Network access made simple, secure

As part of its multifaceted network security strategy, the Army is studying

the ethical and legal implications of replacing personal passwords with

devices that can read fingerprints, recognize voices and faces, and capture

a host of other personal biometric information.

Recently anointed as the Defense Department's executive agent for biometrics

research and development, the Army has created a biometrics security office

under the tutelage of Phillip Loranger, formerly the chief of the Command

and Control Protect Division within the Army's Information Assurance Office.

The Army has taken the lead in researching and developing biometric

security solutions that Loranger said will fill one of the most common network

security gaps: personal passwords.

"Passwords are cool, but passwords are the way we get into systems,"

said Loranger, speaking recently at the annual Army Directors of Information

Management Conference. Loranger demonstrated how easy it is for hackers

to crack password files and gain entry into Army networks.

"Passwords are not you. Biometrics is you," Loranger said. "This is

your finger and no one else's."

The term biometrics refers to the ability to scan and capture a digital

image of a unique human characteristic, such as a fingerprint, and compare

that captured image to a stored image that has been previously determined

to belong to an authorized user. Biometrics can be used in security applications

because qualities such as fingerprints and voice sound waves are unique

to each person.

Congress kick-started the Army's biometrics program when it added $15

million to the service's fiscal 2000 budget. Although the service will need

additional funding for the program this year, prices for biometric verifiers

have fallen drastically.

According to a recent study by Eric Bowman of Identix Corp., the average

price per access point was less than $500, compared with more than $6,000

six years ago. Voice signature verifiers on average cost about $1,000,

while fingerprint and hand geometry devices range from $300 to $1,200, according

to Bowman.

The Army plans to study a wide range of biometric security solutions

to meet its network access and authentication challenge. Initial research

will be conducted on fingerprint, iris, voice and face identification, retina

scanning, handwriting and keystroke analysis, wrist-vein recognition, and

finger and hand geometry.

But initial plans call for the biometrics solutions to be used in conjunction

with a wide array of traditional security technologies, including firewalls

and encryption.

The concern is that one technology cannot provide foolproof assurance

and personnel authentication. For example, one of the challenges facing

the biometrics program is to determine how to differentiate between the

fingerprint of a living human being and from one that is severed — a potential

problem in the reality of the battlefield.

"We believe we need a combination of technology," said Lt. Gen. William

Campbell, director of information systems for Command, Control, Communications

and Computers, who characterized the Pentagon's Non-secure Internet Protocol

Routing Network as "horribly, horribly vulnerable."

The Defense Department's focus on biometrics may be expanding before

it begins. The Defense Advanced Research Proj-ects Agency, for example,

recently began a program known as Human Identification at a Distance, which

seeks to use biometrics to identify not only facial characteristics but

also behaviors. According to Loranger, the goal is to reach the point where

a computer can recognize its owner and turn itself on.