New DHS Designation Highlights the Importance of Identity Management to the Nation
Generate Electricity. Supply Water. Transport Cargo and Passengers by Rail. Provide Identity Management Services.
One of these things is not like the others.
The first three are all things most people would consider to be “national critical functions” – what the U.S. Department of Homeland Security (DHS) defines as “The functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating impact on either the Nation’s homeland security, economic security, public health or safety, or any combination of these.”
But identity? While those of us who have worked in the space for years – and seen how many devastating attacks have occurred because of weak authentication and other inadequate identity controls – have argued that it needs to be a national priority, identity management is not a topic that has gotten adequate recognition.
On April 30, 2019, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released a set of 55 set of National Critical Functions, focused on identifying particular functions where the degradation of capabilities would create material risks that impact critical infrastructure and the country at large. The idea is for DHS to move from looking at critical functions on a sector-by-sector basis to an approach that looked at the most critical issues across sectors.
One of the Critical Functions is “Provide Identity Management and Associated Trust Support Services.”
Note that most of the Critical Functions are not related specifically to cybersecurity. The fact that identity management has been elevated to sit on this list alongside these other Critical Functions is quite notable – and a recognition of how important identity has become to our way of life and the security of our most critical assets.
In the months ahead, DHS will be working to create a “Risk Register” – identifying scenarios that could potentially cause national-level degradation to each National Critical Function, diving into the likelihood and consequence of each scenario, and creating recommendations on how to avoid the most devastating scenarios. There will be opportunities for the private sector to engage and provide input – most likely though the Sector Coordinating Councils (SCC’s) that DHS partners with to get input on key critical infrastructure security and resilience activities.
Much work lies ahead – but today, the designation of identity management as a National Critical Function is something to promote and celebrate.
About the Author: Jeremy Grant serves as the Coordinator of the Better Identity Coalition, which works with policymakers to improve the way Americans establish, protect, and verify their identities online. He is Managing Director, Technology Business Strategy at Venable LLP, and previously led the National Strategy for Trusted Identities in Cyberspace (NSTIC).