Monday, January 3, 2011

Army to Use TWIC for Cyber Authentication

There is an interesting, yet very brief notice in today’s Federal Register from the Surface Deployment and Distribution Command (SDDC) of the US Army. They are notifying all commercial users of their ‘transportation systems and applications’ that as of October 1st, 2011, they will have to use either a commercial PKI certificate or Transportation Workers Identification Credential (TWIC) to access those information systems.

This is a very interesting expansion of the use of the TWIC beyond the port security program for which it was developed. Granted, many of the Army systems involved will be at ports, but there is nothing in the language of this notice that indicates that the TWIC will only be used for access at port facilities.

Remote vs Local Access

I don’t really understand how the two systems (PKI Certificate and TWIC) could be used for similar access situations. As I understand things the PKI Certificate is used to remotely access an electronic system or application via a network connection of some sort. The certificate would be stored on the user’s computer or other electronic communications device. To gain physical access to a DOD controlled device the certificate would have to be on a transportable data device like a USB drive; but I understand that the Military has been trying to keep those out of their networked cyber systems.

The TWIC however is a physical device that includes electronic identification coding. This would be useful for allowing physical access to a DOD controlled device only if there were a card reader (and TSA is working on establishing physical standards for a card reader system that can be used to verify physical access clearance; the electronic standards already exist) attached to the device in question.

I suppose that remote access is a possibility if there were a card reader attached to the computer or device being used to conduct the remote system access. This would imply that the military would require encryption of at least the identification verification information for transmission.

Today’s notice does not provide any real discussion on the two different types of access. It does provide some discussion on the process for obtaining an PKI certificate. It then goes on to state:

“An alternative identification security option is the Transportation Worker Identification Credential (TWIC). TWIC requirements and how to get a TWIC can be found at the TWIC Website at: http://www.tsa.gov/public (click on ‘what we do’, search ‘TWIC’).” (76 FR 127)
TWIC and Military ID

There have been a number of changes in the military since I got out of the Army in 1987. One has been that the military identification card has been upgraded into the digital age. I do know that the current ID card has some digital identification information included in the card. How much information and what physical format is used I just don’t know; it’s not something that I have followed closely.

However, with this notice, I think that we can deduce something about that identification information. First though, I am making some assumptions:

• The military is using a form of TWIC reader to allow cyber access to civilians authorized access to those systems.
• The military is using a physical form of identification verification to allow military and civilian DOD personnel access to the same systems.
• The military is going to minimize the duplication of identification verification systems.
If those assumptions are true, then one would like to conclude that the identification verification encoding on the military/DOD identification is similar enough to that used on the TWIC that a single device could read/interpret both. This would make sense because a large number of military personnel (military transportation folks in particular) would need to have routine access to many port facilities in the US. If their military ID would work with TWIC Readers it would simplify things tremendously.

The only problem with all of this is that I have a hard time believing that our government is that efficient. That would require advance planning between to very disparate departments in the US Government which is something that we typically see too little of. Additionally, to make the whole identification verification system work, there would have to be a massive amount of routine communication of information about lost and revoked identification cards. I would be pleasantly surprised (overwhelmed actually) if this were actually taking place.

Cyber System Access Control

I am pleased, however, to see that someone is addressing the issue of access verification to critical cyber systems with something other than passwords. In my (not so humble) opinion the use of passwords for systems access is untenable. There are just too many places where the modern human is expected to remember passwords that the average human being is going to have to resort to some sort of violation of security protocols to keep up with them all.

The use of an identification card like the TWIC has a number of potential benefits that make its use for control of physical access to a security cyber device attractive. The TWIC requires identification verification and a basic background check before it is issued. It allows for the use of biometric verification that the person using the card is the person that was issued the card. And, if the TWIC itself is used, all of the hard work of setting up the system has already been done.

The big potential drawback to the use of a single form of identification like TWIC for many disparate access control situations is that when the card is broken, access control for all of the systems where it is used is compromised. When the TWIC is successfully counterfeited, both visually and electronically, anyone using the TWIC will no longer be able to depend on it for identity verification. And because it is in such widespread use, it will eventually be counterfeited.

TWIC Applications

I was happy to see the Army put an effective date of October 11th, 2011 on this notice. It is going to take some amount of time to get everyone in possession of a PKI Certificate or TWIC card that needs to have access to these systems. I suspect that many of the people involved will already have a TWIC because of their need to access port facilities, but there will inevitably be a new surge of people applying for TWIC.

Hopefully the Army will put some emphasis on getting people to start the application process as early as possible. TSA does not need a new round of Congressional enquiries about why people are going to be ‘losing their jobs’ on October 1st because they have not yet received their TWIC. Perhaps the Army needs to consider a phased implementation schedule like the Coast Guard used at the various ports.

2 comments:

John C.W. Bennett said...

PJ,

Regarding your statement:
"This would make sense because a large number of military personnel (military transportation folks in particular) would need to have routine access to many port facilities in the US. If their military ID would work with TWIC Readers it would simplify things tremendously."

To my non-technical mind (social sciences major MANY yeas ago), the TWIC reader specification (http://www.tsa.gov/assets/pdf/twic_reader_card_app_spec.pdf) looks very TWIC specific. It seems likely that no one thought about having TWIC readers read federal government IDs, since federal officials, including military personnel, in the performance of official duties are exempt from the TWIC requirement. I agree, however, that it would be beneficial if the TWIC readers could verify federal IDs.

Current MTSA Regulations only require federal officials to "present" their agency-issued credential. "Present" is not defined. An early DHS memo emphasized that federal officials could not be required to "surrender" (also undefined) their IDs. As a result, there are cases of federal officials (most often from one particular agency) who refuse to let MTSA-regulated facility gate guards touch their IDs. How then are the gate guards supposed to verify the authenticity of the ID? TWIC readers that could verify federal IDs could not only avoid these conflicts over authority, but actually improve security. Terrorist organizations have often "cloned" official vehicles and uniforms (and it has been reported that a drug gang on the Texas border "cloned" a vehicle of the agency referenced above). Requiring federal IDs to be electronically read would slow down terrorists masquerading as federal officials, or at least force them to tip their hand earlier.

Kevin Fall said...

The TWIC is an HSPD-12 compliant credential and has 4 certificates on it. Readers for this type of card (that plus other federal HSPD-12 and DoD CAC credentials) are widely available (e.g. SCR3310 for $13 on Amazon). Now what your software actually -does- with those certificates is another matter.

 
/* Use this with templates/template-twocol.html */