The work on updating the common access card (CAC) used within the Department of Defense continues. In August 2016, we explained CAC and analyzed the next generation of authentication methodologies. In early June, Lt. Gen. Alan R. Lynn, USA, Director of the Defense Information Systems Agency (DISA) noted how DISA is “racing to remain ahead of cybercriminals” and that he and his agency are open to ideas and solutions from the private sector. Lynn calls shocking the depth and breadth of the cyber threats DISA faces. Lynn said, “The agency makes thousands of changes to networks each month to defend them. And it removes hundreds of millions of bad emails infected with malware or phishing attempts.”
To that end, Defense Advanced Research Project Agency (DARPA) work in the realm of behavioral analysis continues. Lynn noted, “the new (authentication) system will employ behavioral analysis and biometrics to verify identity. This could feature “patterns of life,” in which a person’s actions are compared with established habits.” Think of this in terms of pattern recognition.
Testing of six-to-twelve month pilot projects began in April 2017. These tests include using the CAC with mobile devices and evolving new methodologies of “derived credentials.” Discussion on derived credentials replacing the CAC dates back to at least 2004, when the White House issued Homeland Security Presidential Directive 12 which mandated a new Smart ID card for government employees/contractors. The NIST has coined the term derived credentials to refer to cryptographic credentials which are created from the Common Access Card (CAC) and carried in a mobile device instead of the card.
DARPA’s active authentication program, as explained by Dr. Angelos Keromytis, is “developing novel ways of validating the identity of the person at the console that focus on unique aspects of the individual through the use of software based biometrics.” He continues, the focus is “on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint.'”
What’s certain is change is afoot. When DISA will land on the new authentication protocol remains to be determined.