Feds get carded

Two years ago, smart cards were something of a novelty for federal agencies. But times have changed, and the events of Sept. 11 have boosted their worth as a tool for tightening security and providing a way to control access to buildings and computer networks.

New laws are adding to the urgency. For example, the Border Security Act, signed by President Bush in May, mandates development of a machine-readable, tamper-resistant biometric method of monitoring foreigners as they enter and exit the country. Smart cards are likely to be the only feasible way of doing that by the October 2004 deadline.

And technical developments are pushing aside some past objections to smart cards. Late last month, the National Institute of Standards and Technology published an interoperability specification described by some as the cornerstone of future government smart card programs. If adopted by agencies, the specification will enable different vendors' cards and readers to work with one another, which is seen as an important step in convincing agencies to use the technology.

Still, doubts persist. Slow buy-in by top agency managers, concerns about costs in an era of ever-tightening budgets and suspicions about the reliability of the technology have so far kept a lid on what might otherwise have been a rapid deployment of smart cards.

"I do think the rate of interest has increased after Sept. 11, but the knowledge level [about smart card technology] is marginal at best," said Mike Brooks, director of the General Services Administration's Center for Smart Card Solutions. "We are working on educating people on the attributes of [smart cards] and about the multiple applications that can be put onto them."

Because smart cards include relatively powerful microprocessors and some local memory, they can work with agency applications while carrying such information as biometric identifiers of the card's user and digital certificates that can be used with an agency's public-key infrastructure.

Many agency officials say they would move to smart cards if they had the money, said Mickey Femino, director of GSA's Center for Innovative Business Solutions. "Otherwise, they have to take the funds from current line items, and then it becomes difficult. Beginning pilot programs is easy, but to fully develop programs, they need to see the [specific] dollars in their budgets."

Brooks said GSA officials are working to convince agencies of the long-term savings smart cards will bring so that they will be less reluctant to redirect current resources to fund a smart card program.

Problem Solved

Nevertheless, Brooks feels the tide is turning. "Before Sept. 11, smart cards were a solution looking for a problem," he said. "We have the problem now, and we need to promote the use of smart cards as one of the tools people can put into their security toolbox."

A report from GSA's Office of Electronic Government shows that agencies have issued slightly more than 1.4 million smart cards and projects that usage will increase to more than 4.3 million cards during the next year or so. The report covers programs at 24 agencies, ranging from large military deployments to small-scale pilot programs such as the one under way at the U.S. Patent and Trademark Office.

USPTO had 15 cards in use when the research for the report was conducted, but officials expect to reach a full deployment of around 8,500.

The biggest government project is the Defense Department's Common Access Card (CAC) program, designed to provide a new military identification card and a means for securing access to military facilities, computers and networks. More than 800,000 cards have already been issued, and plans call for a total of up to 4.5 million to be issued by the end of 2003.

The scope of the program is truly global, with around 900 sites in 13 countries involved in issuing the cards. But the program is nearly a year behind schedule, mainly because of problems associated with handling such a widely distributed system rather than issues with the technology itself, according to Gordon Hannah, a spokesman for the CAC program.

"The initial goal was aggressive and deliberately so, in order to keep people moving along," he said. "The bad news is that we haven't been able to expand it as quickly as we would like, but some negative issues in a program of this size are inevitable. And going from the initial tasking to converting all of the issuance workstations in around a year is really working at Internet speed for a government agency."

As many as 13 million smart cards could end up being issued under the program. The final number will be determined by such factors as how many military family members are also DOD employees and how many military retirees still need access to facilities. However, there is no formal requirement to go beyond the initial target population of around 4 million, Hannah said.

On a smaller scale, State Department officials began looking at smart card technology more than seven years ago. They are in the process of capturing photographs and data on the 20,000 employees in the department's National Capital Region for cards that will be used to gain access to the department's buildings. That project should be completed by the end of July.

However, the cards have always been intended for other uses as well, said Lolie Kull, program manager for the Bureau of Diplomatic Security's smart card project. State's PKI office will place digital certificates on more than 2,000 cards by the end of the year, she said, and a number of programs under consideration would use the cards for access to computer systems. Eventually, all State employees will use smart cards.

Culture Change

Perhaps the hardest part has been getting buy-in from the department's upper management. There has been interest, "but no strong support," Kull said. "So far, it's been a difficult way to do this. We've had to justify all of our steps, why we needed more money for this and that, and so on."

She believes a cultural change is necessary if State is to make full use of smart cards' capabilities, and that could take five years.

But a slow approach might be the right way to go, according to Randy Vanderhoof, acting president and chief executive officer of the Smart Card Alliance, an industry organization.

"We are very pleased at the aggressive position the government has taken to stop researching [smart cards] and actually start putting them in place," Vanderhoof said. "And the proof that it can be done and done effectively is the DOD CAC program."

But he feels agencies might be moving too fast. "I am not in favor of getting the technology out there just to get it in place quickly," he said. "I think the government is doing what it can to get the pieces in place, but there needs to be a way to get it done in a decent fashion so that things work well and policy decisions can keep up with the technology deployments. Otherwise, we could have public relations problems."

Although none of the programs under way at agencies were begun as a result of the events of Sept. 11, most of them were affected by them; if nothing else, the terrorist attacks prompted a change in the initial focus of existing smart card programs. Most now stress the initial use of smart cards for physical access to buildings.

One program that is a direct result of the terrorist attacks is the Transportation Worker Identification Card (TWIC) initiative at the newly formed Transportation Security Administration. TWIC, which will begin with several pilot projects this fall, will be used as an ID and building access card by workers at airports, seaports and other transportation hubs. Eventually, TSA could issue up to 13 million cards.

The Federal Aviation Administration has issued a request for proposals for a smart card program that will serve as the initial pilot project for the TWIC effort. That pilot project will last for about nine months, said Michael Brown, director of the FAA's Office of Information Systems Security. Officials will begin procuring cards for agencywide distribution shortly afterward, with the goal of issuing smart cards to the FAA's 50,000 or so employees and a similar number of contractors.

Problems may still lie ahead for this and other programs, but most observers agree that there is no longer any question about whether smart cards have a future in North America, and the U.S. government is leading the way.

"It was the case several years ago that we saw the government was moving but just not fast enough," said Paul Beverly, vice president of smart cards at SchlumbergerSema, one of the world's major suppliers of smart cards, and chairman of the board at the Smart Card Alliance. "But over the past year, I think the government has taken a real leadership role."

However, inertia is a problem at many agencies, according to GSA's Femino. Although the terrorist attacks have pushed officials to reconsider their approaches to security, many agencies already have systems in place and question why they should change them, he said.

According to Brooks, one solution could be an executive order requiring agencies to adopt smart card technology, along the lines of what the DOD brass did for that department's smart card program. In fact, officials from GSA and other agencies with a strong interest in smart cards recently visited the Office of Management and Budget to make their case for having the Bush administration issue such an order.

OMB officials will say only that they are reviewing the need for a public statement on the use of smart cards by government agencies. Brooks is more confident and predicts "an 80 percent chance" that such an order will be issued soon.

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com.