Recently, I had the pleasure of speaking to ClearanceJobs editor Lindy Kyzer about the comments which DOD Chief Information Officer Terry Halvorsen made with respect to the need for change in the Common Access Credential (CAC) used by the DOD today.
What is the CAC?
The CAC provides the required authentication so that “systems” know who is accessing their environment and which part of the infrastructure, physical or electronic, that person is reaching. Within government classified environments, the rules of “least privileged access” and “need to know” prevail. A log-in could be used by anyone; authentication requires something which the user has. Ergo the CAC, also known as the Common Access Card, came about in 2006 so that the individual would not need multiple devices, be they fobs, ID cards or dongles, to access their place of employ or its systems.
The current CAC has 2048-bit encryption in place, a magnetic strip, an integrated circuit chip (which requires a PIN as a second level of authentication), barcodes, and RFID for proximity use. It can also be used as photo identification.
CAC evolves
When the CAC was first introduced, the DOD had authentication as a front-burner issue. Indeed, the CAC’s evolution has kept the DOD at the forefront of ensuring strong encryption was part of the CAC as far back as 2008. In 2012, the DOD required that all cards use 2048-bit encryption. This encryption reboot required all cards of that time to be reissued; otherwise the user’s card was rendered inoperative, useful only for visual verification.
Halvorsen’s statement of the need for change indicates the need to move beyond a physical ID and a PIN code. Biometrics and behavior-based authentication are both key areas of evolution.
Authentication expenses
Expenses, sadly, are always a factor. Every entity – government or commercial – is always reviewing their current operations for enhancements which will reduce the OPEX or operational expense.
The CAC, according to the DOD website, has a convoluted and expensive deployment sequence. “You must be registered in the Defense Enrollment Eligibility Reporting System (DEERS) by your sponsor prior to card issuance. Also, if you change roles – for example, changing from active-duty to contractor status – you will need to reregister in DEERS.” It also requires multiple cards for multiple roles. So if you are a reservist you will have one card, and a different card for you to use if you are a contractor or DOD civilian.
Halvorsen’s view of the future of authentication technology is that it will allow for multi-role device authentication. He specifically called out the example of a deployed individual needing a CAC replaced, but having to wait for the replacement to arrive – while mortar shells are falling all about – as not particularly helpful. The value of that lost time must always be calculated into the OPEX savings.
CAC as a workplace ID
IDs are visual aids to quickly determine a person’s status – IC, employee, visitor, etc. Halvorsen said the CAC may be used for access to buildings, but not for access to DOD IT systems. Implementation and use of Wi-Fi, Bluetooth or NFC devices to determine an individual’s ability to access a given area have been around for many years (and depicted in the cinema for longer). This need will continue, and the need for a wearable ID will not be going away anytime soon. That ID may evolve into a wrist band, however.
Behavior-based authentication
Halvorsen spoke to the need for advanced authentication capabilities for DOD IT systems. Biometrics (iris scan, heart rhythm, fingerprints, voice recognition) are definitely part of the mix.
The concept of behavioral analysis is very exciting, as it is the user’s own behavioral characteristics which are captured and then used as a unique indicator. The current DARPA program into behavioral authentication (which began in 2012) is looking at a plethora of avenues:
- Screen fingerprints
- Semantic and Syntactic web browsing
- Stylometry – how a person types and uses language; keyboard dynamics
- Covert Games – teach users patterned system aberrations
The initial results of implementing behavior authentication are quite impressive. At a 2013 conference, BehavioSec displayed some preliminary results from their testing which would make any CISO smile. While the correct user can work through a regular workday without being falsely rejected, the incorrect user would be detected within 10 seconds using the keyboard (6 interactions, roughly 3 keys) or in just under 3.5 minutes using the mouse (86 interactions).
This bodes well for the future of authentication and security within the DOD IT systems.
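The keyboard-dynamics detection described above, as an added illustration that is not part of the original article nor of BehavioSec’s or DARPA’s work: a minimal continuous-authentication scorer that builds a per-user digraph-latency profile from enrollment samples and runs a trust counter over a session, rejecting once accumulated anomalies exhaust it. The digraph latencies, the z-score limit and the trust parameters are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed enrollment data: (digraph, latency in ms) samples from the genuine user.
ENROLL = [("th", 118), ("th", 122), ("th", 125), ("th", 115),
          ("he", 93), ("he", 97), ("he", 95), ("he", 99),
          ("er", 148), ("er", 152), ("er", 155), ("er", 145)]

def build_profile(samples):
    """Per-digraph (mean, stdev) of typing latency; stdev floored to 1.0 ms."""
    by_digraph = defaultdict(list)
    for digraph, latency in samples:
        by_digraph[digraph].append(latency)
    return {d: (statistics.mean(v), statistics.pstdev(v) or 1.0)
            for d, v in by_digraph.items()}

def score_session(profile, events, z_limit=2.5, start=10, reward=1, penalty=2):
    """Trust-counter continuous authentication over a stream of (digraph, latency).
    Each in-profile keystroke adds `reward`, each anomalous one subtracts `penalty`;
    the counter is capped at `start` so a long good run cannot bank credit that
    later masks an impostor. Returns (decision, interactions consumed)."""
    trust = start
    for i, (digraph, latency) in enumerate(events, 1):
        if digraph not in profile:   # no reference for this digraph: no evidence either way
            continue
        mean, stdev = profile[digraph]
        z = abs(latency - mean) / stdev
        trust = min(start, trust + reward) if z <= z_limit else trust - penalty
        if trust <= 0:
            return ("reject", i)
    return ("accept", len(events))

PROFILE = build_profile(ENROLL)

# Constructed sessions: the genuine user (one slightly slow keystroke, one unseen
# digraph) and an impostor whose latencies fall far outside the profile every time.
GENUINE = [("th", 121), ("he", 94), ("er", 153), ("th", 131), ("xq", 400),
           ("he", 98), ("er", 147), ("th", 124), ("he", 95), ("er", 151)]
IMPOSTOR = [("th", 200), ("he", 160), ("er", 240), ("th", 210),
            ("he", 170), ("er", 250), ("th", 205)]

if __name__ == "__main__":
    print("genuine :", score_session(PROFILE, GENUINE))   # ('accept', 10)
    print("impostor:", score_session(PROFILE, IMPOSTOR))  # ('reject', 5)
```

The genuine session absorbs a single off-profile keystroke and recovers, while the impostor is rejected on the fifth scored interaction, the same order of magnitude as the handful of keystrokes the article reports.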