6 smart ways to use smart credentials

President Bush issued a directive last year that will soon change how employees and contractors enter federal buildings and log on to federal computers. The government's implementation of Homeland Security Presidential Directive (HSPD) 12 is based on computer-readable personal identity cards and a governmentwide public-key infrastructure (PKI).

With those technologies, federal officials say, they can prevent almost anyone from accessing federal buildings or information systems with fake identity cards.

But people familiar with the government's implementation of HSPD 12 say that agencies can derive many additional benefits from those technologies. From interviews with nearly a dozen security experts, Federal Computer Week came up with a list of six other possible uses for the secure smart cards and PKI that most federal agencies will have by the end of 2006.

Get control of the devils inside

Several security experts said they expect the Army and some federal agencies to use the new security infrastructure for tracking the activities of service members on military bases or employees in federal buildings, a use that many privacy experts oppose. Most building security and computer systems generate activity logs. The use of a single identity credential to access those systems will make it easier, within established privacy guidelines, "to find out what people are doing and where they're doing it," said J.R. Reagan, managing director of the security and identity management practice at BearingPoint, a business consulting and systems integration company. "There's some of that today," Reagan added.

But cost-effective uses of personnel tracking require a unified security management infrastructure that most military bases and federal facilities have not implemented. HSPD 12 and a related set of specifications known as Federal Information Processing Standard (FIPS) 201 require an infrastructure that could help agencies uncover possible insider threats to data security or data privacy, said Christopher Michael, technology strategist at Computer Associates International.

Such a use of government-issued smart cards would be appropriate, said Phil Libin, president of CoreStreet, which sells electronic identity verification services. "As a private citizen, I want government employees to have these cards," he said. "I want to know that all actions in the government can be logged and audited to give accountability."

Limit access to emergency sites

Smart cards and PKI could help control access to the site of a terrorist attack or another emergency. The Homeland Security Department has announced plans to issue the secure identity credentials to about 200,000 public safety officials in the Washington, D.C., area.

Federal employees trained as first responders could have additional electronic data on their identity cards to indicate their skills, said Randy Vanderhoof, executive director of the Smart Card Alliance, a government and industry group based in Princeton, N.J. "Today, there's no automated means for one who has the proper credentials to gain entrance to an emergency site as a first responder," Vanderhoof said.

Some vendors say they will support first responders' use of FIPS 201 smart cards. Saflink, for example, will provide FIPS 201-compliant middleware for mobile devices that use Microsoft's Windows Mobile 5.0 operating system.

The FIPS 201 standard implemented in phones could be useful "if you needed to know absolutely who you were talking to on the other end," Michael said.

Simplify network access controls

Beyond specialized uses of smart cards for first responders, security experts say they expect federal agencies to use the new infrastructure to simplify access for employees and contractors to secure federal Web sites and software applications, including those that record time and attendance.

"We don't need to think of 'blue sky' applications to recognize the enormous value of doing a better job of leveraging trust," said Steven Worona, director of policy and networking programs at Educause, a technology-oriented higher education group.

For example, rather than remembering a dozen or more user ID and password combinations, people can use their computer-readable identity cards to gain access to secure federal Web sites and applications that accept the PKI-based credentials, said Mary Dixon, deputy director of the Defense Department's Defense Manpower Data Center. That one change "makes it easier for the people who own the Web site because they don't have to manage passwords."

Several vendors, including Computer Associates and Blue Ridge Networks, plan to offer security software that would let agencies gain the security benefits of smart identity credentials even without modifying their secure Web sites and software applications.

Make government e-mail, forms and documents more secure

Secure e-mail, e-forms and e-documents could be another benefit of a uniform governmentwide implementation of smart cards and PKI. In addition to verifying a person's identity, PKI technology can digitally sign and encrypt e-mail, forms and documents, Worona said. "What's held us back from using this technology has been a lack of critical mass," he said.

But the HSPD 12 policy and FIPS 201 standard could change that, he added. Even if the policy requirements never extend beyond the federal government, "the lower cost, the ease of use, the wider availability of good tools to use for identity management will have a tremendously positive effect," he said.

DOD, which has been a leader in using smart card and PKI technologies, has already gained some of those benefits. DOD policy requires employees to digitally sign e-mail messages. "Once we get to the point where a sufficiently high percentage of people are signing e-mail on a routine basis, we can start being a lot more comfortable about rejecting unsigned mail as likely spam," Worona said.

In addition to encrypting e-mail using algorithms embedded in the cards, employees could secure specific document files using their computer-readable identity credentials. When employees put the cards in their computers, they could open and modify the files, said Mark Royle, government marketing manager at ActivCard, which sells digital identity products and services. "Without the card, they'll be locked," he said.

Improve cargo security

Some security experts say electronic identity verification could extend beyond those who create e-mail, forms and documents to anyone who ships sensitive goods and equipment from one federal agency to another. "There are certain scenarios where sensitive cargo is transferred between federal facilities," BearingPoint's Reagan said. For those situations, agencies need "a more robust credential."

Libin said the FIPS 201 infrastructure, if adopted by industry, could be used to verify the identities of drivers of hazardous materials trucks, control access to traffic lights or open cockpit doors on airplanes. "You could create a subway turnstile that uses these cards," he said.

Improve air travel security

Although most additional uses of the infrastructure would likely be to improve security, some of them could make airplane travel or riding the Washington Metropolitan Area Transit Authority system simply more convenient for federal employees and contractors. DHS' Registered Traveler program, when fully operational, will let frequent airline travelers voluntarily undergo additional background checks in exchange for fewer security checks.

"A federal employee could apply for Registered Traveler benefits and have their federal ID card updated, without having to have a separate card issued" for that program, Vanderhoof said. Similarly, federal employees and contractors who use the Washington mass transit system on a regular basis might benefit from having a transit pass added to their federal smart card, he added.

The American Public Transportation Association is working on a standard for reading a smart transit pass in less than 250 milliseconds.

The government's implementation of smart cards and PKI creates a stable platform for launching a number of new applications and improving the security of all federal information systems, said John Moore, a program analyst in the General Services Administration's Office of Technology Strategy and chairman of the Federal Smart Card Project Managers Group. "Everyone has become overly preoccupied with the cost, but on the other side of the equation are the benefits," he said.