Real-ID data surge raises real dangers

 

Connecting state and local government leaders

Troves of digital identity documents amassed to comply with Real-ID will raise the stakes for states struggling to protect their IT systems and data.

State and local government organizations are bursting at the seams with sensitive data. The Real-ID Act of 2005 set standards for issuing identification like drivers licenses and requires states to “capture digital images of identity source documents so that the images can be retained in electronic storage in a transferable format.”

States must collect and store a wealth of new digital information as residents update their drivers licenses to be compliant with Real-ID. Drivers are handing over passports, birth certificates, Social Security cards, bank statements and other personal identity documents to their local motor vehicle department to scan and create digital copies. As these DMVs face a data collection and storage burden, the records they collect will be an attractive target for criminals, who only need to crack one system for a big payoff in personally identifiable information.

As the Real-ID program hits its stride, here are five questions every state should be asking:

1. Is our data safe from insiders? Employees and contractors likely poise the biggest threat. Insiders are increasingly savvy and know the kinds of measures that are in place to protect data -- and how to avoid them. They have plenty of ways to steal data: saved to a USB, uploaded to personal cloud storage, emailed using a personal account and more. Since many agencies struggle to secure widely available data, insiders don’t have to overcome many obstacles to get access to a cache of information.

2. Is our data safe from external attacks? Attackers are getting smarter and sneakier, especially as new tools and techniques spread widely. As attacks grow more sophisticated, agencies must watch for subtle signs of an attack, such as users logging into the network from new places, using unrecognized devices or accessing data in ways it hasn’t been tapped before. External attackers can slowly siphon data from a network by disguising it as ordinary web traffic and then “live off the land” by using native tools that exploit vulnerabilities to continue exfiltrating data.

3. Is our cloud data secure? Many agencies are eager to move their information to the cloud, only to realize that their data security problems have moved with them. Don’t assume that data stored or migrated to the cloud is safe -- the cloud is just someone else’s computer. Cloud storage is even more vulnerable to attack: Misconfigured cloud data stores can leave information open and accessible to the entire world instead of just to agency employees.

4. What are we doing to solve the cybersecurity employment gap? North America has half a million open cybersecurity positions, making it extremely difficult, if not impossible, to fill all the available security jobs. Automation based on machine learning is critical to helping agencies bridge the human talent gaps and defend agency assets. If a ransomware attack hits the network at 5 p.m. on a Friday, technology will be the first line of defense.

5. Do we rely more on luck than strategy? Luck makes a poor cybersecurity strategy. Agencies that have not been hit by a cyberattack may grow complacent. In the age of exploits for hire, anyone can be a hacker and any organization can be hit. Attackers lie in wait, biding their time as they lurk undetected in networks, moving laterally across systems, before escalating their attacks and stealing data. Agencies may have attackers in their networks already.

When it comes to protecting data, agencies must focus on access. If and when cybercriminals land on the network, IT managers must make it harder for them to remove the data. Defenders live in a world of uncertainty, and reducing that uncertainty -- quickly identifying threats and coming to conclusions quickly -- is key to defense.  Agencies should aim to secure their data to a “least privilege” model and grant access only on an as-needed basis. Data usage should be monitored to identify  when something goes wrong.

The breadth and depth of tools attackers have at their fingertips make a cyberattack a near certainty. Whether they like it or not, state DMVs are the stewards of this critical personal data, and they owe it to the 225 million U.S. drivers to take the steps needed to ensure this information does not fall into the wrong hands.

NEXT STORY: Army leans into biometric ID

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.