Security for Security's Sake Is Just Going Through the Motions
Last year, as the April 15 tax deadline approached, I realized that I did not have my W-2 statement from the Navy Reserve. I knew it was no problem because all of that information was “easily” available at MY-PAY online. That was simple—“simple” being a very relative term—when I had a Common Access Card (CAC) and reader. However, as a retired O-6 without a CAC, there was no “simple” button available to make this process work.
Evidently, I was supposed to have registered—in person—an email address, phone number and several other personal items at the personnel support detachment (PSD) where I processed my retirement. Because that did not happen, I was unable to register or recover a password, user name or any other data. After major flailing, screaming and pleading, I was told that I could make a copy of my driver’s license, sign that paper and state that I was the person on that license, and then blindly fax that information. Then they would mail my W-2 to the address on the license. Ironically, as I faxed the document filled with personal information, I punched in the wrong fax number and sent that information to who knows where. Great security! Although a week late, I eventually received a copy after a day and a half’s worth of struggle. If an O-6 with former access has that much trouble with the system, how does it work for dependents or retirees? We do not issue them expensive CACs or “CAC lite” cards, which cost more than $100 per card per year over their total life cycle. Houston, we have a problem.
We use a CAC to access networks that hold our fingerprint, our token, our certificates and a host of other information. This allows the identity managers in our system to determine who we are; the card is something they give us. We combine this with a personal identification number (PIN) or user name and password—something we give them—to provide two-factor authentication. This is common in so many different areas of our lives that we take most of the hassle factor for granted. However, are we really who we say we are? If I have your CAC and your password and PIN—which in most cases I can obtain by just looking under your blotter for the yellow sticky where they are written—I have full access to the network as you. Is it really secure?
For those systems without CAC access—which is many of our networks—we have implemented processes that feign security but are beyond unreasonable, forcing members to change their 14-character password every 30 to 60 days. Password changes are often required more frequently than the site is actually used, which means that the password has expired and must be reset on every visit. Passwords have so many restrictions that it is no wonder people write them down for easy access. One site reported that 80 percent of its technical support calls were for password resets, which is a significant use of resources.
To access pay records, TRICARE Online, Army Knowledge Online or a host of other sites, one must have a CAC or have presented oneself in person at a PSD, a military treatment facility or some other government location, however inconvenient. However, with budget cuts and base consolidations, many people are not near one of those facilities and yet still need access.
We now have policies across government that use a commercial best practice allowing for National Institute of Standards and Technology (NIST) level-three remote authentication and identity proofing using approved technologies and systems without a CAC. In some cases, the technology already has been purchased, so why is it not being used? It has been stated that no use case or business owner has requested the implementation. If customer service and taking care of the military family and our veterans is really important, I cannot imagine a better use case or requirement. Why do we make it so difficult for people to access the very sites that are supposed to make their lives easier? It just does not make sense.
Realizing that strict standards were required, NIST issued a special publication, NIST SP 800-63, that describes the requirements for this type of remote identity proofing at Level 3. The Defense Information Systems Agency (DISA) access control Security Technical Implementation Guide (STIG) provides examples of how a solution, similar to that offered by companies such as Equifax’s Anakam Identity Services, can leverage a combination of something you know—a high-entropy password—and something you have—a one-time password device—to enable access to For Official Use Only (FOUO) information, personally identifiable information and electronic protected health information (ePHI) as contemplated under the Health Insurance Portability and Accountability Act (HIPAA), in a manner that conforms to MAC II and MAC III. The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and DISA have issued policy statements and managed successful pilots of this technology, and the Department of Veterans Affairs purchased this technology three years ago to allow for this exact process, but to date it has not executed this capability.
Even with the existence of an approved technology and policy for remote access verification, we still require our members to present themselves in person. Imagine, if we implemented this technology, how it would facilitate better care and service at a much lower cost. It seems to be a great way to manage security effectively, weigh the risk against the operational value and allow us to do what we need to do. We should not just go through the motions; we need to make security work for us—and keep our networks and our information safe and usable.
Capt. Joseph A. Grace Jr., USN (Ret.), is the president and chief executive officer of Grace and Associates LLC and a former chief information officer for Navy Medicine. The views expressed are his own and not necessarily those of SIGNAL Magazine.