For Security, the Eyes Have It
… and so do the Fingertips as biometrics evolves.
Passwords will become passé as the military moves toward fingerprint reading, iris scanning and voice recognition as gateways to many of its information and weapon systems. As a result of legislation enacted last year, plans are moving forward to use biometrics for identity verification wherever possible. The goal of the coordinated effort is to shore up information assurance throughout the armed forces by replacing the vulnerable password system with technologies that identify “you as you,” according to security experts.
Biometrics-based devices measure, analyze and store unique biological data such as fingerprints, retina and iris characteristics, voice and facial patterns as well as hand geometry. Some research is even being conducted into identifying users by their keyboard typing techniques. The scanned information is converted into a digital format, and software identifies specific data that act as match points. Unlike token devices such as smart cards that can be lost or stolen or passwords that can be forgotten, observed or cracked by hackers, biometrics identification methods are virtually fail-safe.
U.S. Defense Department leaders believe that these techniques address a concern about U.S. operational systems left on a battlefield that could be used by an adversary after troops have been pulled out of the area. If biometrics identification is required for operation, the systems are rendered useless to anyone other than approved personnel.
Early last year, the U.S. Army, recognizing that its information systems continue to face an increasing number of security threats, announced a biometric information technology and information assurance initiative within the Office of the Director of Information Systems for Command, Control, Communications and Computers. In April, the Army Biometrics Office was established and charged with formulating policy for the acquisition, testing, evaluation and use of biometrics products for the service’s information and information-based systems.
Last July, the Army was designated as the executive agent to lead, consolidate and coordinate all biometric information assurance programs for the U.S. Defense Department. The service is working on behalf of the assistant secretary of defense for command, control, communications and intelligence. Each service received additional operation and maintenance funding to carry out its investigative work on the technology. The Army received $5 million, and the U.S. Navy and U.S. Air Force were each awarded $1 million to pursue biometrics-based assurance programs under the direction of the Army.
To coordinate its efforts, the Army created the Biometrics Management Office (BMO), Falls Church, Virginia, which falls under the auspices of the service’s chief information officer. The BMO provides management and oversight for the Army’s biometrics program, including doctrine, plans, policy, standards, requirements, coordination and a cost-effective implementation strategy for integrating biometrics applications into the Army’s systems. In its role as executive agent for the Defense Department, the organization supplies overall guidance to all of the services.
Phillip J. Loranger, the BMO’s director, believes the Army was chosen to lead the department’s biometrics efforts in part because of the substantial progress the service had made in adopting biometrics in a short period of time. “There is also one other interesting thing. If there’s going to be a more reliable way to access systems, the Army is the best place to do it, because we have the highest density of different types of equipment and systems,” he explains.
The first step for the office was to set up the management infrastructure, Loranger, a retired Army warrant officer, says. One primary goal has been to ensure that the office’s mission is synchronized with orchestrating the introduction of biometrics technology into all of the services. “We want to be the bellybutton, so to speak, so that we’re at the center and coordinate efforts,” he says.
The organization is examining commercially available biometrics technologies to determine whether the military as well as other government agencies can adopt them. Biometrics technologies incorporated into the Defense Department must meet certain requirements. They must be relatively low cost and operate in a variety of environments, from offices to the battlefield. Biometrics technologies cannot further tax already stressed systems in areas such as bandwidth requirements and must be compatible with the biometrics application programming interface. The BMO must approve all proposed technologies prior to insertion.
The military foresees biometrics-based identity verification as a way to protect more than just information and systems. The technology would provide physical access security to restricted areas and also could be integrated into some weapon systems to facilitate the soldier-machine interface. However, Loranger cautions that care must be taken when considering biometrics technology for handheld weapons used in the field. “I started my career in the military in the Vietnam War and ended it in Desert Storm. The reality is that if my weapon jammed, I might have to use my buddy’s weapon. So you have to be careful,” he offers.
The BMO Virginia office will work in conjunction with the Biometrics Fusion Center located at the Benedum Airport complex in Bridgeport, West Virginia. The facility, which currently houses a small staff, is scheduled for future expansion. While the staff at the Falls Church office will focus primarily on oversight, initiatives, policy, doctrine and the overall direction of the program, fusion center personnel will test and evaluate commercial technologies prior to their integration into military systems. Future plans call for the center to act as a repository for the secure storage of central biometrics data and to serve as a central operation site for local service repositories.
According to Loranger, the BMO has launched a comprehensive pilot program to establish a methodical approach for assessing how biometrics can enhance missions and leverage common needs and experiences across the Defense Department. “We have to be somewhat careful of what we do because we don’t want to upset current programs,” he states.
To this end, the BMO is coordinating its efforts at the chief-technology-officer level with each of the armed forces. This approach ensures that the services are all headed in the same direction and that the budgets being adopted make sense and reflect cooperation, not competition, Loranger offers. In addition to Fort Monmouth, Scott Air Force Base and the Space and Naval Warfare Systems Command, the BMO is working with military research laboratories and academia.
The group’s current strategy is threefold. Near-term, or tactical, goals involve using existing commercial biometrics products and leveraging each service’s success with the technology. The BMO’s aim is to accelerate the transition of the critical biometrics capability into the Defense Department to reduce current system vulnerabilities and at the same time provide commanders with effective tools to address identification problems and enhance force protection.
Midterm, or operational, goals include supporting work to establish international biometrics data standards and communications protocols and implementing standards throughout the Defense Department. In addition, the office will facilitate the growth of the biometrics industry by providing a single infusion point for the technology for the entire department.
The BMO’s long-range, or strategic, goals take the technology into future battlespace scenarios. The objective is to create and implement integrated biometrics systems that would support network-centric warfare and enhance individual privacy with the effective adoption of newer technologies.
Although the office may contract for specially designed items in the future, Loranger says that currently the BMO is looking only at commercial products to meet its requirements. The office does not endorse any specific company or product. “We went to predominantly COTS [commercial off-the-shelf] for software and hardware a couple of years ago. Based on the fact that we have a large amount of COTS systems embedded in the Army now, it’s a common sense approach to go to COTS now. We are able to jump in and take advantage of 20-plus years of commercial and academic research and development experience,” he explains.
The Biometric Consortium is one industry source for commercial technologies. The group serves as the U.S. government’s focal point for research, development, testing, evaluation and application of biometrics-based personal identification and verification technology. The BMO works with many of the firms that are part of the consortium; however, any company that is interested in pursuing work in this field with the military is encouraged to contact the BMO, Loranger says.
Among the organizations that the office also works with are the BioAPI Consortium, the International Biometric Industry Association and West Virginia University.
Loranger points out that this initiative is about more than just the technology. “This is a different way of doing business because this is not a system in itself. We have an inherent responsibility to work with a number of people. The bottom line is the survivability of the technology,” he says.
Although the equipment itself must function in a number of environments, Loranger says the issue is not one of ruggedized platforms but rather database management, an area where a fair amount of work still needs to be done. A bandwidth requirement for identity verification could tax already overtaxed systems. One solution would be devices that offer 100 percent verification on site. However, Loranger explains that a major revolution in database management would have to occur for this to take place because match points not only must be stored but also must be quickly retrievable.
In addition to tackling technical hurdles, the organization must also address important peripheral issues. To this end, the Army conducted two separate studies. One review explored the legal impact and privacy implications of using biometrics. According to Loranger, the bottom line of the investigation showed that no legal constraints to employing biometrics currently exist. The second analysis reviewed the feasibility of adopting biometrics-based technologies. “We determined that if biometrics is going to be successful it must be done from an overall services perspective and not a single-service environment. Interoperability plays a major role in anything that we’re going to put out there,” he says.
A number of biometrics-based devices already have been deployed for both use and testing by the military. Although the technology is important, Loranger contends that the introduction of this type of information assurance approach requires that the appliances exceed conventional user-friendliness. “Most of the people at the Pentagon who are fully engaged have six or seven passwords. The current password process configuration is that they are randomly generated and that they should be memorized, not written down. Hackers can still break passwords. Biometrics creates a better man-machine interface. It is a true leap forward,” he says.
Loranger views the introduction of biometrics as a new way of thinking and a major step toward increasing information assurance. Although not a silver bullet, identity authentication using unique biological characteristics is very exciting, and he believes the method will increase in popularity for both the military and the commercial sector. He predicts that in five to seven years it will be the way the majority of authorized users access systems.
In addition to primary military missions, biometrics identity verification could be used in telemedicine, noncombatant evacuation operations, counterdrug and counterterrorist missions and personnel administration matters such as retirement pay processes.