Security Gets Smarter

n the Fox television drama 24, agent Jack Bauer and his co-workers at a fictitious federal counterterrorism agency use sophisticated smart cards with embedded microchip technology to outwit terrorists and protect American interests. Technology not very different from that used in the series is fast becoming a fact of life for employees at federal departments and agencies.

Organizations that had made the decision to incorporate smart cards into their technology infrastructures before Sept. 11 are moving to do so even more quickly now. At the Federal Aviation Administration, Sept. 11 reshuffled priorities. Officials had long intended to develop smart card-related projects to enhance security in FAA buildings, networks and PCs, but other priorities and budgetary considerations had pushed the projects to the back burner. The events of Sept. 11 cast the technology in a very different light. After the attacks, the FAA swung into action, quickly developing a request for proposals for a pilot project that eventually could put smart cards into the hands of as many as 150,000 FAA employees and contractors.

"There was a tremendous sense of urgency to get on with it and try to roll it out as quickly as possible, but to do it in a way that would serve us not only in the next six months, but in the years to come," says Dan Mehan, FAA's chief information officer and assistant administrator for information services.

Immediately after Sept.11, Transportation Secretary Norman Mineta set up action teams, two of which focused on smart card technology. Representatives of the Transportation Department, the FAA's CIO office and the Transportation Security Administration-an agency formed as a direct result of Sept. 11-participated in the teams. Very quickly, the teams settled on a set of standards that would define the technologies to be included on the cards.

For the first pilot test, which will outfit about 20,000 FAA employees with smart cards designed to provide physical access to FAA buildings, the cards will include integrated circuit chips that will hold specific information about the cardholder. A magnetic stripe will allow the card to be read by a smart card reader in the agency's buildings. The cards will include photos for identification purposes, and will rely on radio frequency technology for building access. Mehan expects the rollout of the smart cards to the pilot group to be finished by October.

If the pilot test succeeds, the program will be expanded to offer access to PCs and networks as well as to buildings. During this phase, which Mehan hopes will take place by the end of 2003, biometrics, such as fingerprints, will be added to the cards to ensure even higher levels of security.

The newly formed Transportation Security Administration also is seriously considering issuing smart cards to the millions of transportation workers at airports and seaports. The push is due in large part to the 2001 Aviation and Transportation Security Act, which requires the Transportation Department to develop a universal worker identification system. To that end, the TSA plans to embark on at least two pilot projects this year that eventually will lead to the issuance of 10 to 15 million smart cards for access to buildings and computer networks. The cards likely will include biometrics, said Gregg Hawrylko, program manager for the Transportation Department's Credential Project Office, at the Smart Card Alliance conference held in June in Washington.

The Transportation Department's decision to step up its smart card effort after Sept. 11 is just one example of accelerated interest governmentwide, says Jason Schouw, a vice president at SCM Microsystems Inc., a Fremont, Calif., smart card hardware vendor. One case in point is the Immigration and Naturalization Service. Although it had been issuing green cards for many years to enable noncitizens to remain legally in the United States, everything changed with the passing of the 2001 Enhanced Border Security Act, which required the INS to begin collecting biometrics of foreigners entering the country. Although INS officials still are considering their options, smart cards holding the biometrics are being discussed.

A SENSE OF URGENCY

Other agencies, including the Defense, State and Veterans Affairs departments and the Federal Deposit Insurance Corp. have had smart card-related security projects under way for some time. For many of them, however, the events of Sept. 11 created a greater sense of urgency and purpose.

The VA has been working on a variety of smart card pilots for the past two years and officials already had concluded that the technology would be a good fit for the agency, says Kent Simonis, director of health administration services. During both the design and implementation phase of the smart card pilot, Simonis says, the VA's staff was highly sensitive to the need for enhanced security provisions to protect the information on the card. The pilot involved issuing about 25,000 cards to veterans served at two VA medical centers. The cards, which include information on patient registration and eligibility for benefits, operate on a network-centric system, meaning that most of the information on specific patients remains within the VA's IT system instead of residing on the card. The amount of information alone prohibited using a card-centric approach, Simonis explains.

The VA is developing a national photo database of patients for use with the next iteration of the cards. Under the previous design, photos of patients resided at each medical center and couldn't easily be shared with sister facilities. The new design involves developing a central card management directory so the card vendor can match an image of the patient with his eligibility and demographic information. "That way, we'll know the person is who he says he is, and if he has a history of violence or other problems, we can take appropriate measures when he visits a VA facility," Simonis explains.

Even Defense, perhaps the farthest along in implementing smart card technology with its highly touted Common Access Card, may have been influenced to change course slightly as a result of Sept. 11. "After 9-11, we've seen that the DoD is running a biometric trial [and] looking at adding fingerprint technologies to the card to be used for physical access," says Keith Ward, general manager for smart card security solutions at Northrop Grumman Corp. Northrop is one of four prime contractors on the GSA's Smart Access Common Identification contract and a Defense supplier. Ward says that many federal smart card projects are shifting away from personal identification and computer access toward physical security and the technology surrounding it.

REMAINING CHALLENGES

Although there is more interest in smart cards throughout the federal government than ever before, challenges remain. One potential sticking point is cost. Installing the infrastructure and sophisticated card readers-not to mention issuing the smart cards themselves and reworking legacy systems to accept the cards-doesn't come cheaply. And because most federal budgets didn't account for the development of smart card programs before Sept. 11, funding can be hard to come by. "Before 9-11, nobody had budgets for this," Ward notes. "A lot of the funds we see today are [for] proof of concept [projects], with pilot [tests] of anywhere from 1,000 to 30,000 employees being used to work out the right requirements of biometrics and smart cards for these agencies." Those test projects will help garner budgetary support, Ward says.

Another challenge is interoperability-the ability of all smart card technologies, including microchips, card readers and biometric technologies, to work effectively no matter which company manufactured them. "The goal is not to have to tear out all of the existing infrastructure.

It's a challenge to develop one card with enough functionality to be used with several different facilities in different agencies, as well as for access [to desktop computers and networks]," says Marvin Tansley, vice president of SchlumbergerSema Test & Transactions of Austin, Texas.

The government has made progress in resolving this issue through the use of GSA's Smart Access Common Identification contract. The contract requires all smart card-related technologies used in federal installations to comply with specified standards that allow seamless interoperability among agencies, explains David Temoshock, director of identity policy in GSA's Office of Governmentwide Policy.

Moving to smart card systems also raises privacy issues. "We're always striking the best balance we can between security and privacy," Mehan says. "We've had privacy advocates from the agency and department look at what we're doing, and as we upgrade the power of the card, we'll keep asking ourselves these questions."