ISMG Editors: Identity Security Special
Identity Security Expert Jeremy Grant on AI and Digital Identity Risks
Anna Delaney (annamadeline) • September 1, 2023
In the latest weekly update, Jeremy Grant, managing director of technology business strategy at Venable LLP, joins three Information Security Media Group editors to discuss why the U.S. government is taking a back seat on digital identity issues, the risk artificial intelligence poses to digital identity and security, and top takeaways from the U.S. Cyber Safety Review Board's recent report into cybercrime group Lapsus$.
Grant and the panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; and Tom Field, senior vice president, editorial - discussed:
- Why the U.S. government is taking a back seat on digital identity issues and how it can steer efforts in the right direction;
- The risk AI is bringing to digital identity and steps to prevent social engineers from successfully employing AI-enhanced scams;
- Top digital identity and security takeaways from the U.S. Cyber Safety Review Board's recent report into now-defunct hacking group Lapsus$.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 18 edition on lessons learned from the Lapsus$ crime group and the Aug. 25 edition on the shifting cyber insurance landscape.
Anna Delaney: Hello and welcome to this identity security special edition of the ISMG Editors' Panel. I'm Anna Delaney. And this week, our discussions range from taking a hard look at the U.S. government's approach to digital identity to the implications of generative AI on identity and access management. And joining us as our guide across the slippery worlds of cybersecurity, identity and AI is our very good friend Jeremy Grant, managing director, technology business strategy at Venable LLP. Jeremy, wonderful to have you back with us.
Jeremy Grant: Great to be here. Thanks for having me.
Delaney: We're also joined by ISMG superstars Tom Field, senior vice president of editorial, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Great to have this particular band back together.
Tom Field: It's a good group. Great to be here.
Delaney: Well, Jeremy, we'd first love to ask you, where are you virtually in the world today?
Grant: I am virtually at the Vasa Museum in Stockholm, Sweden, which, if you can see behind me, is a place I got to visit about six weeks ago. It's a fascinating museum. I'd say unlike any other. It's basically a - I wouldn't even say replication - it is an actual 16th century Swedish warship that sank about 20 minutes after it was launched, and then was dragged up from the bottom of the harbor in Stockholm about 50 years ago and restored. And so it's actually a chance to see what a warship from that time would have looked like. Although I hesitate to say it is a warship. And the reason it sank after 20 minutes is essentially that it was designed to be very narrow, very top heavy. And so the whole thing basically fell over once they had launched it. A good example of the need to perhaps beta test some things before you launch them to make sure they do the things that you actually want them to do. But that's where I am today.
Delaney: Very good. Well, I'm going to Stockholm in a couple of weeks. I'll have to pay a visit. Last time I was at the ABBA The Museum. We were tempted by the ABBA Museum.
Grant: You know, my wife and I were not the biggest ABBA fans. It was actually just around the corner from the Vasa Museum, but we opted for the big ship, as opposed to the disco music.
Delaney: Good. Well, Tom, where are you?
Field: Well, first of all, I am aware, Anna, that you do a version of Waterloo, so perhaps we'll hear that sometime during our session today.
Delaney: Maybe!
Field: As for where I am, it's not quite so exotic as where Jeremy is. I am in the Salem Witch Dungeon. I visited the town of Salem, Massachusetts, a couple of weeks ago with my family. Of course, that's where they had the Salem witch trials in 1492. And this is remnants of the actual witch dungeon where the suspects were kept between trial and final disposition.
Delaney: Very spooky, indeed. Matt, witch trials in Scotland?
Mathew Schwartz: I feel a bit downmarket from discos, dungeons and big boats. This is the city centre of Dundee, which, like many city centres these days, has fallen on hard times. But it was interesting to me because very recently here, the phone booths were being taken out. And I just thought, I might have already expected them to be gone. But they've been there. And I think for a while - you'll know this better than me - they were advertising things like WiFi services, which I don't think anybody ever used. I think people got up to worse things in there. So interesting, I think, given the era.
Delaney: Yeah, very interesting. Actually, where I was in Sussex a couple of weeks back, all the old phone booths are now sort of book repositories. So you could just go in, take a book and add one to the collection, but they're the old red phone boxes. Not the nice ones.
Grant: What would Superman do in the modern era?
Delaney: Good question. Well, just to show you my backdrop, this is again from Sussex, and it was a long ride to Rye Harbour Nature Reserve and a coastal walk. It's home to over 4,000 species of plants and animals. So it's nice to get some sea air. Well, Jeremy, we have a few questions for you. So at this moment, I'm going to hand over to Tom to begin proceedings.
Field: Okay. So the witness will please take the oath. Jeremy, not long ago, you wrote an article for The Hill that was entitled "Why Is Our Government Taking a Backseat on Digital Identity Issues," and the piece mentions that the White House left digital identity out of its implementation plan for the National Cybersecurity Strategy. In your opinion, what impact could this omission have on the overall cybersecurity landscape? It seems like a significant missed opportunity.
Grant: That was our take as well. So I think one of the projects that I lead from my perch at Venable is running an organization called The Better Identity Coalition, which has brought together a lot of companies, largely the buyers. Think about firms in tech and telecom and financial services, both traditional banking and fintech, health, that all need better identity systems. And I would say, when the National Cybersecurity Strategy came out in March, we were all collectively thrilled that it had a very robust section. It was strategic objective 4.5, about enhancing the digital identity ecosystem. So the take from the White House at the time was, "This is the strategy, what's really going to matter is the implementation plan." We were excited to see what would come out next. When it was released in July, they basically skipped from objective 4.4 to 4.6, as if digital identity had never been in the strategy. Now, in fairness to the White House, they stated, "This is an iterative document, there will be subsequent versions of it." And so, this does not mean that just because it was not included here, that there won't be something in the future. But I will say, this was the only strategic objective in the entire strategy that got this treatment of being skipped over, with the exception of one on privacy legislation where the strategy was very clear the ball was in Congress's court. So in terms of what happened, it's a little hard to say. I think it is safe to say that maybe not all parts of the White House are equally enthusiastic, compared to some of the folks on the cybersecurity side, about looking to do something here. I do think that there are concerns about privacy and civil liberties if the government does something broader on digital identity; that might be a concern. However, our point has been - and this was sort of the theme of the op-ed - choosing to do nothing is an active policy choice as well.
And if there are concerns about privacy and civil liberties, and in fact, our coalition has articulated them a number of times, now is the time when some big things are happening in the digital identity space for the government to actually come in strongly. With the idea of outlining what good looks like, outlining where there are risks and taking some proactive steps to actually address it, doing nothing might actually put us in a worse place in terms of the outcomes we're going to see in five or 10 years, than doing something.
Field: Now you do suggest in that piece that there is an opportunity still for federal government to shape the direction of digital identity initiatives. How would you say government can steer these efforts in the right direction, as opposed to, as you said, doing nothing and perhaps having a setback even further?
Grant: Well, I think a lot of it comes back to what we think we should see in terms of follow-up from the National Cybersecurity Strategy, which again, we thought that language in there was quite good. And just the fact that the White House would be leading on this. I think we've talked before about a big challenge in the U.S. when it comes to digital identity. And what we're really talking about here is what I would say are challenges around remote identity proofing. How do we know who's online when they're applying for a new account at a bank, at a government agency, for something in the healthcare space? We have a big challenge in that we don't have a national ID in the U.S. And we're not calling for that. But we do have a number of nationally recognized authoritative identity systems that are all stuck in the physical world, be it the birth certificate I got from the county in Michigan where I was born, the driver's license that my state DMV gives me, the Social Security number and the passport that the federal government gives me. All of those I can bring into a physical building and use to prove who I am. But there are no counterparts to those in the digital world. And so what we have been advocating for is for the White House to lead an effort to bring together what I would call the big stakeholders at the federal, state and local level who are issuing these authoritative credentials, all of whom have different efforts, I would say different levels of maturity, underway to try and come up with digital counterparts. And again, take that time to define what good looks like, what are the outcomes we're looking to achieve, what are the risks that we want to anticipate and mitigate, and how do we have a plan to get from A to B? That's, I think, where there's some important work to be done. I'll flag on that point.
Just a couple of days ago, the Transportation Security Administration released 144 pages of draft regulations around what digital counterparts to plastic drivers' licenses will look like for purposes of compliance with the REAL ID Act of 2005. Again, TSA is very focused on what are the things that you'll have to do to accept a digital credential, say at the TSA checkpoint. That's an interesting use case. It's kind of a nice-to-have. In the online identity proofing world, we have basically the equivalent of a raging wildfire, where there are millions of victims and tens of billions of dollars of losses each year because of identity theft and identity-related cybercrime. How do we have a broader national effort to go beyond just this narrow place where the TSA is focused and actually look at solving this problem more holistically?
Field: Very well said. I'm going to turn this over to my colleague, Matt. Matt, your witness from the phone booth.
Schwartz: Jeremy, you co-authored a great post recently about what generative AI means, and especially for me, I thought, you started with this classic line, "Help me Obi-Wan Kenobi, you're my only hope." But as you mentioned in your post, what if this wasn't actually Princess Leia? What if this was a fake Princess Leia, a deepfake, reaching out to Obi-Wan, and Obi-Wan was being trolled by the Empire, and everybody involved was duped? I think this is a great example of some of the risks. I mean, Hollywood, yeah, but some of the risks that AI is bringing to digital identity and security, and our proclivity, perhaps, to overlook those in moments of distress or adventure. Where do you think some of the big problems are right now? We've talked about a lot of possibilities and potential, but what do you see as near-term risks here?
Grant: Well, I'll say first, just from the perspective of historical accuracy, keep in mind that Star Wars was a long time ago in a galaxy far, far away. So perhaps they had not created generative AI, even if they had managed to sort out space travel and some other things in a pretty cool fashion. But I think that the risks that we're seeing these days, getting back to deepfakes - we've been talking for years in the cybersecurity space about this concept of zero trust, and it's a zippy term, with a bit of an arcane meaning in the enterprise: let's just assume that people aren't trusted, and we want to verify who they are and their permissions each time before we let them access something. But I think zero trust is about to head to a bit of a darker meaning, which is, in a world where generative AI is advancing so quickly, we're soon not going to be able to trust any voice or photo or video that we see online. In fact, we're already seeing the technology being used to attack some remote identity verification systems these days. And at that point, the idea of, I guess what I would describe as proof of humanity - that there is really a person at the other end of this and not an AI-driven bot that's just looking to scam somebody - is going to become much more important. And so I think this is really going to be a significant challenge going forward, not just from a security perspective, but this broader question of, "What can we all trust as we're encountering different things online?"
Schwartz: Trusted identity systems - not to feed you a softball here, but what can be meaningfully done, given the fact that we're all human? And as I was saying, in times when you're approached by droids and told that you've got to save the space princess, we say, "Show me the way." Social engineering remains a huge threat, getting under these protections that we would normally have for ourselves, and AI-enhanced trickery gives fraudsters more possibilities. Are there any anti-fraud controls that you see, maybe hopefully in the near term, that could meaningfully intercept these sorts of social engineering attacks? I think we have to accept there's always going to be some level of those. But what can be done, do you think?
Grant: Well, I think there are two things we highlighted in the blog. So the first is AI is getting good at spoofing a lot of things. And it might even be able to spoof some biometric systems. But the one thing that AI is not able to spoof is asymmetric public key cryptography. The idea of an identity that is bound to a private key, stored securely in hardware, be it in your device or a standalone token, is something that I think is going to become much more important going forward. Because it will be the one thing that - look, so much of biometrics and just everything else we're looking at is predictive, in terms of we're analyzing a bunch of data points, and it seems like it's you or it seems like it's a real person on the other end, but possession of a private key is actually a determinative factor. And so I think that will become more important going forward because AI cannot spoof that, at least until we marry AI with quantum computing in about 10 years, and then we'll all be bowing down to the machines - that might be a good time for me to retire. The second thing we flagged is actually AI itself, which is that a lot of the same technology that can be used to launch these attacks can also be used to detect them. And in fact, a lot of what we're seeing in security these days is a model where we're increasingly reliant on being able to ingest data from a lot of different sources - sort of about the machine, about the transaction, about things that we're seeing - and be able to analyze it for potential anomalies that show that there's actually a risk that something fishy is going on. And so I will say I'm not totally pessimistic about AI, but I do think it's a case where we'll actually need to fight fire with fire.
Schwartz: Fantastic. Well, fighting fire with fire. Anna, over to you.
Delaney: Very good. Well, Jeremy, the U.S. Cyber Safety Review Board recently released a report into Lapsus$, the now-defunct adolescent hacking group that amassed some multibillion-dollar and multinational victims, such as NVIDIA, Uber and Rockstar Games. The data theft and extortion gang, the review board said, used primarily simple techniques like stealing cell phone numbers and phishing employees to gain access to companies and their proprietary data. So, Jeremy, what are the top digital identity takeaways you'd highlight from this report?
Grant: So I think there were two, and I happen to have the report here, I think because I was going through it again earlier today reviewing some of the findings with clients. One, it's a great report. I think the number one takeaway, the number one recommendation, was that it needs to be a national priority here in the U.S. to take significant steps to accelerate the adoption of phishing-resistant authentication, ideally passwordless, and they specifically pointed to FIDO standards and FIDO passkeys as a core part of the solution. A big vulnerability that Lapsus$, who, as you pointed out, were just a bunch of sharp teenagers, were able to exploit is that a lot of the legacy multifactor authentication that we've rolled out over the last 10 years - be they SMS codes, be they one-time password apps, be they the push apps where you get a push notification and it says, "Anna, you're trying to log in?" Yes - all of those are phishable. Now - and we see this all the time - we come up with a security innovation and help stop attacks for a few years, and then the attackers innovate and they catch up. And we are now seeing - it's not exactly new, in fact, Google back in 2015 flagged that, hey, "If an attacker can phish a password from you, they can also phish that one-time passcode that you have." And so we need to start thinking about things that are more secure. But I think what we've seen from 2015 is that was a new, novel attack; now you're seeing a bunch of 17-year-olds be able to do some serious damage with it. It really has to be a priority to shift to truly phishing-resistant authentication. And back to the point I was making about AI before, FIDO is based on possession of a private key; it is something that can't be phished. And so I think that's much more important. The second thing they also talked about in there is SIM swap attacks.
And the challenges that we continue to see with the mobile carriers around guarding against SIM swap attacks, where, essentially, a scammer will go in and either convince the phone company or perhaps in some cases bribe somebody who works in a mobile store to essentially transfer your phone from one phone to another. And then if you're getting those SMS codes, well, now they have control of the phone that is used to get them. And they pointed out, when we're doing SIM transfers - which of course we want to enable for consumers; they might just be upgrading their phone on the same carrier, they might be looking to port from one carrier to another - there are a lot of opportunities there for people to spoof identities, and so they had some recommendations around strong identity verification and authentication that they think the carriers should look to implement. So I'd say collectively, like a lot of things in identity these days, it was a very identity-centric report, both in terms of diagnosing how the attacks happened, but also in the recommendations for how to fix things.
Delaney: Does it feel, Jeremy, like you're having to make the same defensive recommendations time and time again? CISA Director Jen Easterly used the report to call for more widespread use of MFA. But that's not a new message. Are we making progress here?
Grant: We're making progress. But I will say it is a little tiresome at times, saying the same thing year after year. Although I feel like if I was saying this 10 years ago, I might have been the only one in the room saying it, and a lot of people were asking, "Why is it that we really need this stuff?" Whereas now, as you pointed out, the director of CISA, Jen Easterly, is personally leading the campaign to try to get the private sector to implement this technology. So I think we're definitely making progress. I think key leaders and decision makers get it right now. I think we're actually making really good progress on the authentication side in general. I think, with the increasing ubiquity of things like FIDO authentication, we know how to fix this, we sort of know how this ends. I still think adoption is going to take years just because there's always a gap between when you have an innovation and when we can actually get it into consumers' and businesses' hands. And there is a challenge in that. How would I say this? Your average consumer is used to having a password. And if you actually let them go without a password, they might think you're making them less secure, even if you're really making their life simpler and making them more secure. And so I think there are some usability challenges that still have to be overcome. The identity proofing side, I don't feel like we're there yet. I mean, the fact that we don't have a comprehensive national approach there the way we do in the authentication space. The fact that we had this episode earlier this month where it was left out of the implementation plan for the National Cybersecurity Strategy. I think that's a new frontier where more work is going to be needed. And where there is a gap right now between where security experts are,
and where, I'd say more broadly, a lot of industries are in terms of the solutions that are needed, and seeing government leadership willing to step up and help to accelerate the process to get us there.
Delaney: All right, good. Well, thank you, Jeremy. One final question for you, if I may, just for fun, carrying on with the Star Wars goodness. I'd like you to either share something from Star Wars that is particularly great or awful when it comes to illustrating security concepts, or devise a new Star Wars character which does the same. Jeremy, I'll give you a break for a moment. There are experts in the room. Tom, go for it.
Field: Last night, I happened to speak to a CISO at a university medical center. And she talked about having just deployed a new solution that helps detect the use of generative AI in content. I thought, what a terrific solution that is, particularly for a university. So my Star Wars character is a droid that goes out seeking the use of generative AI. I'm going to call it GPT3, though.
Schwartz: Is it a killer droid? Is it a killer droid, Tom? Is it all black?
Field: Depends upon the content that gets found.
Delaney: Very good. Love that.
Schwartz: I love the lack of compartmentalization by the rebel force that tries to pick some frozen planet somewhere and just say, "Hey, probably nobody will find us. But if they do, oops, a lot of people are going to die." But I especially love the ability to steal a piece of equipment, say an Imperial transport shuttle, and come up with the code. "The shuttle looks a little old." "Are your codes outdated?" Does the Empire use step-up authentication? Does it seek a second or third form of verification? Does it say, "Uh huh, don't think your engines are too dry? We're going to have a closer look here"? They do not. So that's one of the little things that has jumped out at me from time to time.
Field: There is no try authenticate.
Delaney: Well, my character is a Jedi Sentinel whose mission from an early age has been to safeguard online identities, and part of her superpower is her data shielding aura. So she emits an electromagnetic shield that envelops users within her vicinity, safeguarding their personal data and sensitive information from breaches. So I wonder if George Lucas has convinced Jeremy.
Grant: I was going to go with a semi-competent CISO for the Empire. I mean, the number of times that R2-D2, while a lovable droid - I think it's just a pretty standard-issue droid in that world - can just walk up to some sort of Empire system, stick a little probe in and instantly access it and basically take the system over. This is an empire that, for whatever they were able to do in terms of sheer power and fear and intimidation, consistently had some of the crappiest access control and cybersecurity practices that you could ever imagine. And it would have been a much quicker movie, or set of movies, I think, if they just had a competent system on the back end, which drives home the point, which is that CEOs and boards keep ignoring information security, and they don't actually empower people where it counts. So they got what they deserved.
Delaney: Well said. Very true, and I'm looking forward to the next film. Jeremy, thank you so much. This has been immensely fun and very informative, as always, so we thank you.
Grant: Thank you for having me.
Field: Thanks, Jeremy.
Delaney: And thanks so much for watching. Until next time.