Socure SVP & GM of Government Matt Thompson joined Brian Chidester on the Government Huddle Podcast to discuss Socure’s approach to digital identity and his lessons learned from serving as a US Army Ranger at Joint Special Operations Command under General Stanley McChrystal.
We also have a summarized version below that hits some of the highlights of Matt Thompson’s conversation.
Q: Matt, first of all, thank you for your service and I appreciate you being on the podcast to talk with me today. This episode is a special one because it’s September 11th, 22 years after the attacks. What do you remember from that day specifically?
A. I was at Virginia Military Institute and was in class when it happened. I remember some cadets running down the hall in the engineering building and telling people to turn on the TVs and look at the news. I think everyone was collectively in a bit of shock. For those of us that were already in the process of preparing for military service, it made that commitment more real.
Q: How did seeing that happen impact you in terms of making your transition into the military?
A. I had been preparing for service as an infantry officer. For those of us entering the military, 9/11 ramped up the expectations that we would be battle-tested a lot faster and sooner than our predecessors. It created this mental shift from training for the sake of learning a skill to training for the sake of learning something that you have to employ in combat. And the reality that there’s going to be real lives on the line as a result of the decisions you’re making. It heightened the intensity of training and preparation.
Q: You had the privilege to serve under General Stanley McChrystal. I’ve been around you when people reference his book Team of Teams, and your response is that you lived it. When people say “Team of Teams”, what does that mean to you?
A. This was the work of General McChrystal and his direct leadership team to transform the culture within Joint Special Operations Command (JSOC). I had the benefit of serving as part of that group during three of my four combat deployments and got to see the impact of this culture transformation in the book Team of Teams. The best starting point for a lot of leaders is to build a more agile and adaptable team culture.
The principles of Team of Teams are based on building trust, common purpose, shared consciousness, and empowered execution so that you can adapt to this rapidly changing environment. You can build a bond where people are working and communicating effectively so that they’re getting more things done without everything having to go through a centralized chain of command for reporting and approvals. Under McChrystal’s leadership, he changed the paradigm around decision-making and the speed of execution. At the time, our most elite units were getting beaten by the Taliban or Al Qaeda, and we needed a way to adapt to defeat them. I have brought the Team of Teams philosophy into every civilian organization I’ve been privileged to lead, and it’s had a dramatic, positive impact.
Q: You helped co-found ID.me, which helped you into the digital identity space. Could you tell the listeners a bit about why you helped found ID.me?
A. I had a great challenge of proving that I had served in the armed forces once I left service. A lot of businesses and employers wanted to give some type of discount to people who served in the military, but there wasn’t an ID card or easy way to prove that you had served.
There was also a rise in “stolen valor” where a lot of fraudsters got easy access to the military benefits they weren’t eligible for. I set out to solve that challenge and made that my priority. I spent a few years working in the military community, but I found that the problem was much broader than just the military community: we all have a challenge in proving our identity online. In fact, businesses and government agencies are defrauded at scale by organized criminal networks and nation states. I expanded the mission to focus on the entire American population.
Q: You’ve said that it’s really hard to talk about digital identity verification without talking about fraud. Could you talk about the three primary types of fraud? First-party fraud, third-party fraud, and synthetic identity fraud?
A. Third-party fraud is where I’ve taken Brian Chidester’s personally identifiable information (PII) and used it to impersonate you. This information is accessible through multiple channels because of all the data breaches that we’ve had. It’s not very hard to get access to people’s name, date of birth, address, Social Security number, etc.
Synthetic identity fraud is on the rise and has been in financial services for the past decade. We’re seeing it rise in government programs where someone has manipulated or fabricated real identity elements to put them together in order to create something that looks like a real identity, but is not associated with a real human being. That’s a Frankenstein identity.
First-party fraud is where someone is a bad actor: they write bad checks, submit false chargebacks, and do other types of fraud.
Q: What are some of the more pressing challenges that leaders in government are facing when it comes to digital identity verification?
A. Right now, the biggest challenge is how modern digital identity verification systems need to operate – identity proofing as many good people with as little friction as possible while preventing the evolving types of fraud attacks that are happening across government programs. Everyone is aware of the magnitude of the problem. During the COVID-19 pandemic, we potentially lost hundreds of billions of dollars. We’ll never really know the true number, but the number is large.
The challenge is that the government has to solve for 100% of the population, unlike Capital One. That’s really hard to do. You have to find a way for all constituents to access digital identity through some channel. But there’s a balance where you can put less friction on the majority of people while also preventing as much fraud as possible. There’s a limiting belief that if there’s not a 100% solution, then no solution should be put in place.
I think we need to put the best identity verification solutions in place for a given channel. We can create different paths so that government mission owners service as close to 100% of the population as possible, but there is no one-size-fits-all approach to digital identity verification. We need to find the best solutions for different channels and different approaches to verifying who people are.
Q: There’s a myth out there that maybe there needs to be a human involved for identity verification. The truth is that the more automation you have, the better the customer experience is – there’s less wait time and fewer time taxes in the process. It also saves the government a substantial amount of money. Is that what you’re finding?
A. You are always going to need to have capacity for people that prefer to do business in-person. That can’t go away and should be part of governmental functions. However, today we can verify the vast majority of the population through online or mobile channels and do it in a way where we have a lot of certainty that they are not a fraudster. The identity verification technologies that solve for this are getting much more accurate and resilient. The flip side is that this is a constantly evolving space where the bad actors are evolving as well. You can’t use static approaches; you need to have dynamic approaches because the population looks different over time, both from a constituent and fraudster perspective.
Q: When I think about dynamic technologies that are being used by fraudsters, my brain goes immediately to artificial intelligence. How are AI and Machine Learning having an impact on the space?
A. The headlines are focused around deepfakes and how easy it is to produce realistic copies of voices and other biometric data. Those can pass some of the biometric verification technologies in the market today. We’ve got to look holistically at identity elements and not just use a single point of identity verification or identity authentication.
Q: How can the government keep up with dynamic change?
A. I was working with one state on how they need to modify or think about changes to their contracting to accommodate for machine learning applications. While a lot of their contracting has been set up for SaaS companies, we still have work to do to make it AI/ML-friendly. Adversaries are using AI/ML to overcome the controls that are in place, and if similar technologies are not being used by the government, [the government] is going to struggle.
Q: How did the shift to digital during the pandemic help fraudsters?
A. Fraudsters knew they had an easy target that could be exploited. To tie the Team of Teams model into it, the fraudsters were well-networked and decentralized. They’re good at quickly sharing techniques. There needs to be a large culture shift, similar to what General McChrystal led us through at JSOC, where we became more networked against the adversary, better at information sharing, and better at decentralized execution.
Q: And there are more than just individuals committing fraud, correct? There are nation states involved that are attacking public benefits?
A. The former category exists; I call them “pickpocketers”. There are a lot of people that are pickpocketing the government because it’s easy and there haven’t been a lot of repercussions. There were far more people who got away with fraud than those that were actually prosecuted. We also need to shut down the attacks that are happening at scale by organized criminal networks. There’s work by the FBI and other law enforcement agencies to go after those enterprises, but a lot of them are overseas as well.
The best remedy is to improve our controls and the identity fraud detection software we’re using so it’s not as easy for them to do what they did. The government also has a stewardship responsibility to make sure it’s not easy to use PII to enroll in an account or go after a benefit. If I steal Brian Chidester’s information, Brian gets notified. Then Brian has to go clear his name and prove it wasn’t you. There’s a lot of time being wasted for people having to fix when someone fraudulently uses their identity.
Q: How do you think the greater push for transparency will affect digital identity going forward?
A. I’ll start with something prominent: user centricity. We need to design these solutions from the user’s point of view. We need to empower the user to understand what data is being collected and how it’s being used. We’ve got a long way to go in terms of rebuilding trust in digital service delivery because of the lack of transparency we’ve had. There’s an opportunity to regain trust by being clear about privacy and giving control to the individual with respect to their identity information.