Canadian Leadership in Digital ID: The solutions are here but we must act now
- COVID-19 has made cybersecurity even more crucial to Canadians, as workplaces and processes must be safe and secure while operating online. Collaboration among private and public sector stakeholders is critical to apply cybersecurity solutions to this crisis and future crises.
- Canada needs to develop a skill base in cybersecurity to ensure that we are safe from cyber threats, and have the talent needed to build a robust world-leading cybersecurity industry.
- Cybersecurity will become an international market, so Canada has a large opportunity to shape the emerging standards that will define the industry’s future.
Canada’s governments must realize that the solutions to cyber threats already exist and need to be adopted now. The Canadian cybersecurity industry must be supported to grow and build, and to make Canada a robust and safe place for digital identity. Canada must build an ecosystem of players, including banks, governments and telcos, to adopt solutions that keep Canadian consumers safe. The solutions exist so we must act now.
COVID-19 has brought a lot of processes and workplaces online, sometimes for the first time ever. What does this mean for cyber threats and cybersecurity in Canada? And what must we do to prepare for future crises?
The spike in digital adoption as Canadians continue to get used to their new processes has resulted in an increased knowledge of how important cybersecurity is. With the rise in data breach threats, consumers understand that more attention needs to be paid to how their information is shared online by their employers, health providers, governments and telcos.
Ensuring that these processes and workplaces are safe and secure from cyber threats is not just a question of convenience, ease of access or speed, but a question of citizen health, well-being and safety. The advancement of cybersecurity in Canada is being fuelled by Canadians and organizations understanding that their identities need to be verified in a safe and secure way immediately, as well as the harm that cyber threats have on their day-to-day lives.
“Ensuring that these processes and workplaces are safe and secure from cyber threats is not just a question of convenience, ease of access or speed, but a question of citizen health, well-being and safety.”
Building the right cybersecurity and digital identity tools is a massive responsibility, and one that is shared between the public and private sector parties with the right expertise. The ink was not even dry on the Government of Canada’s stimulus program before reports of a text scam began circulating. However, the solutions to these current threats already exist.
COVID-19 has resulted in wider spread adoption of methods to solve these issues and invest more into cybersecurity, and verification networks like Verified.Me have become essential tools for this. Delivering these services against the razor-thin deadlines that this pandemic demands has been critical to keeping workplaces running against the threat of cyber-attacks.
Preparation for future crises requires the collaboration of public and private stakeholders to help build and improve solutions. Verified.Me’s partners are working together to share their cyber threat expertise, examples and insights to help them face those challenges. Consumers for each of these partners continue to benefit from this shared information.
To prepare for future crises, we need to come together and build cohesive and holistic solutions that address today’s cybersecurity and digital identity concerns. We have been stronger together during COVID-19 and we must remain so moving forward.
What threats and opportunities does cybersecurity present for the Canadian economy?
Consumers understand that things are changing. There are more breaches where rogue employees can steal data and share information like your name, address, Social Insurance Number and income. This allows others to impersonate you, file tax returns, create accounts, and take out loans in your name. There are instances where a billion documents, including passports and drivers licenses, have been copied to the dark web. This is a significant threat. Customers are feeling vulnerable and want to feel safer. We have not built privacy and security around identity or made it easier to prove who we are, and this is a problem we have to solve to keep consumers safe – this creates an immense opportunity.
“We have not built privacy and security around identity or made it easier to prove who we are, and this is a problem we have to solve to keep consumers safe – this creates an immense opportunity.”
Right now there are many entities coming together to build solutions and solve these problems. This is a massive economic opportunity with an additional advantage coming in the form of productivity gain. Instead of spending time conversing with a bank or government call centre to prove your identity, you can cut that time down by using verified digital identities. The productivity gain of moving through this process quickly is a massive improvement for Canadians across the spectrum.
Through the Digital ID and Authentication Council of Canada (DIACC) we have many companies with innovative solutions that understand it takes an ecosystem to get this done. There is recognition that if you combine the strengths of different parties to collaborate on digital ID technology and systems, it sets a high bar that is difficult for malicious actors to beat. Healthcare is a good example where there are significant opportunities to improve how we authenticate service users’ ID. To access your health records now, you prove who you are in person by showing your health card and you are given a PIN. If you forget your PIN it is resent through a link to your email, which could easily be intercepted and misused by bad actors. This is not very secure. Instead of this system, we could easily change things so that to recover your password, you can log into your bank and prove you have your phone. This is much stronger than an email link. So, we have to think about these kinds of approaches for consumers, because health records and banking data are very important, and no one wants others getting into their private records.
“There is recognition that if you combine the strengths of different parties to collaborate on digital ID technology and systems, it sets a high bar that is difficult for malicious actors to beat.”
Our federal and provincial governments realize this is important and recognize that they have a role to play. Large Canadian banks have also come together and said “this isn’t something that will move the line in our revenue, but it’s something we must do to keep our customers safe online.” So, they have joined in launching our Verified.Me service.
What type of system to validate digital ID do you envision for Canada’s future?
Since digital ID proves who an individual is, it must be owned by the consumer. It is the consumer who must be placed at the center of the system and be enabled to choose what they share, when they share it, and with who. Doing this requires an ecosystem. We can draw together different players. For example, a government can say, “This is John Doe and he matches his driver’s license.” A bank can also say “a user is logged in to John Doe’s account right now.” And a telco can say “the user is on John Doe’s phone and it is located here right now.” All this data is a simple transaction. And the last step that is required is John Doe putting his face in front of his banking app on his phone or inputting his PIN number, and being asked to confirm that it is OK to share his mobile and banking data to prove that he is actually John Doe.
“Since digital ID proves who an individual is, it must be owned by the consumer.”
This approach increases productivity and decreases the risk of fraud, and that is what consumers want. They want to be able to access services from different providers – such as governments, banks, health providers, and others – and want to avoid the risk that others can too.
This is something we are currently able to do, but we must do so in collaboration with a variety of partners. So collaboration within the cybersecurity ecosystem and with different players – governments, banks, telcos, and others – is key.
How are companies responding to the need to digitize and secure their operations?
The reality in the market is that companies are not necessarily looking at how digital ID technology works, but recognizing its value as a service. For example, healthcare companies have realized that by using digital ID services they could validate a customer’s identity and let them have access to their lab results in real time. Similarly, when a financial services company is looking to lend money for a car, if a user can prove their identity and credit score with a couple of clicks, a loan can be approved within seconds. Landlords can lease an apartment in seconds versus paying an agent one month’s rent to prove that a tenant is who they say they are, and not a criminal. We can cut a significant amount of time by letting customers share their data with consent, and minimizing what they share. A landlord doesn’t need an entire credit report, it only needs to know that a tenant’s credit is over 600, for example.
“The reality in the market is that companies are not necessarily looking at how digital ID technology works, but recognizing its value as a service.”
All these applications are very significant and we are seeing interest growing. Companies are seeing the value these capabilities offer and signing up for cybersecurity and digital ID authentication as a service.
We have well over 1,000 companies that want to sign on to such services because it will make their processes better and more secure. We are seeing big and small tech companies saying: “I could use this.” Rental car agencies in Quebec, for example, recognize that looking at a driver’s license is no real security for renting an expensive car. We worked with British Columbia to put chips inside identification cards so that you can tell if it is valid, but this takes years to do. We can do a lot more with an ecosystem of partners working in digital identity.
What is the biggest challenge faced by the cybersecurity industry in Canada and how is the country unique in its approach to cybersecurity?
Our biggest challenge is getting everyone to work together. We must recognize that it is not one party or group that can do this on its own, it is a combination of security actors and parties that must make it safer for citizens. The approach we are taking— where we do not copy data or make repositories, where we put responsibility in the consumer’s hands to consent to sharing their data— is very important. Where Canada is standing out is through privacy by design. Consumers are in control; they can log in to government platforms using your banking log in details, and they are going to be kept safe. The government will not know which bank they use, and banks will not know what service they are accessing. The privacy principles that have evolved in Canada are driven by both the government and private sector, and Canada is becoming a showplace for the world in how the cybersecurity ecosystem is putting citizens at the centre and cooperating to get this done.
“Canada is becoming a showplace for the world in how the cybersecurity ecosystem is putting citizens at the centre and cooperating to get this done.”
With services like Verified.Me, Canada is becoming a cybersecurity leader for other countries, and we love that. Once we fully implement such technology in Canada and we build a skill base around it, cybersecurity becomes an export commodity where we are able to show the world how to do it. We are putting the citizen and privacy at the centre of the system, and then it becomes a standard that is interoperable globally. Identity is not going to be something that lives only in Canada. When a citizen goes to the US, opens a bank account somewhere else, or sends money abroad, they will be able to prove their identity. Cybersecurity will become an international market, so driving the standards from Canada and being involved with those standards is very important.
What can the government and the private sector do to build up the cybersecurity industry and keep Canadians safe?
We have to be good at commercialization. The government has to pick Canadian companies to get going on this. In the US, we are getting great funding from the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T), who like our model and how we are operating securely. Canada has to understand that the next war will not be fought with tanks and missiles, it will be in cyberspace. We need a skill base and people who can develop these technologies to keep Canadians safe. Selecting solutions from both the private and public sectors, and working together to scale these solutions will give us an innate capability as a country. If we start buying cybersecurity from other countries, it will not be a good thing for Canadians. The government must understand that cyber capabilities need to be local, and we need to make sure we have a robust cyber industry where citizens are going to school, learning and getting jobs in cybersecurity to keep Canadians safe.
“Canada has to understand that the next war will not be fought with tanks and missiles, it will be in cyberspace.”
Governments are realizing that the cyber sector is now here to stay, and the only way to capitalize is to build an ecosystem of players, banks, governments, and telcos working to build a solution that lets consumers control and share their data the way they need to. We must also encourage Canadian industry in cyberspace to help protect identity, make use cases, and make it easy and safe for citizens to get things done online. And Canadian companies working in the sector need to be encouraged to grow and build. A robust set of cybersecurity companies that are building these solutions need to be supported by our governments to make Canada the place it needs to be in cybersecurity. Finally, this is happening now and the time to do it is now. We are seeing more threats and breaches, and it’s becoming harder to close those doors. A single rogue employee can get hold of and release data that has long-lasting effects on a company. The time to get this done is now, and we do not have to wait because the solutions exist. We are following the DIACC standards, and we should be adapting and evolving instead of waiting for some holy grail in the future. We should be solving these problems with Canadian companies today.