The Department of Defense's Business Case for Smart Card Technology

The Department of Defense (DoD) is implementing smart card technology as its identification (ID) card for active duty uniformed services personnel, members of the Selected Reserve, DoD civilian employees, and eligible contractors. The new ID card is called the Common Access Card, or CAC. Beta testing of CAC issuance and functionality is currently taking place in over 16 locations, both in the United States and at overseas installations. First and foremost, the CAC is an approved and authorized DoD ID card. Some versions of the CAC also serve as the U.S. Geneva Conventions ID card. Current uniformed services Geneva Conventions ID cards will be replaced by CACs as the current cards expire or as replacement otherwise becomes necessary. Figure 1 shows a sample, front and back, of the new Armed Forces of the United States Geneva Conventions ID card.

Because it supports identification, physical access, and logical access functions, the CAC looks different from previous identification cards. First, it is white, not green. (But certain populations will receive CACs with color stripes for visual identification.) Second, the front has a vertical orientation with a color photograph. Third, the CAC contains a lot of media: a traditional bar code, a two-dimensional bar code, a magnetic stripe, and an integrated circuit chip. The bar code media provide backward compatibility for existing ID-card-enabled applications. The magnetic stripe is intended primarily for physical access (in support of DoD's physical access standard), but could also be used for financial applications. The intent is, in the future, to migrate applications supported by bar code and stripe media to the chip, while developing additional applications primarily to interface with the chip. One of the most immediate challenges is ensuring that this card becomes recognized worldwide as the valid DoD ID card.
This conversion is a formidable undertaking with aggressive goals and objectives. Not only is the CAC being issued to populations that didn't previously receive a standard DoD identification card, but also the technologies on and supporting the CAC are significantly advanced. The functionality provided by the CAC goes beyond the traditional role of identification (to include delivery and receipt of benefits and privileges). It serves as the primary token for DoD's Public Key Infrastructure (PKI) [1] digital certificate rollout, and it functions as a badge that can be used for physical access to buildings and controlled areas. In supporting these multiple functions (especially the PKI) on a single platform, the CAC is the centerpiece of DoD's business case for smart card technology. Combining the three core functions of identification, physical access, and logical access on a single platform breaks new ground within DoD. It also demands approaches to development and funding different from those used in the past.

What Are Smart Cards?

Smart cards are credit-card-size devices normally carried and used by personnel. The cards contain one or more embedded integrated circuit chips (ICC). They may also employ one or more of the following technologies: magnetic stripe, bar codes (linear or two-dimensional), noncontact and radio frequency transmitters, biometric information, encryption and authentication, and photo identification. The chip essentially is a small computer, without a monitor or power supply, that is capable of storing and processing several thousand bytes of information. Smart cards have been around since the 1970s and have seen significant popularity and growth in Europe and Asia, first primarily as (public) phone (stored monetary value) cards, and today as an integral component of the Global Subscriber Mobile (GSM) market, known as the Subscriber Identity Module (SIM). GSM is the predominant mobile communication standard in those areas of the world.
The SIM provides access control to networks, service personalization, branding and advertising to subscribers, and, if desired, carrying information between different mobile phones. Other applications for smart cards today include financial (banking), mass transit, health card, identification/authentication, and electronic benefits transfer. Smart cards have experienced recent growth in the United States in the credit card industry--first with American Express's Blue and later with a Visa-sponsored smart card implementation. Fielding a smart card infrastructure (especially card readers and/or point-of-sale devices) is a large and expensive undertaking for which, until recently, there has been no business case. Smart cards can add security for transactions that take place with a card not physically present at the point of sale, for instance, Internet shopping. In a recent study, over 50 percent of credit card fraud reportedly took place over the Internet, which accounted for only 2 percent of total transaction revenue. [2] Moreover, the risk is higher for merchants conducting business over the Internet. A July 2000 survey on Internet e-tailing by the Gartner Group [a technology and research firm] found that 2.6 percent of Internet transactions result in charge-backs to merchants from either customer disputes or fraud. Further, the survey found that merchants pay fees that are 66 percent higher for Internet transactions than they pay for in-store transactions. Under the card-not-present rules that govern Internet transactions, merchants absorb the full costs of charge-backs. In addition, it generally is understood that a technology upgrade is needed from the current magnetic-stripe-based credit and debit cards used extensively in the United States in order to enhance security and deploy a platform that can provide a better dynamic capability over time. Smart cards generally have followed Moore's Law with increasing memory and processing power.
[3] Today, smart cards have grown from basic data storage devices to capable computing platforms and are supported by Microsoft, Sun Microsystems, and the MasterCard/MAOSCO Consortium, all of which have developed specific operating systems for smart cards (that is, Windows for Smart Cards, JavaCard [TM] and MULTOS, respectively). Visa is also linked closely with smart card technology, given its support of the Global Open Platform, an open specification for secure financial applications and card management with smart cards. Smart card standards and specifications have evolved slowly, but are now at a point where large-scale implementations are taking place. One of the largest smart card implementations to date in the United States, DoD's CAC is an advanced smart card with a 32K Java [TM] Virtual Machine and cryptologic co-processor ICC capable of generating private keys that never leave the CAC. This is a strong security model for the protection of digital certificates, providing clear advantages over software-based tokens, such as floppy diskettes, onto which the key material must be transported and downloaded. Though not currently employed on the CAC, contactless smart cards are also available that do not need to be inserted into a reader--they simply can be waved in the proximity of a reader to conduct a transaction, such as a purchase or gaining access. Smart cards that have biometric sensors on the card, capable of comparing a human feature--such as one's fingerprint--to a known template, also are in development.

Smart Card Pilot Applications in DoD

DoD has been conducting demonstrations, pilots, and studies of smart card and other automated information technologies for several years. In those evaluations, smart cards clearly have shown cost savings, mission enhancements, and improvements in quality of life for Service members.
Early applications have included manifesting and tracking of personnel, food service, deployment readiness, property and weapons issuance and control, attendance and mustering, training and qualifications, immunizations, stored (monetary) value, and dental treatment. Most of these applications have been tested at the Service level in specific locations, such as initial-entry training facilities and on the island of Oahu, Hawaii. Oahu was selected because the proximity of installations of all Services offered a ready-made joint environment for testing. These demonstrations also have illustrated the innovation of personnel, at the installation level, who have developed applications by reengineering current business processes. Many of these demonstration sites have self-funded the continued use of smart card applications beyond their pilot periods, indicating strong user loyalty and acceptance.

DoD has learned a great deal from conducting these pilots and demonstrations. Among the benefits of smart card technology over other automated information technologies are its support by industry and its general worldwide acceptance. This has spawned an increase in card capabilities, with prices of cards and supporting peripheral equipment (such as card readers) decreasing over time. Experience has proven that the key ingredient for a successful smart card application is using the technology as an enabler for business process reengineering. Without this business-based approach, the deployment of smart cards basically would be a technology insertion, providing little or no added value. Introducing smart card technology into business processes, however, has an automating and a streamlining effect. Take, for example, the food service application that has been piloted.
The first step in using smart cards for food service was to provide a patron's authorization to eat in a government dining facility. This was done using a meal entitlement code, which basically identifies whether the individual is entitled to eat at government expense. This smart card application automated the check-in process, significantly decreasing and even eliminating the long lines that previously formed because each individual was required to manually enter information and sign a registration form for each meal. Some dining facilities are considering using smart-card-enabled turnstiles for completely automated access. Also previously supporting this process was a local infrastructure to create, issue, and manage a meal card for those personnel entitled to eat at government expense. So, initially, smart card technology was used to automate the entrance/verification process. It quickly was realized that this application could build an automated headcount and automatically complete the forms that previously were manual. No longer did the forms have to be picked up after each meal and manually entered into a food management information system; they could be electronically interfaced, thereby automating much of the back-office functions for meal attendance and accountability. The new smart-card-enabled process made data more accurate (eliminating reliance on handwritten sign-in information) and more reliable for managing inventories and receiving reimbursement for meals served. In fact, information could be relayed to a display in the kitchen in real time, streamlining food preparation and minimizing waste. An added feature of the smart card that benefits the Service member, the dining facility, and the finance office is that members can authorize the deduction of funds from their pay accounts to cover the cost of their meals. With the addition of a personal identification number (PIN), this security feature enables users to authorize "cashless" payments.
The adoption of smart card technology for the food service application highly automated diner check-in and back-office data entry and reduced cash management and the need for added security measures for cash collections. Dining facility employees thus can direct more attention to food preparation and quality and customer service.

Although individual applications (like food services) have provided significant benefits, no single application by itself could demonstrate sufficient return on investment to offset the cost of an entire DoD smart card infrastructure. However, by supporting multiple applications, the cost of the support infrastructure (especially issuance) is lowered per application. The use of smart cards for multiple applications makes the best business case for DoD. But it also makes card management more challenging, as there are many more functional owners and decision makers involved. Early applications primarily used a data-centric approach; that is, a lot of information regarding an individual was placed on the card. As such, the card can be used as a portable data carrier in the absence of connectivity. It also enabled a number of off-line transactions and processes. However, in a multi-application environment, the large amount of on-card data made card management difficult, since individuals would be carrying a separate database that needed to be kept up to date. In implementing the CAC DoD-wide, DoD has moved toward minimizing data on the card, which is called a Web-centric approach. In this approach, the CAC is the authentication device needed to access the server- or system-based data. This approach alleviates the challenge of maintaining large amounts of information on the CAC. It also supports DoD goals and a vision of moving to broad information access, faster exchange, and more ubiquitous connectivity. DoD may not be able to do everything and meet all of its requirements with a single smart card.
For example, there are significant policy issues and industry practices to consider before placing a stored (monetary) value application, which may be sponsored by a financial institution, on a DoD identification card. However, as evidenced by the food service pilot application, financial applications can be enabled with a PIN and the CAC's digital certificates. These issues will be evaluated on a case-by-case basis as requirements are identified.

DoD's Public Key Infrastructure

The strategy that underlies DoD Information Assurance (IA) is "Defense in Depth," in which layers of defense are used to achieve security objectives. The DoD PKI is a supporting layer of this strategy, providing a vital element for a secure IA posture for the Defense Information Infrastructure. Security services provided by DoD's PKI include the following:

* Identification and authentication
* Data integrity
* Confidentiality of information and transactions
* Nonrepudiation to facilitate mission-related and e-business transactions internal to DoD and with external organizations

The last service is a key point. PKI can enable electronic commerce and electronic business by providing a strong and secure sense of who did what, and when (that is, a binding transaction). The CAC is the DoD-designated hardware token for certificates and their accompanying private keys for use on unclassified networks. Certificates are instruments used to convey trust. The DoD PKI issues identity, e-mail signing, server (device), and encryption certificates. To achieve common certificates across the entire DoD, the DoD PKI identity, e-mail signing, server (device), and encryption certificates have a minimum/common set of attributes, based on open standards and specifications.
In simpler terms, the CAC enables individuals to authenticate themselves over networks, including the Internet, digitally sign e-mail, and encrypt e-mail--in other words, conduct secure transactions that no one can deny having conducted (nonrepudiation).

DoD Smart Card Governance

The U.S. Congress has been a strong supporter of smart card technology within DoD, including designating the senior DoD decision-making body for smart card technology as the Smart Card Senior Coordinating Group (SCSCG). The SCSCG has been chartered to develop and implement DoD-wide interoperability standards for use of smart card technology and to craft a plan to exploit smart card technology as a means for enhancing readiness and improving business processes. The DoD Chief Information Officer has been assigned overall responsibility for smart card technology within DoD. As a technology-based tool, smart cards don't fit a long procurement cycle, such as that of a major weapons system. Requirements and technology change too fast to plan five or seven years in advance. Applications should be easy and quick to develop, and interfacing to the CAC should be made as easy as possible. The decision to implement smart card technology DoD-wide was made in the fall of 1999. Following congressional direction provided in the Fiscal Year 2000 Defense Authorization Act, the Deputy Secretary of Defense mandated that smart card technology would be implemented as the CAC, with mandatory functions of identification, physical access, and logical access (that is, access to DoD's networks and computer systems).

Moving Forward with the CAC

Many organizations have had to review their requirements and reach compromise on the appearance and content of the CAC, since it first must meet basic identification card (for example, Geneva Conventions) needs. The CAC crosses several policy and functional boundaries in DoD.
It also supports both a centralized and a distributed architecture, meaning that some information and functions will be standard on all CACs, while the Components (the military services, DoD agencies, and warfighter commanders-in-chief) may determine the supplemental applications deployed on CACs carried by their assigned personnel. Existing processes and procedures have been challenges to CAC development and fielding. The CAC offers a dynamic capability for both its magnetic stripe and chip that must be managed and properly controlled. It is actually a challenge to write hard-and-fast requirements for smart cards; just think of doing that for your personal computer 10 or 20 years ago. There are a lot of existing rules and regulations that will need to be reevaluated and revised to fully support and use the CAC across DoD. Furthermore, DoD has not made extensive use of the media provided on previous versions of its identification cards. The traditional "teslin" ID cards have contained two bar codes for over seven years, yet few applications have been developed or enabled to use the bar code interface. The CAC, however, has a stronger driving force for automated interface: mandated PKI milestones for DoD moving to completely signed electronic mail and secure log-on to DoD networks and computer systems. Many Components also have aggressive time lines for public key enabling their existing applications and systems, using the certificates on the CAC.

Conclusion

The CAC is here! Even so, change in large organizations takes time, so it will take some time before the entire DoD is fully using the CAC technology. Combining an identification card with a PKI token and an access badge is a monumental challenge both procedurally and technically, especially for a target population of over four million recipients with varying needs and requirements.
DoD has been able to field an operating test issuance station in less than one year, thus proving that the technical capability exists. Beta testing also has shown that the card issuance process requires extensive communications with multiple issuing sites, and adjustments are being made to improve scalability and continuity of communications as testing is expanded. Underlying these technical issues is a basic need for bandwidth, and the Internet is being used to the maximum extent practicable to support CAC issuance. An additional challenge is that of the "last mile," where existing installation-level telecommunication infrastructures may need to be upgraded to minimize the time needed for card issuance. DoD is moving to an automated interface with its new ID cards, and the use of available commercial off-the-shelf products has accelerated CAC technical development and implementation. Not only does the CAC offer stronger security, but it can also facilitate better uses of existing infrastructure. The CAC soon will be in everyone's hands--enabling business process reengineering, cutting through some of the inefficiencies of filling out forms and standing in lines, moving manual, paper-based transactions to automation--and accelerating the transition of time-wasting face-to-face transactions to the virtual realm!

Mary Dixon (aka Mary Snavely-Dixon) is currently the Director of the DoD Access Card Programs and DEERS/RAPIDS Operations, responsible for the implementation of smart card technology in the Department of Defense. Over the course of her career, Mary worked for the Navy in manpower (determination of military and civilian requirements) and in Program Analysis and Evaluation (PA&E) in the Office of the Secretary of Defense. In 1977, she was appointed the Deputy Assistant Secretary of the Navy (Manpower), where she was responsible for military manpower, personnel, and training policy and issues within the Department.
Mary also worked as a consultant addressing a wide range of manpower, personnel, and training issues throughout the DoD and FEMA. She returned to the federal government at the Defense Manpower Data Center in 1998. Mary holds a master's degree in business administration-operations research from George Washington University.

Endnotes

(1.) Deputy Secretary of Defense Memorandum, subject "Smart Card Adoption and Implementation," November 10, 1999.

(2.) According to an Unterberg Towbin study in 1998, more than 50 percent of disputed (or potentially fraudulent) charges at the Visa European division came from Internet transactions. However, Internet transactions represented only 2 percent of the division's total transaction volume.

(3.) Moore's Law according to Encyclopedia Britannica: In 1965, for a special issue of the journal Electronics, Moore was asked to predict developments over the next decade. In reviewing past increases in the number of transistors per silicon chip, Moore formulated what became known as Moore's Law: The number of transistors per silicon chip doubles each year. In 1975, as the rate of growth began to slow, Moore revised his time frame to two years. His revised law was a bit pessimistic; over roughly 40 years from 1961, the number of transistors doubled approximately every 18 months. Magazines regularly referred to Moore's Law as though it were inexorable--a technological law with the assurance of Newton's laws of motion. Only time will tell if Moore's Law will be repealed. Moore's Law according to Webopedia: In subsequent years, the pace slowed down a bit, but data density has doubled approximately every 18 months, and this is the current definition of Moore's Law, which Moore himself has blessed. Most experts, including Moore, expect Moore's Law to hold for at least another two decades.

TM Java and JavaCard are trademarks of Sun Microsystems.