Sunday, May 12, 2013

TWIC Reader Hearing

Well, I finally had a chance to go back and watch the web cast of last Thursday’s hearing of the
Government Operations Subcommittee of the House Oversight and Government Affairs Committee on the GAO’s report on the TWIC Reader Pilot. Well, it was supposed to be about Federal Government Approaches to Issuing Biometric IDs, but no other agencies could show up and there was this GAO report, so it was essentially about the report.

Now I described the report in an earlier post, but in summary the GAO found all sorts of methodological problems with the way the TWIC Reader Pilot was run by TSA. As a result of those problems GAO questions whether the conclusions drawn from the pilot report can be used to justify the use of TWIC Readers. GAO did not question the utility or performance of the Readers, just whether or not the TWIC Reader Pilot results could be used to justify the use of the Readers.


The hearing was very poorly attended on both sides of the Committee Room. There were only four congressmen present, the Chair and Vice-Chair, the Ranking Members of both the Committee and Sub-Committee. The Rep. Mica (R,FL) noted that there were only three people in the press gallery. Even with the advanced notice of the results of the GAO report, there was little interest in the hearing.

The hearing was, however, a model of bipartisan agreement; TSA was in deep trouble and had a great deal of explaining to do. With only four congresscritters asking questions there was a great deal of follow-up questioning and when one congressman’s turn was done the next took up the same line of questioning as if it were rehearsed.

For the most part the questioners did listen to the responses and modify their subsequent questions appropriately. The only major exception to this was Chairman Mica’s continuing reference to the susceptibility of the TWIC to forgery, even after Mr. Lord explained that the GAO’s forged cards did not pass muster in the TWIC Reader. Lord explained that the holders were allowed facility entrance despite the lack of TWIC Reader approval; certainly not the fault of TSA.

To TWIC or Not To TWIC

Every one of the Subcommittee members present questioned whether or not DHS should consider replacing the TWIC with something more effective. Committee Ranking Member Cummings (D,MD) made the comment in his opening remarks that there is no “reliable data proving that the TWIC card” is part of an effective port security program. Mr. Sadler from TSA disagreed, of course, but even Mr. Lord from GSA admitted that there was no proof that the TWIC wasn’t effective.

Mr. Sadler said time and again (in very repetitive language, obviously rehearsed to emphasize the limitations) that, when properly installed and maintained, and the operators and card holders were properly trained, the TWIC Readers in the study properly performed their scanning and verification function. No one disputed this oft repeated statement.

What wasn’t directly mentioned here was the fact that neither TSA or GAO have any control over whether or not the TWIC program continues, is cancelled or is significantly modified. All of that rests with the Congress. Of course, scrapping the program and starting anew will cost a great deal of money, something that will be politically impossible to do. Even making significant changes to the TWIC program will be costly and politically difficult to achieve in the current political and economic environment.

Interestingly, the GAO does not recommend making changes to either the TWIC or the TWIC Readers. The conclusion of this report states:

“Given that the results of the pilot are unreliable for informing the TWIC card reader rule on the technology and operational impacts of using TWIC cards with readers, we recommended that Congress should consider repealing the requirement that the Secretary of Homeland Security promulgate final regulations that require the deployment of card readers that are consistent with the findings of the pilot program; and that Congress should consider requiring that the Secretary of Homeland Security complete an assessment that evaluates the effectiveness of using TWIC with readers for enhancing port security. This would be consistent with the recommendation that we made in our May 2011 report. These results could then be used to promulgate a final regulation as appropriate.” (pg 10)

In other words, Congress should remove their mandate to use the TWIC Reader Pilot as the justification for requiring the use of TWIC Readers and put the burden back on DHS to justify the use of TWIC Readers on the basis of improved security. The reason for requiring the TWIC Reader shouldn’t be that it works, but rather that it is needed.

TWIC Antennas

There was an important technical issue that was only peripherally addressed in this hearing and in the GAO report. The GAO report noted that there was insufficient information provided in the TWIC Reader pilot to identify how many cards were not read due to broken antennas. Since the TWIC is an RFID device that can be remotely queried by the TWIC Reader a broken antenna makes it useless as a contactless identification.

Mr. Sadler noted in response to questioning that the contactless mode of operation is what distinguishes the TWIC from the Common Access Card (CAC) readers used by the military. He used this to explain why the Subcommittee members {particularly Ranking Member Connolly (D,VA)} should not try to compare the ruggedness of the CAC to the less robust TWIC.

He then claimed that only a contactless reader could be used at port facility truck gates. This does not appear to be factually correct. There are hand-held TWIC Readers that could be used, allowing the more robust antenna available on such devices to be used to contact a local base station rather than using the embedded antennas to allow the TWIC to communicate with the Reader.

IRIS Biometric

A topic near and dear to the heart of Chairman Mica is the lack of an iris scan biometric encoded in the TWIC. Each time he brings this up, apparently, he has been told that NIST does not yet established a standard for encoding the iris biometric, but is coming in the next couple of months. TSA rightly maintains that it is not up to them to establish the standard, just to implement one if it is feasibly available.

Mica requested both witnesses and the committee staff to contact NIST to see if they could get a consistent answer as to when such a standard might become available.

TWIC NPRM Reader Extension

Mr. Lord did note in response to some question about the timetable for the implementation of the TWIC Reader NPRM (a concept that Chairman Mica appeared to be completely unfamiliar with) that the Coast Guard had recently extended the comment period on the NPRM to 90 days. Then, almost in passing, he suggested that they might want to make another 90 day extension to allow comments to be formulated about the results of the GAO report on the TWIC Reader Pilot.

Since there have been no comments to date on the TWIC Reader Pilot, I would not be surprised to hear that someone in industry doesn’t request another extension to review their initial acceptance of the NPRM in light of the reported inconsistencies in the pilot report. With just a little over a month remaining on the revised comment period, the Coast Guard would certainly be justified in approving such a request.

Video Timeline

A long time reader, Donald Bruce of the Houston/Galveston, TX Area Maritime Security Committee, was kind enough to send me an annotated timeline of the important parts (in his estimation) of the web cast of the hearing. I have not checked every listing, but it was helpful to me in following the video so I thought that I would pass it along. Note: Everything up to about the 39 minute mark was essentially opening statements.

Min 39 - Iris Scan issues
Min 42 – Use of Fake Cards
Min 43 – Questions from Rep. Connolly – Was the Pilot Successful?
Min 57 – What if we cancel the program?
Min 58 – We should recommend readers
Min 110 – Answer to benefit of TWIC Pilot – Definition of a Successful Reader Project
Min 111 – We will go forward
Min 113 – The TWIC Pilot is very useful for the USCG in the NPRM
Min 114 – CAC described use in Afghanistan – a success story
Min 119 –Contact biometric will not work in a maritime environment
Min 120 – TSA Given 60 days to review over Biometric Card success (CAC)
Min 122 – Look NIST Iris standard (Alternate Biometric)

Moving Forward

Chairman Mica said that the Subcommittee will be holding additional hearings looking at other forms of Federal identification that include encoded biometrics. He also gave Mr. Sadler 60 days to look at the CAC and get back to the Committee with an explanation of why the TWIC and the CAC should/should not be compared.

No comments:

/* Use this with templates/template-twocol.html */