[LINK] Dumb Americans slow to catch on
Roger.Clarke at xamax.com.au
Thu Feb 25 09:24:07 EST 2010
Smart IDs slow to catch on
By TIM KAUFFMAN | Last Updated: February 21, 2010
Six years ago, President Bush sought to equip all employees and
contractors with high-tech identification cards that would tighten
security at federal buildings and on computer networks.
But that effort has largely failed so far to live up to its promise.
Nearly 1 & 1/2 years after employees and contractors working at federal
facilities were supposed to have been issued the new IDs, about 1.1
million still do not have them: Just 42 percent of employees and
contractors at non-Defense agencies have received the cards.
And only a handful of federal agencies have readers and other
infrastructure installed that can make full use of the personal data
embedded on the cards, such as fingerprints and personal identification
"Absent those uses for the card, the card is worthless. So we need to put
it to work," said Scott Glaser, a senior program manager in charge of
physical access controls at the General Services Administration's Public
Governmentwide, 82 percent of the 6.2 million employees and contractors
required to obtain the enhanced-security ID cards had received them by
the end of 2009, falling short of the original mandate to have all cards
issued by October 2008. Most of the progress has occurred at the Defense
There's been even less progress in using the cards to secure access to
buildings and computers.
Only a relative handful of the government's 400,000 owned and leased
facilities have card scanners and other technology needed to read the
personal data encrypted on the cards and detect automatically whether the
card holder should be granted access to the particular building or
The IDs include a computer chip that holds at least four pieces of data
to verify the cardholder's identity: two fingerprints, a personal
identification number the cardholder would know, an identifying number
unique to each card and a digital signature.
A major hurdle, federal managers say, is that agencies lack money to
purchase and install the readers and related technology.
The Bush administration issued Homeland Security Presidential Directive
12 (HSPD-12) — the presidential order requiring the governmentwide
rollout of smart IDs — in 2004 without providing any additional money for
agencies to perform the more robust background checks on their employees
and contractors that were required, to purchase the cards or to purchase
and install the systems needed to use the card's enhanced security
"This was an unfunded mandate," said Bob Shaw, director of security at
More progress has been made in using the cards to access personal
computers and laptops since that requires less investment.
Defense, State and some other departments require employees to use the
cards rather than passwords to log in to their computers.
Requiring employees to use the cards to access computers had an immediate
impact at Defense: Intrusions to the department's unclassified networks
dropped 46 percent after all employees began using the cards to access
computers in 2006.
Agencies are "just getting through the issuance of the cards," said Mary
Dixon, director of the Defense Manpower Data Center, which manages card
issuance at the Pentagon.
"Now it's a matter of, how do I use this in a way that makes sense so
this is not just a card that I hang around my neck, but I'm actually
Defense officials have already found other uses for the cards:
• Managers use them to digitally approve travel claims, leave requests,
fitness reports and other work documents, which expedites approvals and
• Employees use the cards to open encrypted e-mails containing sensitive
or personally identifiable information.
[Let's see now. I'll get you into the habit of leaving your
thumbprint lying around in places convenient for identity thieves, in
order to protect data that could be useful to an identity thief.
Clever design, that.]
• Employees can use them as cash cards for approved purchases. For
example, Marines entering boot camp can get cash advances loaded on them.
• Employees can use them to ride local subway trains and buses. For
example, Defense employees in Utah receive mass transit subsidies on their
cards and use them when commuting under another pilot that likely will be
expanded to other metro systems.
Vivek Kundra, federal chief information officer, said the number of cards
issued to federal employees and contractors increased 65 percent last
year, indicating that the Obama administration and agencies are focused
on the effort.
The Agriculture Department, for instance, increased the number of cards
issued from 21,000 in October 2008 to more than 86,000 by the end of
2009. The agency deployed card readers and related technologies at more
than 150 of its facilities to manage facility access, a spokesman said.
Still, the department has much to do in deploying card readers at all
25,000 buildings it owns.
Neville Pattinson, vice president of government affairs and technology at
Gemalto, a leading smart-card vendor, said it may still take a couple of
years before all employees and contractors are issued smart IDs and even
longer before agencies outfit their buildings with systems to accept the
cards. "Each agency has a unique set of challenges, no question,"
Pattinson said. "Some are small, some are distributed. There is no single
recipe that works for any of this."
The costs of outfitting the 9,000 buildings that the General Services
Administration owns and leases for federal agencies will be passed on to
tenant agencies through the rent it charges. GSA officials say they don't
know how much it will cost to roll out the required technology, but it
will be far less today than it would have been even a few years ago
because of technological breakthroughs and an expanded marketplace.
"We are very pleased we're taking this slowly and methodically," Glaser
said. "We're doing this methodically to be sure we have it right. We
can't afford mistakes."
Input, an IT consulting firm, estimates that agencies will spend $500
million this year on goods and services related to HSPD-12. Spending is
growing at a rate of about 6.5 percent annually, said John Slye,
principal analyst at Input. He said it's difficult to predict how much
agencies will need to spend to fully implement HSPD-12 since agencies
could generate substantial savings by taking advantage of economies of
"Dollars isn't necessarily a good reflection of success. It's hard to put
a full price tag on how much it would take to put a reader on every door
and building," he said.
Besides the readers, agencies also must deploy systems capable of
reaching into employee and contractor databases at other agencies so they
can authenticate that a visitor from another agency has a valid card.
"Any card you want to present to me that was issued in the Department of
Defense, I know immediately whether it's a good card or not. I have no
clue for anybody at any other federal agency," said Dixon of the Defense
Agencies also have yet to agree on the systems and approaches they will
use to manage physical access, a process Dixon likened to the videotape
format competition between Beta and VHS 30 years ago. Unless agencies
adopted a common standard — which Defense and GSA have done — it's unwise
to spend precious dollars on systems that may not comply, experts said.
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University