Real-ID data surge raises real dangers
Troves of digital identity documents amassed to comply with Real-ID will raise the stakes for states struggling to protect their IT systems and data.
State and local government organizations are bursting at the seams with sensitive data. The Real-ID Act of 2005 set standards for issuing identification like driver's licenses and requires states to “capture digital images of identity source documents so that the images can be retained in electronic storage in a transferable format.”
States must collect and store a wealth of new digital information as residents update their driver's licenses to be compliant with Real-ID. Drivers are handing over passports, birth certificates, Social Security cards, bank statements and other personal identity documents to their local motor vehicle department to scan and create digital copies. As these DMVs face a data collection and storage burden, the records they collect will be an attractive target for criminals, who only need to crack one system for a big payoff in personally identifiable information.
As the Real-ID program hits its stride, here are five questions every state should be asking:
1. Is our data safe from insiders? Employees and contractors likely pose the biggest threat. Insiders are increasingly savvy and know the kinds of measures that are in place to protect data -- and how to avoid them. They have plenty of ways to steal data: saving it to a USB drive, uploading it to personal cloud storage, emailing it from a personal account and more. Since many agencies struggle to secure widely available data, insiders don’t have to overcome many obstacles to get access to a cache of information.
2. Is our data safe from external attacks? Attackers are getting smarter and sneakier, especially as new tools and techniques spread widely. As attacks grow more sophisticated, agencies must watch for subtle signs of an attack, such as users logging into the network from new places, using unrecognized devices or accessing data in ways it hasn’t been tapped before. External attackers can slowly siphon data from a network by disguising it as ordinary web traffic and then “live off the land” by using native tools that exploit vulnerabilities to continue exfiltrating data.
3. Is our cloud data secure? Many agencies are eager to move their information to the cloud, only to realize that their data security problems have moved with them. Don’t assume that data stored or migrated to the cloud is safe -- the cloud is just someone else’s computer. Cloud storage is even more vulnerable to attack: Misconfigured cloud data stores can leave information open and accessible to the entire world instead of just to agency employees.
4. What are we doing to solve the cybersecurity employment gap? North America has half a million open cybersecurity positions, making it extremely difficult, if not impossible, to fill all the available security jobs. Automation based on machine learning is critical to helping agencies bridge the human talent gaps and defend agency assets. If a ransomware attack hits the network at 5 p.m. on a Friday, technology will be the first line of defense.
5. Do we rely more on luck than strategy? Luck makes a poor cybersecurity strategy. Agencies that have not been hit by a cyberattack may grow complacent. In the age of exploits for hire, anyone can be a hacker and any organization can be hit. Attackers lie in wait, biding their time as they lurk undetected in networks, moving laterally across systems, before escalating their attacks and stealing data. Agencies may have attackers in their networks already.
When it comes to protecting data, agencies must focus on access. If and when cybercriminals land on the network, IT managers must make it harder for them to remove the data. Defenders live in a world of uncertainty, and reducing that uncertainty -- identifying threats and reaching conclusions quickly -- is key to defense. Agencies should aim to secure their data under a “least privilege” model and grant access only on an as-needed basis. Data usage should be monitored to identify when something goes wrong.
The breadth and depth of tools attackers have at their fingertips make a cyberattack a near certainty. Whether they like it or not, state DMVs are the stewards of this critical personal data, and they owe it to the 225 million U.S. drivers to take the steps needed to ensure this information does not fall into the wrong hands.