Biden's cybersecurity order could help banks deter fraud


President Joe Biden issued an executive order on Thursday that could — if implemented by the incoming administration of Donald Trump — help banks and credit unions reduce fraud and financial crimes by improving the process for verifying government-issued identity information from customers and applicants.

The order specifically calls on the Social Security Administration to consider upgrades to its digital services for verifying identity information provided by banks, and it leaves the door open to additional federal agencies that also issue identity documents to implement similar services.

The order also seeks to enable more states to adopt digital driver's licenses, and instructs the federal government to start accepting such digital documents as a form of identity verification. Together, the changes could lead to greater adoption of digital identity sources that could help banks and credit unions cut down on fraud.

Beyond these identity matters, the order also sets into motion initiatives across the federal government that, among other things, could provide banks with better and more timely information about novel cybersecurity threats.

Here are some of the parts of Biden's Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity that could affect banks and credit unions:

Government ID verification set for upgrades

Since 2019, the Social Security Administration has operated the electronic Consent Based Social Security Number Verification, or eCBSV, service, which provides a digital interface banks and credit unions can use to verify that a person's Social Security number, date of birth and name all match the agency's records.

Under the order issued Thursday, this system could get an upgrade, and other agencies might also adopt similar improvements. The order calls on the head of the Social Security Administration to establish "a new or significantly modified routine use of records" for identification verification purposes.

The order does not specify what types of upgrades the service should get, leaving it instead to the head of the bureau to decide. In September, the Government Accountability Office released a report that found major deficiencies in the fee structure and scale of the program. In response to this report, upgrades could be targeted at making the program more efficient and more broadly attractive to institutional users who pay to access it.

The order also allows the director of the Office of Management and Budget to designate the head of any other agencies deemed appropriate to consider building such a service. While not explicitly named in the order, this could include the Department of State, which issues U.S. passports — a key identity verification document used by many banks and credit unions.

Any system that the Social Security Administration or other agency offers for digital identity verification should, according to the order, be available to government agencies, U.S.-regulated financial institutions and payment integrity programs.

Federal government to accept digital identity documents

In the name of reducing fraud against public benefits programs, the executive order instructs agencies that administer such programs to start accepting digital identity documents as a form of identity verification and encourages federal grantmaking agencies to issue grants to states seeking to develop mobile driver's licenses.

While few states currently issue digital driver's licenses, a federal policy that holds digital documents as a standard for identity verification could lead to more states adopting digital licenses and other government agencies issuing their own digital IDs.

The order also instructs the National Institute of Standards and Technology, or NIST, to issue, within 270 days, implementation guidance on supporting remote digital ID verification. While this guidance might be tailored toward government agencies seeking to support digital ID verification, it is also likely to set a standard that banks and credit unions can follow.

All these efforts in turn could provide banks with potentially more secure means of verifying the identity of customers, potentially mitigating fraud and financial crimes.

Treasury could notify individuals of public benefits fraud

The order instructs the Treasury and General Services Administration to research, develop and conduct a pilot program for technology that notifies individuals and entities when their identity information is used to request a payment from a public benefits program.

The technology is meant to give individuals and entities the option to stop potentially fraudulent transactions before they occur and report fraudulent transactions to law enforcement entities.

While the technology might not directly affect banks, it could create a standard for informing consumers about fraud conducted using their identity that banks and credit unions are expected to follow.

Promoting end-to-end and email encryption

In an effort to secure federal communications, the executive order instructs agencies to encrypt email messages and, "where practical," use end-to-end encryption. Changes to email encryption must take place within 120 days, and agencies must enable end-to-end encryption by default within 180 days.

The change comes less than a month after the Cybersecurity and Infrastructure Security Agency, or CISA, issued guidance to senior government officials and politicians to adopt end-to-end encrypted communications, which means ditching regular phone calls and text messages, neither of which is end-to-end encrypted.

When a channel lacks end-to-end encryption, law enforcement and unauthorized criminal parties can listen in. This wiretapping ability, and particularly its abuse by cybercriminals, came to the fore recently when U.S. officials discovered that the Chinese hacking group Salt Typhoon had accessed a large number of Americans' metadata in a surveillance sweep that compromised nine telecommunications firms.

The attack has shattered confidence in the aged infrastructure and protocols that undergird regular phone calls and text messaging. At a December press conference, Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters that the telecom networks that support calls and texts "are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China."

Adapting federal networks for better threat hunting

The executive order enables CISA to gain timely access to data from cybersecurity software installed at federal agencies including the Treasury, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation.

The changes are relevant to banks because the federal government regularly communicates with companies in critical infrastructure sectors, including finance, about cyber threats that may affect them. The changes enabling CISA to collect better threat intelligence could lead downstream to better and more timely threat intelligence shared by the government with banks and credit unions.

The order specifically requires CISA to install means of collecting data from endpoint detection and response, or EDR, solutions installed at federal agencies and their operation centers. This will bolster threat hunting efforts at CISA, which involve analyzing network and computer logs to learn about cybersecurity threats as they develop and evolve.

Moves toward post-quantum encryption

The executive order will help banks identify products they can use that support post-quantum cryptography, a new generation of encryption algorithms and secure communication technologies. These technologies will enable banks to secure their data from decryption in the future by quantum computers that will be capable of breaking classical encryption.

The order specifically instructs CISA to, within 180 days, release and regularly update a list of "product categories" that widely support post-quantum cryptography. This list could help banks identify products they can use to secure their own communications and data.

In support of moving toward post-quantum cryptography, the order also sets up requirements for both national security and civilian agencies to adopt Transport Layer Security, or TLS, protocol version 1.3 or later by January 2030.

TLS is a fundamental protocol for securing internet traffic. While earlier versions of TLS support post-quantum encryption, the latest versions are more secure and faster, and research on how new encryption standards will impact TLS has focused on version 1.3.
