective.
Developing and implementing post-quantum cryptographic algorithms and standards can help address threats posed by quantum computing, a technology that uses quantum bits (qubits) to perform certain calculations far faster than classical computers.
Making sure that each part of an agency or organization has equal security coverage is critical, Galluzzo added. The NIST Cybersecurity Framework (CSF) received an update earlier this year that emphasizes security across the whole organization, he said.
“How do you structure processes around [cybersecurity protocols] so that you can apply all these things consistently and manage them as an organization from a risk-based perspective,” said Galluzzo. “Because you can do each one of these things in a silo, you can do real good identity in one part of your enterprise [and] not good identity in another part of your enterprise, where you can apply controls consistently to one part and not another – you’re going to create incidental pathways for attackers to fall out.”
Other agencies, such as the General Services Administration (GSA), are advocating for alternative phishing-resistant authenticators where public key infrastructure (PKI) or the Federal PKI – a system that manages digital keys and certificates to secure online communications by enabling encryption and authentication – may not work.
Standards such as Fast Identity Online (FIDO), which enables passwordless authentication through biometrics and hardware devices, can support those alternative approaches.
“One thing we wanted to do to help agencies was to create these smaller proof of concept cohorts,” said Babur Kohy, the acting director of GSA’s Office of Technology Policy’s Identity Assurance and Trusted Access Division. “There are multiple ways that you can go about piloting different products based on your technology stack, based on your user base and use cases within the agencies.”
“Our role government-wide was to help navigate that landscape, both from the pilot standpoint, as well as managing that cohort and then bringing a brown bag series into the mix, because we’re as good as what we know. And what we realized early on was we needed those brown bags because technology has advanced, and we need to stick with it,” he continued, in reference to recent FIDO pilot projects across agencies.
Other practices GSA uses to increase identity security include a recent “major redesign” of IDmanagement.gov, which acts as the central repository for workforce identity resources. Updates included more content and resources for cybersecurity education and implementation guidelines, Kohy said.