No Certainty Yet for Identity Assurance

September 2008
By Charlotte Adams

 
Bob Lentz, deputy assistant secretary of defense for information and identity assurance, emphasizes its importance to all information technology activities while speaking at AFCEA’s Solutions Series conference on identity assurance.
The need for assuring identity is clear, but the path to achieving it is not.

As the armed forces move into the brave new world of information sharing, one of their biggest challenges will be identity assurance—proving that the parties to a virtual transaction are who they say they are, or simply that the person trying to enter a secure facility does in fact have a right to be there. Many current technologies already handle this task, including public key technology and biometrics, but many problems exist as well, such as duplication of effort within the federal government, lack of funding and even understanding what identity is.

Another aspiration is for “federation,” or the achievement of a “single identity” for Defense Department, federal and commercial transactions. While the idea of federation is held up as a Holy Grail by some, it is criticized by others. Given the challenges faced in basic areas such as vetting job applicants and establishing trust and interoperability between agencies, this goal may be a long way off. Nonetheless, a prerequisite for “federated identity assurance” is “finer-grained, role-based access to networks,” according to Bob Lentz, deputy assistant secretary of defense for information and identity assurance. “Identity assurance is the bedrock to everything we’re doing,” Lentz stresses. He hopes to have an identity assurance road map to the White House level in the near future. Ultimately, he foresees a transition to risk-based access control.

 
Richard Hale, chief information assurance executive for the Defense Information Systems Agency, recounts how many identity assurance measures offer both risk and opportunity. 
One point emphasized by many of the speakers at AFCEA’s June 26-27 conference on Identity Assurance, the latest in the association’s Solutions Series in Washington, D.C., is the high level of hostility in cyberspace toward the U.S. government, the U.S. defense industrial base and business in general. As Richard Hale, chief information assurance executive for the Defense Information Systems Agency (DISA), put it, his goal is to ensure “dependable mission execution in the face of cyberattack.” This includes trying to keep a secret while sharing it, he said, conceding that these aims may sound like “diametrically opposed concepts.”

As far as risk goes, even children’s worlds are not immune. Hale cited an example of theft at Habbo, an online hangout for children. In this supposedly benign environment, one child stole another’s virtual furniture and moved it from one “room” to another, Hale said.

Keith Ward, the director of enterprise security and identity management at Northrop Grumman, echoed Hale’s sentiments, warning of the “advanced persistent threat.” This is not the traditional hacker but instead comprises sophisticated intruders with commercial or intelligence agendas, according to the company. The threat of intellectual property theft from cyberattack was a driver in that company’s effort to come up with a common approach to physical and logical access control. According to Ward, intellectual property represents 65 percent of the value of the U.S. gross national product.

His company’s enabling technology is a smart card solution. He explained that its “One Badge” project was a difficult undertaking, not only because of the expense but also because of the diversity of access control systems within the company, which has grown to its present size by acquiring some 150 companies. The new badge will be compliant with federal identification (ID) standards and interoperable with federal badging systems; will include an employee’s name, photo and unique badge number; and will use multifactor authentication, including cross-certification to an internal public key infrastructure (PKI) and biometrics. Ironically, one of the most difficult questions proved to be the look of the card. It took more than 12 months to achieve consensus on a badge layout, Ward said.

Identity is more than a name, which Hale demonstrated by showing a slide with photos of many Richard Hales. He described identification as the use of attributes to understand who a person is or to refer to a person. But the problems and pitfalls of identifying a person have been around for hundreds of years, he said. The idea of lessening risk via devices such as wax seals, couriers and letters of credit existed long before certificate authorities and PKI. Indeed, the Internet and automation have increased risk, as so many parties now are involved in online transactions.

The use of biometric data such as fingerprints for identity assurance and access control in the United States is in its early days, Hale continued. While it would be nice to use a biometric signature to unlock one’s private key, how would you protect the biometric data directory, he asked. As a later speaker pointed out, such a database would be a high-profile target. Hale also stressed the need to avoid fragility in the security infrastructure. When his own common access card (CAC) locked up because of a middleware problem, he had to drive from Pennsylvania to West Virginia to find the one person in the area who could unlock it for him.

But it is not enough for agencies to identify their own employees. Tom Lockwood, a senior adviser for credentialing interoperability for the Department of Homeland Security (DHS), recounted how doctors from the Johns Hopkins University operated boats in the aftermath of hurricane Katrina because they could not be authenticated for a couple of days. The moral of that story is the need for some level of cross-certification of nonfederal entities, he said.

Some successes in identity assurance have occurred, speakers noted. For example, where the Defense Department uses CAC cards for computer access, attacks on user names and passwords have gone way down. But now it is important to encourage other agencies and contractors to use the devices, too, said Neville Pattinson, director of government affairs for Gemalto, a security company.

 
Greg Torres, director of security in the Office of the Undersecretary of Defense for Intelligence, offers that the department expects to begin implementing a baseline standard for facility access early next year.
The Defense Department also is on the verge of standardizing the rule set for access to the department’s facilities, said Greg Torres, director of security in the Office of the Undersecretary of Defense for Intelligence. He expects to be able to start implementing a baseline standard as early as January 2009.

While that step will help to plug one hole, other challenges exist at the basic level of vetting potential employees, Torres said. It is important, for example, to establish very early in an investigation that a person is who he or she says he or she is. Torres asked why investigators coming to a neighborhood to ask about John Doe do not show residents a picture of him and ask them if that is John Doe.

Last year the U.S. military established a Joint Security and Suitability Reform Team to see what improvements could be made in the investigation process. It was decided that the team should “totally reform how we do investigations, and merge and synchronize that so that security investigation is not separate from suitability investigation,” Torres said. One aim is to use information technology and automation to “vet people over time”—to look for anomalies, for example, so that it will be “more difficult to hide in our inefficiencies.” Improvements in the vetting process, together with technologies such as biometrics, soon will make exploitation of an inefficient system “virtually impossible,” Torres predicted. The intent of the reform team, moreover, is to “have a federal process we can all use,” which would reduce redundancy in investigations.

But even within the Defense Department, policies and operational issues can make it difficult to use the CACs effectively. A questioner pointed out that at U.S. military hospitals and clinics overseas, local volunteers and foreign-born members of nongovernmental agencies who need access to the facilities cannot obtain CAC cards. And, even doctors and other workers in surgical areas or pharmacies have to rotate on a single machine, as “swapping a CAC card in and out is simply impractical.”

Another issue is the lingering of obsolete access control technology such as magnetic stripe cards, which still are the only way to enter the Pentagon, one attendee complained. Pattinson replied that magnetic stripe cards are used because the current infrastructure was set up to support them, even though it is possible now to copy the security technology in seconds, erase it or change it. Magnetic stripe technology “can be totally defeated and is completely insecure,” he asserted. The bottom line is that the will and budget must be there to change the infrastructure.

While CAC may be a big improvement on its predecessors, not everyone sings its praises. “[CAC] is broken in so many ways, it’s laughable,” said Dr. Stephen Kent, chief scientist for information security with BBN Technologies. In particular, he said, the e-mail ID is the one over which there are “the most lax and least stringent controls.”

Experts predict that future network infrastructures will involve huge databases with an increased demand for access and a need for stronger security. Among the questions that arise is the fiduciary responsibility of a computer to its owner if the machine is interacting with various elements of a network infrastructure. This question was posed by Tim Jurgensen, the owner and manager of the Identity Alliance, a security solutions firm. Furthermore, he asked, how will documents be signed, what will the signature mean and what weight will it carry across different domains? We need a definition of what identity is that addresses identity from a legal standpoint, he said.

In future infrastructures, would it even be a good thing to ensure that people have a single electronic identity that is capable of traveling across multiple domains? If so, who would create the IDs? Would they be maintained in a single repository? Although a single, global identity might be convenient, it is “just not palatable to people,” asserted Sam Hartmann, chief technologist at the MIT Kerberos Consortium. One big issue is correlation, the ability to collect different items of information that someone has provided in order to access networks, and thereby to know more about that person than he may want to reveal and even to anticipate that person’s plans. If databases become large enough in the future, Hartmann predicted, a need will develop to look at multiple identities.

Even now, the best way to control the possibility of correlation and invasion of one’s personal privacy is to have multiple identifiers, agreed BBN’s Kent. He expressed skepticism about the ability of people to manage complex network access decisions in some future environment, given that almost no one in the United States now can program a videocassette recorder. The profit motive driving vendors is likewise incompatible with assurance, he said. “What worries me about some of the more grandiose identity management things I’ve seen proposed frequently,” Kent said, “is that somebody is looking to become the identity king because they feel a lot of money can be made … their motivations are not beneficial to me.”

Hartmann likewise conjured up a future with large databases and a lot of shared access. “It’s not clear to me that people are going to be very good at making [access control] decisions,” he said. Is it practical, for example, “for me to be prompted every time someone wants to access my medical record?” The decisions that people will have to make about authorization will become more and more complicated, he predicted, adding that it is a problem we even now do not know how to solve. He stressed the importance of education, especially the need to teach about risk evaluation.

Biometric identification relies on signatures that cannot be changed—fingerprints, irises and the like. It involves taking a behavioral or physical characteristic of a person and processing it via automated methods to determine identity in real time, explained Walter Hamilton, chairman and president of the International Biometric Industry Association.

But current optical fingerprint reader technology leaves much to be desired, according to Ross Micheals, a supervisory computer scientist at the National Institute of Standards and Technology. With new technologies, first impressions are key, he said, pointing out that optical fingerprint devices are sticky and warm to the touch, which leaves some people with “hygiene concerns.” Three-dimensional, contactless fingerprint scanners would be superior, but they are still in the research and development stage.

Although advocates of biometrics assert that the technology will be able to close the door on identity theft, the U.S. public is not convinced, he continued. The cultural stigma of having to be fingerprinted has not died out. Biometrics “seems to be held to a higher level of concern than Social Security numbers or credit card numbers,” whereas nonbiometric data may be more vulnerable, Hamilton complained. But the banks “pooh-pooh” biometrics, and the infrastructure does not support it, he said. Still, Hamilton expressed the view that the current centralized database with information on terrorists “will be enhanced with the addition of biometric attributes.”

Biometric technology, he conceded, needs beefing up. For example, sensors need to be capable of “producing good data input” under “adverse environmental circumstances.” Sensors also need to reduce the risk of misidentifications and spoofing. Furthermore, biometric data must be implemented in a system that is cryptographically supported, making it very difficult to steal and abuse.

Hamilton argued that the United States needs a biometrically enabled Social Security card and a guest worker program with a biometrically enabled identity document. Almost every ATM machine in Japan is biometrically enabled—tens of thousands of them—and almost 80 percent of cell phones in Japan use a fingerprint device to authorize use of the phone, access monetary value stored in it or retrieve personal information or address lists from it, Hamilton said. He argued that the United States is far behind in this critical technology.

Meanwhile, the armed forces, police departments and the Federal Bureau of Investigation seem to be leading the way. The U.S. military is using biometric tools in the theater of war and is working to make the devices smaller and lighter. The Chicago police department has an automated fingerprint identification system, as do Los Angeles County and the city of Miami.

 

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.