Alan Turing Institute reveals digital identity and DPI risks in Cyber Threats Observatory Workshop

Digital identity systems are showing growing vulnerabilities with commensurate risks for the development of DPI.

The Alan Turing Institute launched the Cyber Threat Observatory last year, focusing on monitoring cyber threats to digital ID systems.

It has conducted an in-depth analysis of Common Vulnerabilities and Exposures (CVEs) for national identity systems, across four foundational domains of Digital Public Infrastructure (DPI) — digital identity, finance, health and government.

A half-day workshop hosted online via Zoom is scheduled for June 19. The workshop will focus on findings from the Alan Turing Institute’s Cyber Threat Observatory for National Identity Systems. Key insights and emerging trends are identified, with presentations from industry experts and country partners including Argentina, Sri Lanka and Zambia.

Registration for the Cyber Threats Observatory Workshop can be found here.

In the institute’s Cyber Threat Observatory report, it found risks for digital identity rising the most, with CVEs increasing from 290 in 2020 to 569 annually by 2024, which reflects both increased adoption of digital identity and its growing exposure to threats.

From early 2020 through mid-2023, the number of CVEs associated with Digital ID systems increased steadily, with occasional periods of volatility, from early 2020 through mid-2023. However, from late 2023 onwards there was “a marked acceleration,” according to the report.

The trend indicates that threat actors could be targeting identity mechanisms such as authentication, session management, and role-based access systems.

The policy implication for governments translates to a need for more detailed cyber incident reporting across all critical sectors, the institute recommends. An issue is the “weakest link” problem. A well-resourced sector like finance might invest in strong security, but their dependence on, say, a national ID system means they are still vulnerable if that ID system is weak.

The institute believes this calls for viewing DPI security as a public good. Improvements in one sector’s security, such as “hardened” digital ID protocols, could benefit other sectors’ security. Integrating security and development teams is recommended as is promoting a culture of shared cyber responsibility.

Digital ID, government, healthcare, and finance must advance together on the cybersecurity maturity curve, the report says, as a weakness in one can undermine the public’s trust in all.

The report also classifies CVEs by attack vectors: Network, Local, Adjacent Network, and Physical. Remote Network threats were dominant, particularly affecting finance and digital identity platforms. But Local and Physical attack surfaces, especially in health and government, are increasingly relevant due to on-premise systems and biometric interfaces, according to the Cyber Threat Observatory.

As national ID platforms, e-signature gateways, and authentication services continue to move online, they expand both citizen access and the reach of adversaries. The steady increase in Network based CVEs suggests an “urgent need” to harden Internet-facing components, particularly IAM interfaces, OAuth/OIDC flows, and session-token endpoints, against volume-driven risks, the report suggests.

“Any lapse in these areas could compromise foundational DPI services, from delivery to digital voting,” the Cyber Threat Observatory warns.

While Physical attacks within digital ID systems are low, the persistent presence of such attacks is of “disproportionate importance,” according to the report. This is because such breaches can have irreversible consequences, particularly for systems involving biometric data, hardware tokens (such as smartcards) or cryptographic key stores.

“A successful Physical vector compromise can undermine the trustworthiness at the root of an identity ecosystem, reversing the validity of every transaction, signature or claim derived from it,” it says.

In addition, as digital ID systems expand their presence – to mobile apps, kiosks, and cross-sector service delivery channels – the attack surface becomes larger and more diversified. “Biometric data, identity tokens, and session cookies become high-value assets sought after, not just by opportunistic attackers, but by well-resourced threat actors,” the observatory warns.

Identity systems now function as “amplifiers of risk” since their compromise can spread across service layers, affecting healthcare access, financial authorisations, and legal documentation processes. However, by addressing common weaknesses, sharing knowledge, and enforcing security governance across the DPI spectrum, foundational digital infrastructure can be better safeguarded, the report summarizes.

Article Topics

biometrics  |  cybersecurity  |  digital ID  |  digital identity  |  digital public infrastructure  |  national ID  |  Turing Institute