Carahsoft Webinar Election Security Campaign
Video Transcript
Abby Stevens:
Good afternoon everyone. My name is Abby Stevens and I'll be our moderator for the session of Carahsoft's Election Security Readiness Week. In a world where every vote counts, we appreciate you taking the time to learn more about how we can be ensuring the integrity of our technology systems.
On behalf of Carahsoft Technology Corporation, I would like to welcome you to our 1Kosmos webinar election security campaign. And at this time, I would like to introduce our speaker for today, Christine Owens, Field CTO with 1Kosmos. And Christine, I will give you the floor.
Christine Owens:
Great. Thanks so much, Abby. All right, let me share my screen. And make a full screen. Okay. All right, here we go. So thank you for joining. I know it's lunchtime. I know it's probably, I don't know, been a hard week. I know it has been for me, probably for everyone considering what we've seen in the news lately. So thank you for joining so that we can talk about election security readiness and what 1Kosmos can do for you, which is truly know who's behind the device.
So if you haven't already figured this out, we do identity verification. We can also take that identity verification and bind it to a strong credential, and we're going to talk about all of those use cases. Today I'm going to actually focus, election security is a very broad topic, I'm going to focus really more on campaign organizations and their security infrastructure. And the reason is because what has recently been in the news about how bad state actors have been attempting to or have gotten access into campaign organizations, that really scares me. And it's not because they're taking information out, which they probably are, or they're probably at least reviewing the information to see what each side thinks. Maybe they're going to leak some information, who knows? But it's more because they can get in and they can alter the information within campaigns, and that can also really play a huge effort into changing what happens in the campaign. If you, for example, completely delete some of your themes in the campaigns or if you change what the theme is without people really understanding that it's been changed, those are all things that can, actually small pieces that can actually change that greater whole of how the election within the US is run.
So this is really near and dear to my heart. If any of you have ever seen me speak, for example, I was at FedID, and this is something that I've really talked about because I'm very adamant and I'm also just really excited to make sure that we stop any sort of tampering of our elections through cybersecurity.
So let's move on. All right, so what do we do when we prove identity? We take a biometric, usually it's our face. We take an ID card, usually a driver's license or a passport, and we visually inspect the two and we say, "Oh, this looks right. You're good to go." That doesn't work anymore. It's not a good way to verify an identity. A really good example that we have with a current customer who's a Fortune 500 company is that they have been doing this for years and they have been giving very expensive equipment to people after they do this visual inspection of the face with the driver's license or the ID card and they say, "Oh, okay, this looks good here. Take our very expensive item and go use it and then bring it back to us." What happens is a lot of the time people don't bring it back because they're using fake IDs, but visually you can't see that it's a fake.
So we here at 1Kosmos, we think let's take that human interaction out of it insofar as the human makes the determination and we want to put in machine learning algorithms to make sure that that biometric, and the biometric on the ID card, well that they match. Or that ID card actually matches the template that it's supposed to match to, or even that the information on the ID card matches the information that we find in databases on that person. So just to set the stage, that's where we're going today, we're going to talk about remote automated identity verification.
So what do we need when it comes to campaigns and their organizations? We need to make sure that we can match the verification of the identity, make sure that they are more likely than not that user who they say they are, with the risk that they aren't, but also we have to have a lot of mandates around that, and we have a lot of compliance mandates when it comes to collecting PII and verifying individuals.
So what is that? The first one is, quite frankly, the biggest in the room, data privacy regulations. So 1Kosmos is a global company, so we are adapted to what I would say is the granddaddy of them all, GDPR, that privacy regulation that essentially says that person's PII is their data, it's not ours at 1Kosmos, it's not necessarily your data either, it's that user's data and they should be able to determine what to do, what they want with that data, whether it's to share it with a campaign staff organization or to share it with 1Kosmos, but they should understand what happens after that data is shared.
Within the US we have a couple others that are really big players. One of them is CPRA. That's California's privacy regulation. It's built on GDPR. And the second one is BIPA. That's an Illinois regulation. And what that does is it governs what an organization can and cannot do with collected biometrics, and really explains what needs to be done if a user no longer wants their biometrics within an organization's systems. So those are things that every organization has to really think about when they're doing identity verification and collecting evidence. But that identity verification is a really important piece.
And then the second thing that organizations need to think about is their lack of visibility and control in the matter. There's a couple of things that I think about in this. One is some organizations today they're doing identity vetting, but they're doing it in a manner that doesn't necessarily comply with privacy regulations. So maybe they're having documents emailed to them or uploaded to their sites, and then how are they storing that information? How are they validating and verifying that information? Are they encrypting that information with strong encryption both at rest and in transit? Those are all things that are really important and that organizations need to get control of when they are collecting PII from end users.
But the second thing is that organizations also have a lack of visibility and control of their users within their system if they haven't vetted them. And that's something that we here at 1Kosmos want to fix. We want to make sure that every credential that is used within an organization system is backed by a verified identity, and we want to help you get to that point where you have verified identities, strong credentials, and a higher level of assurance that the people within your organizations are who they say they are, and that bad actors aren't trying to tamper with our elections through campaign systems.
And the last thing is we have continued cybersecurity threats. Not only are bad actors attempting to get PII to be able to claim that they are somebody else and use things such as deep fakes or the dark web to be able to fake out and make people think that they are somebody else. But the other thing is they're also trying to get access into campaign systems. So we have both sides of that as coins. And again, a strong verified identity bound to a strong credential is what's going to be able to create that level of assurance, reduce the risk in a campaign's systems, and make sure that we feel better at night. And we're not staying up going, "Oh, who's in my system?"
So how do we verify an identity? I like to call this the triangle trust. So really what it is we take a holistic view when we are determining whether or not someone is who they say they are and how likely it is that it's, so generally we start with a magic link. That magic link goes to a phone or an email. So we're verifying that that phone or email actually exists, that it is bound to the person who's interacting with us. If they're using the 1Kosmos app to do identity verification, then we can actually bind their SIM card to the app, which means when they come back for future interactions, we can make sure that that app, and that information within that app hasn't been stolen or sim swapped because we create that binding.
We generally collect documents, identity documents. It could be something like a driver's license, it can be a passport, it can be other documentation that is determined by NIST Special Publication 863. That is what governs our identity vetting solution. So in that we have over 4,000 document types that we can validate within our system through templates. And we also, within those documents, we have about 190 countries represented. Basically what we have attempted to do is be able to identity vet anyone from any country.
Then we can take that document and what we do is we use OCR and we pull off the information on the face of the document, and if that document has either a barcode or an NFC chip, we pull the information out of there. We compare those two things, and then we take all of that information and we can compare it to sources of truth such as AAMVA, which we use for driver's license, or we can use other authoritative sources to match that information that we have gotten from the end user, from what they've given us and also from what they've entered into, for example, their email address, but also from what's on the face of their documents and within the barcodes.
And then finally we have is what we call a LiveID. Essentially what that is it's a snippet of a selfie. That's a video. We make sure that there's movement. We look at micro movements within the video. We look at the depth perception of the video to make sure that there's not a deep fake screen. We look for the color, the pixelations, the warmth of the skin. We look for a lot of different things to make sure that that more likely than not is not a deep fake that's in front of us or just a static picture. And then after that, we take that biometric that we collect, we compare it only to the biometric on the identity document, and then if also included in either the barcode or the NFC chip, we compare all those biometrics to the biometric. In the other piece, we do a one-to-one match, maybe a one-to-one-to-one matching, but we make sure that we're really only comparing what is given to us because we want to make sure that we keep equity and we can make sure that people are validated properly.
And then finally, once we do all this, we do a data triangulation. We do a holistic view of everything. We say, "Yeah, this probably is right, this is more likely than not, is the person who they say they are." And then we can give that end user a reusable identity. What that reusable identity is, in the US, we call it a digital identity wallet, in the standards world, we call it a verifiable credential that's built on W3C standards. But in any event, it is basically that end user's information stored with 256, AES-256 encryption on a private and permissioned blockchain where only the end user can get a hold of it because only the end user has the private key. They then get to decide where and how they share that information in the future. And those are things that we're going to talk about upcoming, about ways that we can reuse that identity.
So organizations, especially campaigns, need to modernize their systems. We need to make sure that they have strong security measures in place. Because campaigns are critical infrastructure, all election systems are actually considered critical infrastructure inside the US. And so especially campaigns, which is something that we've not really don't always think about as critical infrastructure, it is, because a campaign is what determines who wins, how well that campaign does determines who wins.
So how do we modernize security systems of a campaign organization when it comes to barricade identity? The first thing is we need really good user experience. We want to tailor the experience that the end user has based on the risk profile that the organization decides. And then we also want to make sure that the end user completely understands what it is that they're to the system, why they're giving into it, how the information is going to be stored for how long, if it's going to be stored somewhere, and what they can do to revoke that consent if they want. Those all go back to the privacy concerns that we have with CPRA, GDPR, BIPA, but it also goes into just privacy concerns that the general population has. They want to make sure that not only they're in control of their data, but also if they give that data to you as a campaign, that you're going to make sure that you take really good care of that data.
So next, adaptive verification is important. So what that means is being able to be more flexible and user-centric for the verification process. So if a user uploads a document and it doesn't go through properly or it's too blurry, we can ask the user for that document again or an additional document that might work better. That doesn't mean that if an end user uploads a fake document that we give them a second chance, but if an end user needs more help, we need to be able to help them so that they can get through the verification process so they can get access to whatever things that they need in the campaign organization.
And then finally, we want to make sure that we have advanced and enhanced security. What that means is when identity verification occurs, especially per an NIST 863 at an IAL2 level. So an Identity Assurance Level, II, what we want to make sure is we want to make sure we understand the risk associated with the user that we are collecting the data from, and we want to make sure that we can properly overcome that risk.
So if I am a campaign organization and I have volunteers who need access to not a lot, maybe just to a list of constituents so that they can call or a list of constituents to go and knock on the doors, they don't need that much, they don't have a lot of risk. Hopefully that organization has micro-segmented their systems and that end user can only get access to these particular lists. If that's the case, then we don't really need to do a strong vetting solution. It doesn't need to be the whole shebang. Really all we need to do is something small like maybe a biometric plus an identity document. We compare the face on both to make sure that they match. And then we take that document and we compare to the document templates that we have on file to make sure that it's a valid ID and that there's nothing out of place, which we would call it a fake. And then if there's a barcode or an NFC chip, we compare the data that is in that barcode or NFC chip to the face of the document because that right there is a pretty good level of assurance to determine, oh my gosh, that person is more likely who they say they are. And quite frankly, we don't need to spend a lot of money to verify that identity.
Now, if the campaign is giving access to everything in their system or to the majority of their system because it's a high level staffer, in that case, we probably need to do a little more identity vetting on them. Maybe we need to do what we do for the volunteer, but also take all of that information and check databases. Maybe we need an additional document beyond a driver's license such as a passport to really hammer home that that person is more likely than not who they say they are, especially if that user is in a remote position and not in person.
So speaking of that, CISA has given some bulletins, and the FBI, about how North Korean citizens have been essentially catfishing organizations by claiming they're US citizens and getting jobs. Campaigns especially need to make sure that if they're hiring remote employees, that they're doing a very good job of doing a remote identity proofing as well before they give those people a credential.
So there's that level of risk that every organization has to think about, and that's something that we, 1Kosmos, can help because we are experts in this field. This is what we do day in and day out with a ton of different organizations. But also we just want to make sure that everyone is safe and secure when they are interacting with other organizations digitally. And we want to make sure that the organization can have a high level of assurance that the people who are interacting with them are who they say they are.
So then finally, when it comes to what campaigns need to think about when they're bringing in verified identities is that integration, integration is not always easy. So 1Kosmos, we are built on standards and also we're built to regulations so that not only do we have consistency within our APIs and SDKs, but we also want to make sure that we can share the results if the end user allows for it.
So what does that mean? We collaborate. We collaborate a lot. We collaborate with our customers to see what methods are best for them and integrate new things into our platform if they are asking for it. Because what we have found is that if one customer wants it, probably multiple customers want it. We collaborate with our peers in the industry in standards organizations such as FIDO or on the Kantara Initiative board, and we follow W3C standards. So we want to make sure that not only are we understanding what the regulations are, but we're helping create those, not just regulations, but also standards so that we have a seat at the table.
And then finally, we just like to collaborate with anyone who wants to talk to us. So we talk to the government a lot about the standards that they're creating. And we also talk to the vendors that we integrate with, those are generally the major IDPs. So we make sure that we can integrate pretty quickly into any IDP so that you as an organization can get what you need from the verified identity.
Next, we have standardized practices. So we adhere to our standards. We actually help create those standards. And we think it's really important because we want to make sure that if an end user comes to us to create an identity within our system, that they can reuse that identity as many times as they need. We want those identities with the verifiable credentials to be used, not just for your organization or campaigns organization, but we also want it to be used with the federal government. We want it to use with state governments, we want it to be used when they need to get benefits. We want it to be used for healthcare purposes. Really any organization that needs a verified identity, which by the way is most organizations nowadays, we want verifiable credentials to be used because we believe that it is an important part of the future.
And finally, speaking of the future, we want to make sure that innovation and adaptation occurs. So we here at 1Kosmos, we spend a lot of money on R&D. We make sure that we understand what the current cybersecurity threats are, and we want to make sure that we're one step ahead of them. Deep fakes is a really big deal. Deep fakes is a massive cybersecurity threat. We understand deep fakes, we understand what's on the dark web right now, and we are working to make sure that we are one step ahead of those bad guys, but also we want to make sure that we adapt to whatever is occurring currently. So for example, regulatory changes can occur. BIPA has just been updated in Illinois. So we need to make sure that our system stays in line with those regulations. We also need to make sure that if what we're doing today actually doesn't work tomorrow against the bad guys, then we need to make sure that we can pivot really quickly and change that, so we have a full platform to be able to pull the levers of where we need to be based on what the cybersecurity threats are.
So I've been talking a little bit about 1Kosmos more talking about threats. What is it that we do here? We enroll identities. That's really important. When we enroll identities, we usually verify them. We use that triangle of trust, we get the holistic view, and then we can take that identity and that verified identity. There's a husky that is gone loose in my neighborhood, this isn't good. So there's a verified identity and we can bind that to a strong authenticator. Generally we say use a passkey, a FIDO authenticator, use something that's phishing resistant. But at a minimum, we really think that organizations should be using MFA. And in fact, in many places within our platform, MFA is required. It's mandatory. We also don't charge extra for MFA.
So what do we do? Again, we have identity enrollment and proofing. We take that verified identity, bind it to a strong authenticator. We prefer phishing resistant authenticators, but then holistically that creates a digital identity. That digital identity can be reused time and time again. It can be reused within the 1Kosmos space. So any organization that has 1Kosmos can actually use any of the digital identities that we have in our private information blockchain, but we also can use it with some other relying parties. There are some IDPs that actually accept verifiable credentials today, or we have an open API that we can push identity verification such as IAL2 to that IDP for example, so that the IDP knows that that person more likely than not is who they say they are. And either the IDP can bind that identity to a strong credential or they can use one of our credentials that we provide, including LiveID, which is just your face. It's pretty easy.
Another thing that we really, really, feel very strongly about is our privacy promise. We take privacy seriously, and we are a privacy first company. We believe that any information that we collect from an end user is theirs. It's not ours. We don't resell data, we don't reuse data. In fact, we don't want the data. We take the data, we hash it with SHA256, we encrypt it with AES-256 encryption, and then we give the private key to the end user that then goes on a block and a private information blockchain that is encrypted again into AES-256 encryption.
Now, if the organization needs more than just the fact that that person has been IAL2 certified or validated to whatever level that organization wants or needs, then we will transmit that information, but only after the end user is notified in consensus of transmission. So we like to process, delete the data from our system and make sure that whoever needs the data is given that data after the end user, the person whose data it is notified and understands what's going to happen with that data.
So we have a whole platform. And actually, we can tear apart our platform and talk about the different things. I actually don't have much time, but we identify and onboard once. So we do an account enrollment. The account enrollment not only occurs in 1Kosmos, but we can also push it to an organization's IDP.
Next, we have user-controlled identity through our reusable identity. So that's our verifiable credential that that user can use as many times as they want, as long as they consent to doing it. And then we have an authentication mechanism so that we can transact anywhere and anyhow. Our authentication and actually our identity verification platform is Omni-channel. So you can do it on your mobile phone, you can do it on your device, as long as there's a web camera or some sort of camera, we can do it for you. We tend to advise customers to use what we call identity-based authentication. So that's LiveID that uses your biometric and it checks for liveness. That's one key which is used for shared workspaces. It's a biometric authenticator that is only on shared workspaces. It doesn't go with the user, but the user has an account. And then the other thing is WebAuthn. So Touch ID and Face ID.
Now if the organization needs Legacy MFA, for example, TOTP, using an authenticator, we will allow for that too. We can do whatever it is that the customer needs and we help the customer determine what the best authenticator is for them based on a risk-based approach.
And finally, I think I've said this many times, we believe in privacy preserving as a company, we actually like to quickly deploy our product because we find that the faster our product is deployed, the higher ROI an organization gets. So we have, for example, SDKs for mobile and web. We actually have a really strong account recovery process that can combat against Scattered Spider, and we don't need a phone, we can do all of this on the desktop or a laptop, as long as there is a webcam. Again, we do not store PII that 1Kosmos can get a hold of, that storage is only done in a private and permissioned blockchain where the end user gets the information or gets the private key to be able to access and control their information.
And then finally, we're built to standards. We really believe in standards and we love them. To name a few, FIDO is one of them. We also are built to NIST standards and we have ISO and SOC compliance.
So thank you so much for chatting, not chatting, for listening to me today. I could go on and on about making sure that organizations are safe and secure, especially when it comes to election security and making sure that the bad guys and the bad state actors stay out of our elections. So I really appreciate you taking your very precious lunchtime to listen to me talk. Thanks so much.
Abby Stevens:
All right, well it doesn't look like we have any current questions, so I can go ahead and close this out so everyone can enjoy their lunchtime.
Thank you again, Christine, for being with us this afternoon, and I want to thank all of our participants who joined us today. We hope you found this webinar helpful and enjoyable for your organization. We'll be sending out a follow-up email including the on-demand recording, as well as any resources to the email that you registered with. If you have any further questions or would like to request more information, please feel free to contact us via the information on the slides. Thank you again and have a great day.