DOD Secures Network with Smart Cards
“What an amazing enabler it is for security,” U.S. Army Col. Barry Hensley said of the Department of Defense (DOD) smart card-based network security implementation. Hensley’s remarks came as the Smart Card Alliance kicked off its 6th Annual Government Conference by hosting a meeting of the Federal Smart Card Interagency Advisory Board (IAB) at the Ronald Reagan Building.
Hensley said the network security threats are real, and as the manager responsible for operating and defending the DOD’s 15,000 networks, he should know. Every six seconds someone, somewhere is scanning their network trying to get in, he said, and passwords present an unacceptable risk. “The problem with user name/password is once you get it, you’re in,” he said.
But he was enthusiastic in his praise for the success of the agency in securing its networks using the Common Access Card (CAC) smart card with a digital certificate implementation based on a public key infrastructure (PKI). “It’s amazing how we’ve cut them off at the knees just using CAC PKI. We are seeing ROI, so much so that we want to take it to the next level,” he said.
Since 2000, the DOD has purchased and issued 12 million CAC smart cards, with a current user population of 3.4 million. Today 92% of eligible users are logging in using the smart cards and 98% of DOD’s servers are PKI capable.
The DOD CAC program is the U.S. federal government’s most advanced smart card credential program and the forerunner for the program mandated by Homeland Security Presidential Directive 12 (HSPD-12) that requires a smart card identity credential for all federal employees and contractors.
Mary Dixon, director of the Defense Manpower Data Center for the DOD, encouraged other government agencies represented at the meeting to move forward with their own programs to issue the Personal Identity Verification (PIV) cards and use them for network security. “It does work and we’re proof positive. Smart card credentials are the identity token of the future,” she said.
HSPD-12. The GSA plans to announce a new shared services provider to issue PIV cards within the next two weeks, Michel Kareis of the GSA Managed Service Office announced. The GSA Shared Services contract will provide credential issuing support for 420,000 end users in 42 agencies and is one of the most important initiatives for ramping up the PIV program. The agency plans to have 200 fixed and 25 mobile stations deployed over the next ten months. Once started, the agency expects deployment capacity to ramp up by 10,000 units each month.
TWIC. John Schwartz, assistant director of the Transportation Worker Identity Credential (TWIC) program for Dept. of Homeland Security (DHS)/U.S. Coast Guard, announced the cost per worker for TWIC credentials and background checks will be $137.25. The credential is valid for five years. With the rule published January 25th now in effect, the organization has the legal authority to issue TWIC cards; however, the organization is still wrestling with decisions on biometrics and encryption.
DHS looks for credentialing interoperability. Tom Lockwood has been appointed as senior advisor for credentialing interoperability with the Department of Homeland Security’s Screening Coordination Office, Alliance meeting attendees learned Wednesday. In his new capacity, Lockwood will build on his pioneering success in developing common interoperable credentials for public and private sector first responders by working on key screening initiatives including fostering interoperability of credentialing systems for federal, state, and local governments. Lockwood has served as director of the Office of National Capital Region Coordination since May 2004.
State governments. “New Jersey is in fact looking at implementing FIPS 201 compliant HSPD-12 credentials for our first responders,” said Paula Arcioni, currently serving as the statewide information security officer at the State of New Jersey Office of Information Technology.
Arcioni also had some pragmatic views on what states should be doing about protecting people’s identities, though she stressed her opinions represented her own views and not those of the State of New Jersey. “Dead people shouldn’t drive and they shouldn’t vote but we all know that they do,” she said. “State and local governments need to step up to the plate to protect people’s identities. What they need to do is re-engineer identity systems for life in the 21st century.”
Eventually she sees states integrating breeder documents like birth certificates to support some form of widespread credentialing model for vetting purposes. She also sees practical steps that can be taken in the short term, like flagging someone’s birth certificate record when deceased.
Privacy considerations and Real ID. Ari Schwartz, deputy director of the Center for Democracy and Technology, representing the privacy community, supported the idea of driver’s license reform. In fact, he said, good security is essential to protecting privacy and the two are tightly linked.
“We are in an identity crisis,” he said. “Identity theft is bad for privacy, and one of the most important things privacy advocates talk about is that driver’s licenses are a part of the problem.”
Commenting on the DHS Notice of Proposed Rulemaking (NPRM) on the Real ID Act, Schwartz identified some remaining privacy issues. In his view, DHS needs to do more to set privacy sensitive policy for the states and does have the authority, though DHS feels it does not. DHS is promoting common access to a database administered by the American Association of Motor Vehicle Administrators (AAMVA), which would effectively create a centralized database and would give states with the weakest privacy and security practices access to private information collected by the strongest states.
Schwartz also criticized the current DHS plan because it creates security concerns about the license credential itself. The plan leaves the Machine Readable Zone (MRZ) without any security features. The DHS “lean” towards encryption is not good enough, and allowing a free read of the MRZ stripe would encourage its use for other applications and create databases full of information at risk.
“People say privacy groups are against driver’s license reform. That is not true. Privacy groups are trying to stop bad driver’s license reform,” said Schwartz.
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.