Government has been the driving force in the adoption and use of biometrics. Law enforcement has used fingerprints for forensic identification for more than a century, and more recently the U.S. government has required biometrics for identity management through smart government ID cards. Internationally, governments around the world are adopting biometric standards for passports and border controls.
But a panel of government and industry experts told legislators that biometrics might be poised to take off as a consumer technology. Like so many other recent changes, it could be driven by the evolution and convergence of the laptop and smart phone.
“Acceptance will be driven by providing added value,” said Charles H. Romine, director of the IT Laboratory at the National Institute of Standards and Technology.
And where will that added value come? Stephanie Schuckers, director of the Center for Identification Technology Research, a federally funded cooperative research center, is clear about that. “The killer app is the mobile payment system, and the driver is the customer,” she said. The convenience of using a smart phone or other mobile device for fast, secure transactions will create a market for convenient biometric authentication.
John Mears, a board member of the International Biometrics and Identification Association trade group, said rumor has it that Apple’s new iPhone 5S, which might or might not be released this summer, will come with a fingerprint reader. And if Apple can’t build a market for new technology, who can? With an expected capacity of 128G, the new phone could have the capacity to handle biometric templates.
These statements were made at a May 21 hearing of the House Science, Space and Technology subcommittees on research and technology. Given the rapid expansion of life online and the inadequacy of the current user-name-and-password paradigm, the legislators wanted to know why biometrics hasn’t been adopted more rapidly.
There are a number of reasons. For all of its promise, biometrics still is a maturing technology, and although it is practical it is not yet broadly interoperable. And for all of the recent attention paid to online threats, the public is notoriously unwilling to inconvenience itself in the name of better security.
These things will change, and maybe soon. But the legislators seemed to be working with the assumption that biometrics is rock-solid secure technology. It isn’t. There are weaknesses, trade-offs and concerns, just as with all forms of identity verification.
The experts pointed out that for a biometric, such as a fingerprint or a voice analysis, to be effective it must be unique (or close to it) and persistent. And although agencies have been using biometrics for decades, to date there is precious little research on just how unique and unchanging these features are. This is necessary before those accepting biometrics can decide if the features provide the level of certainty they require for a given purpose.
And despite the common idea that a biometric is absolute, matching has always been on a “close enough” basis. Maybe no one else has your fingerprint, but print-matching applications use only a sampling of data picked up from a reader and stored in a template. How detailed that data is, and how closely two scans must match in order to be accepted, depends on the level of security an application requires. More security requires more computing capacity, more expense and possibly more inconvenience.
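As an added illustration (not part of the original column, and not the code of any real matcher), the following toy Python model shows why a biometric match is a score-and-threshold decision rather than an exact comparison, and what moving the threshold does to the two error rates an application has to balance. Everything in it is constructed: the synthetic “minutiae” points, the capture noise, the distance and angle tolerances and the thresholds are all assumptions chosen for illustration.

```python
import math
import random


def match_score(enrolled, probe, dist_tol=6.0, angle_tol=0.3):
    """Fraction of enrolled minutiae that have a probe minutia within tolerance.

    A template is a list of (x, y, angle) triples.  This is the "close enough"
    comparison: nothing has to line up exactly, it only has to fall inside the
    tolerance window (dist_tol and angle_tol are assumed values).
    """
    if not enrolled:
        return 0.0
    hits = 0
    for x, y, a in enrolled:
        for px, py, pa in probe:
            if math.hypot(x - px, y - py) <= dist_tol and abs(a - pa) <= angle_tol:
                hits += 1
                break
    return hits / len(enrolled)


def accept(score, threshold):
    """Decision policy: the application picks the threshold, not the sensor."""
    return score >= threshold


def synthetic_finger(rng, n_points=40, size=200.0):
    """Constructed ground-truth minutiae for one finger (illustration only)."""
    return [
        (rng.uniform(0, size), rng.uniform(0, size), rng.uniform(-math.pi, math.pi))
        for _ in range(n_points)
    ]


def capture(rng, finger, keep=0.85, jitter=1.5, angle_jitter=0.05):
    """One scan of a finger: some minutiae are missed, the rest are jittered.

    Two scans of the same finger never yield identical data, which is why
    matching is score-and-threshold rather than byte-for-byte equality.
    """
    out = []
    for x, y, a in finger:
        if rng.random() < keep:
            out.append((x + rng.gauss(0, jitter), y + rng.gauss(0, jitter),
                        a + rng.gauss(0, angle_jitter)))
    return out


def error_rates(threshold, n_people=30, trials=5, seed=7):
    """Estimate false-reject and false-accept rates at one threshold.

    Genuine attempts: a fresh capture of the enrolled finger.
    Impostor attempts: a capture of another person's finger against the
    same template.  Returns (FRR, FAR).  The seed fixes the constructed
    population so that every threshold is scored on identical data.
    """
    rng = random.Random(seed)
    fingers = [synthetic_finger(rng) for _ in range(n_people)]
    templates = [capture(rng, f) for f in fingers]  # enrollment scans
    false_rejects = false_accepts = 0
    for i, finger in enumerate(fingers):
        other = fingers[(i + 1) % n_people]
        for _ in range(trials):
            if not accept(match_score(templates[i], capture(rng, finger)), threshold):
                false_rejects += 1
            if accept(match_score(templates[i], capture(rng, other)), threshold):
                false_accepts += 1
    attempts = n_people * trials
    return false_rejects / attempts, false_accepts / attempts


def tradeoff(thresholds=(0.0, 0.3, 0.5, 0.7, 0.8, 0.9, 0.95)):
    """Sweep the threshold: a stricter setting lowers FAR and raises FRR."""
    return [(t,) + error_rates(t) for t in thresholds]


if __name__ == "__main__":
    print("threshold    FRR     FAR")
    for t, frr, far in tradeoff():
        print(f"{t:9.2f} {frr:7.3f} {far:7.3f}")
```

Running it prints one row per threshold. At a permissive setting every impostor gets in (FAR of 1.0 at threshold 0); at a very strict one nearly every legitimate user is turned away (FRR close to 1.0 at 0.95), which is the “more inconvenience” the column refers to. Real matchers align ridge structure far more carefully and tune thresholds on measured score distributions, but the decision they hand the application is the same kind of score-against-threshold trade-off.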
None of this means that biometrics can’t be a big improvement over user names and passwords. But once the technology matures organizations still will have to decide what levels of risk they are willing to accept in given situations and what expense — in terms of money, time and resources — they are willing to trade for it.
Posted on May 23, 2013 at 6:45 AM
Chicago newspaperman Edward H. Eulenberg is credited with telling young reporters, “If your mother says she loves you, check it out.”*
Good advice, not only for skeptical journalists but also for anyone who is getting information through social networking platforms such as Twitter. Case in point: April’s AP tweet, following a hack, announcing explosions at the White House that caused momentary free fall in the stock markets.
In the end it was no big deal; the news was refuted, stocks rebounded, tragedy averted. But the incident underscores the risks of relying on social media for uses they are not designed and maintained for, especially in the face of growing threats targeting almost anything and everything that is online.
“People shouldn’t be surprised that social media is being attacked,” analyst and former government security official Mischel Kwon said recently. “But they are surprised.”
We are surprised not so much because these platforms are being attacked, but because we have become so sensitive to them. Over the past five years they have moved from casual amusements to being essential tools for businesses and even government. A Google search of the phrase “follow us on Facebook” (admittedly not a scientific method) returned about 3.6 million responses in the .gov domain. The Marines have published a guide for “Building Your Presence with Facebook Pages.”
There is nothing necessarily wrong with this, but it would be wise for agencies — and everyone else — to remember that these platforms were not developed as mission applications and probably are not being maintained with the security that the Marines, for instance, would expect in their own systems or would require of a contractor hosting an official site. The AP Twitter hack appears to have been a simple user-name-and-password breach, and the results of using Twitter as a news feed were at the very least embarrassing for both the AP and those who believed the tweet. (Interestingly, the first item on the AP Twitter feed when I checked the morning I wrote this was “Syria's pro-Assad hackers hack and hijack Financial Times blogs, Twitter feeds.”)
As a marketing and public relations tool, social networks can easily backfire. As a means for disseminating official information, they could be disastrous if not adequately secured.
So use social networks with a healthy dose of skepticism. If your mother tweets that she loves you, check it out.
*In the interest of skepticism, it should be pointed out that Mr. Eulenberg claimed that this was a misquote. In his 1988 obit in the Chicago Sun-Times, he is quoted as having said, “I never said that. What I said was, `If your mother tells you she loves you, kick her smartly in the shins and make her prove it.’” Sometimes it seems as if you can’t trust anyone.
Posted on May 20, 2013 at 4:24 AM
Many state and local networks and IT systems are unprepared for cyberattacks, as the CIOs overseeing them struggle to make do with strained budgets and static or shrinking staffs.
The results of a recent survey by Consero of chief information officers of states, counties, cities and towns are hardly surprising, but hardly comforting, either.
“I wasn’t shocked by anything, but I was disturbed by the cybersecurity numbers,” said Paul Mandell, CEO of the company, which conducted the survey of public IT officials in February. “The numbers were troubling.”
The survey contains results from only 36 officials, and Mandell acknowledges that they are anecdotal rather than statistically significant. But the respondents represent a small cross section of state and local government, with CIOs from states including Oklahoma and Idaho; counties from Riverside Co., Calif., to Prince William, Va.; cities from San Diego to Rochester, N.Y.; and agencies from the Wyoming DOT to the Fire Department of New York.
“There was quite a bit of frustration and concern about the need to do what had to be done and the inability to get the resources they need,” Mandell said of the gathering.
That frustration is reflected in the CIO’s strategic planning goals. Fifty-five percent of respondents said their greatest impediment to doing their jobs is a lack of financial resources, and the top priority for 41 percent was simply working within budgetary constraints.
As a result of these pressures, 44 percent said that their IT infrastructure is not adequately prepared for cyberattacks, and 28 percent said they had experienced a security breach in the last 12 months. It is tempting to say that the 56 percent who feel they are adequately protected and the 72 percent who have not been attacked are being overly optimistic. With no uniform requirements for state and local government to report breaches, it is impossible to say what the actual level of malicious activity in their systems is.
The officials at the Consero conference were looking for more than a sympathetic ear to share troubles, Mandell said. They were looking for strategies to improve their lot. “The focus was on communication,” he said; “bridging the gap between their needs and the level of knowledge in those making budgetary decisions.”
Bridging that gap is not easy. The politicians who hold the purse strings do not want to be lectured by techies about routing tables and deep packet inspection. It turns out that those CIOs who are best at advocating for their budgets are not necessarily those who are best versed in the bits and bytes of their systems, but those with experience in the business world who use their well-learned politesse in dealing with the establishment.
One bright spot in the survey is that the lines of communication are open. State and local CIOs report to a variety of officials, including chief financial officers, boards of commissioners and city managers, but 86 percent of them felt that they had sufficient access to executive leadership.
That’s a start.
Posted on May 15, 2013 at 7:20 AM
Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: “Are you satisfied that where you are is good enough? Do you understand the risk?”
Too often, he says, federal C-level officials do not know if their security is adequate because they do not understand the risks they face and what the risk tolerance of their agencies should be. And too often, they are content to remain that way.
The issue of understanding and managing IT risk takes on greater significance with the growing emphasis on automating security. Security professionals, system administrators and agency executives have been fighting a battle over IT security vs. regulatory compliance since the passage of the Federal Information Security Management Act of 2002. Critics of the act — or at least of how it has been implemented — say that an emphasis on grading agency performance based on compliance scores has undermined efforts to improve security. With the introduction of tools to monitor systems, respond to incidents and report on status, there is a chance to finally settle the battle in favor of security.
The question, said Scanlon, is “are we going to automate compliance or automate risk management?”
Speaking at a cybersecurity conference hosted by (ISC)2, Scanlon said that FISMA was never intended to be about compliance. The opening paragraphs of the act spell out that its intent is to “provide a comprehensive framework for ensuring the effectiveness of information security controls,” and “. . . provide effective governmentwide management and oversight of the related information security risks . . . .”
So why the emphasis on paperwork and reporting rather than managing risk over the last 11 years? Compliance is easier to measure. Reports from auditors and inspectors general have given congressional overseers an easy way to grade agencies, either with an A, B . . . F report card or a green-yellow-red dashboard.
The C-level executives who must report to Congress have embraced this. Their approach to IT security, Scanlon said, is, “get the IG off my back.”
Al Seifert, CEO of MSB Cybersecurity and formerly security officer for the Defense Department’s Global Command and Control System, called FISMA a “noble endeavor” that has not fulfilled its promise.
“We are not collecting the metrics we need to ensure that our security is working,” he said. “Everybody fears the auditor.”
Security automation still is rudimentary and focused on compliance reporting, Seifert said. But the technology exists to do better. The Homeland Security Department’s Cyberscope reporting system and the growing list of commercial tools that support the Security Content Automation Protocol make it possible to focus on real risk rather than merely playing the compliance game.
Risk management ultimately is a business decision that must be made at the CIO or CEO level of an agency, not by the IT people in the security shop, Scanlon said. Because security is not perfect, the level of acceptable risk must be determined based on an agency’s business and mission needs. Then it is up to the security people to manage that risk.
Posted on May 09, 2013 at 6:05 AM