With a single sentence at an industry event in Washington, Defense Department CIO Terry Halvorsen made big news that affects millions of people: "We are embarking on a two-year plan to eliminate [common access cards] from our information systems," he said June 14.
Terry Halvorsen, DoD CIO, gives a keynote address at the Department of Defense CIO Cloud Industry Day: Collaboration for Secure Cloud Partnerships, held in Washington, DC on Jan. 29, 2015.
Photo Credit: Alan Lessig/Staff
The CAC, as it's more widely known, is issued to everyone granted authority to access DoD systems and facilities, whether they're military, civilian or contractor personnel. That includes nearly 3 million cards issued last year, and more than 20 million issued over the past decade, according to the Defense Manpower Data Center.
It's also critical in sharing information between international partners, including NATO and the so-called "Five Eyes" or FVEY, the intelligence alliance between the U.S., Canada, United Kingdom, Australia and New Zealand.
"We are looking broadly at innovation in the authentication area across industry and government. We want device-agnostic agility; the ability to identify a user, even if a device is lost; and a consistent approach to identity credentialing among our allies," said Lt. Col. James Brindle, DoD spokesman. "And we are working closely with our NATO and FVEY partners on this consistent approach to credentialing. As we evaluate our options, we will provide more information later this summer or early this fall."
The move away from the CAC is driven by change: in the threat landscape, in authentication technology, and in the need to reach Pentagon systems and information from geographically scattered locations, among other factors.
"Frankly, CAC cards are not agile enough," Halvorsen said, according to Federal News Radio. "It's really hard to get you a CAC card when people are dropping mortar shells on you and you need to get into your system. That doesn't work."
Instead, Halvorsen said Pentagon officials are looking into hybrid authentication, a "true multi-factor" approach that would combine factors such as biometrics, behavioral analytics and passwords.
"If I structure it right, I could build the behavior pattern of that person's identity. We can like it or not, but one of the best ways for me to check security is to see if their behavior pattern has deviated," he said. "So some of the things we are thinking about is some combination of behavioral, probably biometric and maybe some personal data information that is set for individuals. There are other thoughts like iris scans. All of those are doable today."
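One way to make the "deviation from the behavior pattern" idea concrete is a risk-based step-up check: a user's past sign-ins form a baseline, a new sign-in is scored by how far it departs from that baseline, and the score decides whether the usual factors suffice or an additional factor (a biometric, say) must be demanded. The Python below is an added example written for this page; it is not code from the article, from DoD or from any vendor, and the sign-in history, device and site identifiers, weights and thresholds are all constructed assumptions.

```python
"""Hypothetical risk-based step-up authentication (added example).

A per-user baseline is built from prior sign-ins; a new sign-in is scored
by deviation in time of day, device and location, and the score maps to
allow / step-up / deny. Data, weights and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class SignIn:
    hour: int        # local hour of day, 0..23
    device_id: str   # identifier of the authenticating device
    location: str    # coarse location, e.g. a site or country code

# Constructed sign-in history for one user (assumption, not real data):
# office hours, one primary laptop, one phone sign-in, all from one site.
HISTORY: List[SignIn] = [SignIn(h, "laptop-7f3a", "US-VA") for h in (8, 8, 9, 9, 9, 10, 17, 18)]
HISTORY.append(SignIn(12, "phone-1c22", "US-VA"))

MIN_HISTORY = 5          # below this the baseline is too thin to trust
W_TIME, W_DEVICE, W_LOCATION = 0.2, 0.4, 0.4   # assumed weights, sum to 1.0
ALLOW_BELOW, DENY_AT = 0.25, 0.65              # assumed thresholds

def hour_distance(a: int, b: int) -> int:
    """Shortest distance between two hours on a 24-hour clock (0..12)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_score(history: Iterable[SignIn], event: SignIn) -> float:
    """Deviation of `event` from the baseline, 0.0 (typical) to 1.0 (novel)."""
    hist = list(history)
    if len(hist) < MIN_HISTORY:
        raise ValueError("baseline too thin; use assess() which handles cold start")
    # Time of day: distance to the nearest hour previously seen, scaled to 0..1.
    nearest = min(hour_distance(event.hour, h.hour) for h in hist)
    time_dev = nearest / 12.0
    # Device and location: 0.0 if seen before, 1.0 if never seen.
    devices = Counter(h.device_id for h in hist)
    locations = Counter(h.location for h in hist)
    device_dev = 0.0 if devices[event.device_id] else 1.0
    location_dev = 0.0 if locations[event.location] else 1.0
    return round(W_TIME * time_dev + W_DEVICE * device_dev + W_LOCATION * location_dev, 3)

def decide(score: float) -> str:
    """Map a deviation score to an authentication decision."""
    if score < ALLOW_BELOW:
        return "allow"      # the usual factors (e.g. PIN + possession) suffice
    if score < DENY_AT:
        return "step-up"    # demand an extra factor, e.g. a biometric
    return "deny"           # far outside the baseline; refer to a human

def assess(history: Iterable[SignIn], event: SignIn) -> str:
    """Full decision, including the cold-start case of too little history."""
    hist = list(history)
    if len(hist) < MIN_HISTORY:
        return "step-up"    # no trustworthy baseline yet: always ask for more
    return decide(risk_score(hist, event))

if __name__ == "__main__":
    for ev in (SignIn(9, "laptop-7f3a", "US-VA"),    # typical: allow
               SignIn(9, "kiosk-00e1", "US-VA"),     # new device: step-up
               SignIn(2, "kiosk-00e1", "DE")):       # new device, new site, 2 a.m.: deny
        print(ev, "->", assess(HISTORY, ev))
    print(assess(HISTORY[:2], SignIn(9, "laptop-7f3a", "US-VA")), "(cold start)")
```

The point of the structure is that the behavioral score is not itself a factor: it only decides how many factors to demand. Real deployments weight attributes by recency and frequency rather than the seen/unseen test used here, and keep the thresholds tunable, since a baseline built from too few events (the cold-start branch) says nothing reliable about the user.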
In fact, many of those things already are taking shape in other corners of the government. In the intelligence community, leaders are exploring the use of bio-markers that would authenticate the identity of users attempting to access data, according to Michael Mestrovich, technical director of the CIA's technical services office.
"We have In-Q-Tel working on a whole bunch of biometric authentication mechanisms," Mestrovich said at an event in April, pointing to technologies like FitBit that can monitor biofeedback and potentially provide derived credentials based on bio activity. "They measure your breaths per minute, they measure your pulse, they can give you an electrocardiogram. So they can pretty well, within a pretty good error rate, determine from your biometrics – how you're actually breathing, how blood is flowing through your brain – that you are who you say you are. And they can actually use that to give you a credential and authenticate you."
It sounds practically hack-proof, though it is not: a biometric is a measurement rather than a secret, so it can be spoofed or replayed and, unlike a card or a password, cannot be reissued if a template leaks, which is why such signals work best as an additional factor rather than the only one. Still, in an era of near-constant IT breaches, biometric-based authentication is an area ripe for federal pursuit. But the government will have to get out of its own way to get there; that is, rules about technology will have to change. The Pentagon has only in recent months allowed public Wi-Fi in the building, and many areas do not permit cell phones, FitBits or any other electronic devices in certain rooms. Biometric monitoring will require policy and acceptance to go considerably further.
"The downside is [biometric authentication is done] through Bluetooth technology, so we've got to not only get over the wireless capabilities but move beyond that, because everything that's coming from a biometrics perspective is being enabled through Bluetooth technology," Mestrovich said. "I think that's the next front for us right now."