Analysts are split on TWIC
Some claim flaws in credential security, while TSA and others back the program
- By Wilson P. Dizard III
- Feb 03, 2007
With the Transportation Security Administration getting ready to start issuing smart identification cards to port workers in March, a noisy debate is rising over the preferred technology for the project.
Government and industry experts are disputing claims that the Transportation Worker Identification Credential, as it stands now, is subpar.
Sources close to the program have said there are distinct concerns over the security of the TWIC cards, their response speed, communication among various vendors' TWIC systems and the relation of TWIC credentials to other IDs.
This disagreement comes as TSA continues to collect industry viewpoints about how to move forward with its port security credential.
'I am chairing a working group to develop technical specifications for the next generation of TWIC readers,' said Lisa B. Himber, vice president for the Maritime Exchange for the Delaware River and Bay. The working group falls under the National Maritime Security Advisory Committee.
'The recommendation that we are debating and hope to finalize calls for a three-second response time,' Himber said, referring to one area where opinions on the effectiveness of TSA equipment have differed sharply.
The continued uncertainty about TWIC's technology choice comes on the heels of TSA awarding a $70 million contract to Lockheed Martin Corp. to deploy the cards by establishing enrollment centers. The centers will collect biographic information and fingerprints to conduct a security threat assessment and produce the biometric credential.
The long-delayed TWIC project is intended to furnish smart cards to workers at ports and other transportation hubs, closing off terrorists' access.
As the TWIC story develops, additional sources have chimed in with perspectives on potential weaknesses in the credential production process.
For example, they have suggested that the Corbin, Ky., facility where DHS plans to provide the 'personalization' function to link the cards to the persons using them might not have sufficient quality control. The sources pointed out that the facility lacks the International Standards Organization 9000 certification by which such facilities routinely assure quality control.
The plant is located in the district of Hal Rogers, former chairman of the House Appropriations Homeland Security Subcommittee. That fact has attracted some skeptical comment in public circles, while Rogers has rejected any criticism of the facility and the choice of its location in rural southeastern Kentucky.
TSA officials say they are reviewing the ISO-9000 matter and have implemented quality controls at the plant.
But the real issues with the TWIC program concern the current technology and management approach.
TSA and industry organizations supporting this approach have joined to reject criticism by sources close to the project.
TSA officials presented point-by-point rebuttals of statements reported earlier on GCN.com about the TWIC cards' security and durability. The flaws could expose the cards to counterfeiting and rapid failure, and facilitate their use as 'breeder documents' to help illegally obtain authentic secure credentials, the sources said.
Although the final TWIC technology regulation has not yet been completed, an agency spokesman responded to the criticism:
- The TWIC cards will contain multiple security features specified by the National Institute of Standards and Technology's Federal Information Processing Standard 142 and other standards that will make them hard to counterfeit. The sources questioning the project said the low number of security measures, among other shortcomings, wouldn't slow sophisticated counterfeiters.
- The cards will meet NIST's Personal Identity Verification standards for Homeland Security Presidential Directive-12 cards and other standards for physical and electronic security.
- Rather than failing at a rate of 25 percent to 50 percent, as sources with knowledge of the process have stated, a TSA spokesman said he had been told the failure rate would be less than 1 percent.
- The card-reading delay, rather than lasting up to nine minutes as testing has shown, will be a matter of seconds.
- TSA plans to specify card stock that will assure the reliability of the card and that its authentication features will meet appropriate industry standards.
- TSA does not have current plans to issue TWIC cards to U.S. contractors overseas, invalidating assertions that TWIC cards issued overseas would not be secure.
- The card would contain a fingerplate template, and a breakdown in telecommunications links, caused for example by widespread storms, would not snarl the identification function.
- The agency went on to reject assertions that contract winner Lockheed Martin Corp. had lowballed the price, stating that the project's competitive bidding method had reduced the likely cost of the cards from between $139 and $159 to a level of $137.25. Industry sources had suggested that TSA might have fallen for a 'bait and switch' tactic.
TSA had expected to pay $100 million to $110 million for the work. Lockheed Martin's winning bid came in at $70 million. BearingPoint Inc. of McLean, Va., bid $87 million, sources said.
Despite the fact that TSA rejected criticism of TWIC, technology for the cards still appears to be a work in progress. Port officials and executives continue to provide technical advice to TSA about the system's final specifications.
'As far as we are concerned, the technology has not even been selected yet,' said George Cummings, the homeland security director for the Port of Los Angeles.
DHS already has run small pilots in Los Angeles and at other ports around the country. Cummings is negotiating with TSA the specifics of a field trial of TWIC cards that likely will involve thousands of units.
If the credentials' authentication measures fail, the cards will revert to a flash-pass mode and provide minimal security, sources close to the program have said. When that happens, illegal aliens and terrorists could use the TWIC cards to obtain 'Real ID' driver's licenses, the sources said.
The Smart Card Alliance also issued a letter condemning the criticism of the TWIC program and making points similar to TSA's.