b"<html>\n<title> - ADVANCEMENTS IN SMART CARD AND BIOMETRIC TECHNOLOGY</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n          ADVANCEMENTS IN SMART CARD AND BIOMETRIC TECHNOLOGY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION\n                POLICY, INTERGOVERNMENTAL RELATIONS AND\n                               THE CENSUS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           SEPTEMBER 9, 2003\n\n                               __________\n\n                           Serial No. 108-133\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n93-034              U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2003\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. 
WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nJOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, \nNATHAN DEAL, Georgia                     Maryland\nCANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of \nTIM MURPHY, Pennsylvania                 Columbia\nMICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee\nJOHN R. CARTER, Texas                CHRIS BELL, Texas\nWILLIAM J. JANKLOW, South Dakota                 ------\nMARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                       Peter Sirh, Staff Director\n                 Melissa Wojciak, Deputy Staff Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n              Philip M. Schiliro, Minority Staff Director\n\n   Subcommittee on Technology, Information Policy, Intergovernmental \n                        Relations and the Census\n\n                   ADAM H. PUTNAM, Florida, Chairman\nCANDICE S. MILLER, Michigan          WM. 
LACY CLAY, Missouri\nDOUG OSE, California                 DIANE E. WATSON, California\nTIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts\nMICHAEL R. TURNER, Ohio\n\n                               Ex Officio\n\nTOM DAVIS, Virginia                  HENRY A. WAXMAN, California\n                        Bob Dix, Staff Director\n                 Lori Martin, Professional Staff Member\n                      Ursula Wojciechowski, Clerk\n           David McMillen, Minority Professional Staff Member\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on September 9, 2003................................     1\nStatement of:\n    Bates, Sandy, Commissioner of Federal Technology Services, \n      General Services Administration............................    28\n    Bergman, Christer, CEO, Precise Biometrics...................   103\n    Rhodes, Keith, Chief Technologist, General Accounting Office.    75\n    Scheflen, Kenneth C., Director, Defense Manpower Data Center, \n      U.S. Department of Defense.................................    45\n    Turissini, Daniel E., president, Operational Research \n      Consultants, Inc...........................................   121\n    Willemssen, Joel, managing Director of IT Management, General \n      Accounting Office..........................................     6\n    Wu, Benjamin, Deputy Under Secretary of Commerce for \n      Technology, U.S. Department of Commerce....................    53\nLetters, statements, etc., submitted for the record by:\n    Bates, Sandy, Commissioner of Federal Technology Services, \n      General Services Administration, prepared statement of.....    30\n    Bergman, Christer, CEO, Precise Biometrics, prepared \n      statement of...............................................   106\n    Putnam, Hon. 
Adam H., a Representative in Congress from the \n      State of Florida, prepared statement of....................     4\n    Rhodes, Keith, Chief Technologist, General Accounting Office, \n      prepared statement of......................................    77\n    Scheflen, Kenneth C., Director, Defense Manpower Data Center, \n      U.S. Department of Defense, prepared statement of..........    46\n    Turissini, Daniel E., president, Operational Research \n      Consultants, Inc., prepared statement of...................   123\n    Willemssen, Joel, managing Director of IT Management, General \n      Accounting Office, prepared statement of...................     8\n    Wu, Benjamin, Deputy Under Secretary of Commerce for \n      Technology, U.S. Department of Commerce, prepared statement \n      of.........................................................    56\n\n \n          ADVANCEMENTS IN SMART CARD AND BIOMETRIC TECHNOLOGY\n\n                              ----------                              \n\n\n                       TUESDAY, SEPTEMBER 9, 2003\n\n                  House of Representatives,\n   Subcommittee on Technology, Information Policy, \n        Intergovernmental Relations and the Census,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10:05 a.m., in \nroom 2154, Rayburn House Office Building, Hon. Adam Putnam \n(chairman of the subcommittee) presiding.\n    Present: Representative Putnam.\n    Staff present: Bob Dix, staff director; John Hambel, senior \ncounsel; Lori Martin, professional staff member; Ursula \nWojciechowski, clerk; Suzanne Lightman, fellow; Karen \nLightfoot, minority communications director/sr. policy advisor; \nDavid McMillen, minority professional staff member; Cecelia \nMorton, minority office manager; and Anna Laitin, minority \nassistant communications.\n    Mr. Putnam. 
A quorum being present, this hearing of the \nSubcommittee on Technology, Information Policy, \nIntergovernmental Relations and the Census will come to order.\n    Good morning and welcome, everyone, to today's hearing \nentitled, ``Advancements in Smart Card and Biometric \nTechnology.'' I hope everyone had a nice August work period and \nenjoyed a little bit of the break with Congress being out of \neverybody's hair and back home telling the good people, the \ngood constituents what we've done to them or for them, \nwhichever the case may be.\n    This is the first hearing of a very ambitious fall schedule \nfor this subcommittee. As you may have noticed from our \npostings, we will have two hearings this week, three hearings \nthe next week on cybersecurity and related matters. So we have \na very aggressive schedule in keeping with the pace that we \nhave set throughout the year, and we certainly appreciate the \nsupport that GAO and the other executive agencies have provided \nthis subcommittee in allowing us to prepare for that ambitious \na schedule.\n    Securing government buildings and computer systems is a \ntask which has grown in both importance and challenge over the \npast number of years. Recognizing this, Federal agencies \nworking with the GSA have begun testing advanced identification \ntechnology that will better authenticate the identity of those \nrequiring access to and interaction with the Federal \nGovernment.\n    Specifically, agencies are examining the use of smart cards \nwhich offer a number of benefits to Federal agencies including \nidentity authentication of cardholders, increased security over \nbuildings, safeguarding computers and data and conducting \nfinancial and nonfinancial transactions more accurately and \nefficiently. In fact, some agencies, such as the Department of \nDefense, have already issued smart cards. 
The DOD's Common \nAccess Card [CAC], enables physical access to buildings, \ninstallations and controlled spaces. It also permits access \ninto DOD's computer networks. The CAC provides the Department \nof Defense the information, security and assurance necessary to \nprotect vital information resources.\n    A number of other agencies across the Federal Government \nare still exploring the possibilities of smart card use; and \nwhile some progress has been made, a recent report released by \nGAO outlines some areas of concern that need to be addressed in \norder for agencies to move forward in implementing the use of \nsmart cards. As is too often the case, agencies have been \nunable to sustain an executive-level commitment to this \nproject, according to the GAO. If these types of initiatives \nfail to be a priority with the leadership of the agency, it is \ndifficult to imagine that adequate resources will be allocated \nfor their implementation.\n    Some additional noted challenges to progress include: \nrecognizing and understanding resource requirements, \nintegrating physical and IT security practices, focusing on \nachieving interoperability among smart card systems, \nmaintaining the ongoing security of smart card systems and \nprotecting the privacy of personal information. These are just \na few of the issues agencies will need to address as they move \nforward.\n    There are other advanced and emerging technologies that \nhave the potential to offer additional assurance to the \nidentity authentication process. Biometrics are automated \nmethods of recognizing a person based on a physiological or \nbehavioral characteristic. Biometry is being explored, \ndeveloped and even utilized by agencies today, including the \nFBI, at our borders and by State governments in detecting fraud \nand abuse of government benefits through identity verification.\n    Biometric authentication may also be used with smart card \ntechnology. 
Some smart cards have the capability of holding a \nbiometric identifier, such as a fingerprint. This holds the \npotential to increase the accuracy of the identity \nauthentication process. These possibilities as well as the \nlimitations and challenges presented by this technology should \nbe explored further.\n    As agencies proceed to explore the use of these advanced \nidentity authentication technologies, government cannot neglect \nthe importance people and process will continue to play in \nproviding a secure environment. Regardless of how well these \ntechnologies work on behalf of the Federal Government in \nauthentication and identity management, technology has its \nlimitations. Without the people and process in place to make it \nwork, we will have wasted a lot of money as well as provided a \nfalse sense of security.\n    I'm hopeful that as the Office of Management and Budget \nworking with the GSA and the National Institute of Standards \nand Technology go forward in setting some guidance for agencies \nconcrete progress in the actual implementation of smart card \ntechnology across agencies will be demonstrated in the very \nnear future.\n    As is always the case with this subcommittee, today's \nhearing can be viewed live via Web cast by going to \nreform.House.gov and clicking on the link under live committee \nbroadcast.\n    [The prepared statement of Hon. Adam H. Putnam follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3034.001\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.002\n    \n    Mr. Putnam. It is a pleasure to have a distinguished panel \nof witnesses with us this morning; and, as is the custom with \nthis subcommittee, I would ask that the witnesses and any \nsupporting cast members who will be answering questions rise \nand raise your right hands and be sworn in.\n    [Witnesses sworn.]\n    Mr. Putnam. Note for the record that all the witnesses \nresponded in the affirmative.\n    Our first witness this morning is Mr. Joel Willemssen. Mr. 
\nWillemssen is the managing director of Information Technology \nIssues at the U.S. General Accounting Office. In this position, \nhe has overall responsibility for GAO's evaluations of \ninformation technology across the government. Specific \nresponsibilities include governmentwide and agency-specific \nassessments of computer security and critical infrastructure \nprotection, e-government, information collection, use and \ndissemination and privacy. Mr. Willemssen is very supportive of \nthe work of this subcommittee, as is the rest of GAO, and we \nwelcome your testimony.\n    Mr. Willemssen, you're recognized for 5 minutes.\n\n     STATEMENT OF JOEL WILLEMSSEN, MANAGING DIRECTOR OF IT \n             MANAGEMENT, GENERAL ACCOUNTING OFFICE\n\n    Mr. Willemssen. Thank you, Mr. Chairman. Thank you for \ninviting us to testify today on the smart cards; and, as \nrequested, I'll briefly summarize our statement.\n    The Federal Government is increasingly pursuing the use of \nsmart cards for improving the security of its many physical and \ninformation assets. Since 1998, numerous smart card projects \nhave been initiated addressing a wide array of capabilities, \nincluding better authentication of the identities of people \naccessing buildings and improved security of computer systems. \nThe largest smart card program, as you mentioned, currently in \noperation is Defense's Common Access Card program; in addition \nto enabling access to specific defense systems, this card is \nalso used to better ensure that electronic messages are \naccessible only by designated recipients.\n    Even with the progress made governmentwide to use smart \ncards, there are several key management and technical \nchallenges that need to be overcome to achieve a card's full \npotential, and one of them, as you mentioned, is sustaining \nexecutive commitment. 
Without executive commitment, it's very \ndifficult to actually see success in smart card efforts.\n    A second challenge is obtaining adequate resources for \nprojects that can require extensive modifications to technical \ninfrastructures and software.\n    Third is that integrating security practices across many \nagencies can be a major task, because it requires collaboration \namong those organizations who have responsibility for physical \nsecurity and those organizations that have responsibility for \ncomputer and information security.\n    A fourth challenge is interoperability across the \ngovernment to try to reduce the potential number of stovepipe \nsystems that cannot easily communicate with one another.\n    And, finally, although concerns about security are \nthemselves a key driver for why we want to pursue smart cards, \nthe security of smart card systems is not foolproof and needs \nto be closely examined as agencies go forward with \nimplementation.\n    To help address these challenges, several initiatives have \nbeen undertaken to facilitate the adoption of smart cards. For \nexample, GSA has set up a governmentwide standards-based \ncontract. In addition, it's adopted a new agencywide \ncredentialing policy, and it's consolidated its special smart \ncard projects within the public building service.\n    In July, OMB has also shown that it's begun to take action \nto develop a governmentwide policy framework for smart cards, \nspecifically, a plan to develop a comprehensive policy for \ncredentialing Federal employees. Second, OMB intends to pursue \na governmentwide acquisition of authentication technology, \nincluding smart cards to achieve governmentwide cost savings. \nThird, OMB plans to consolidate agency investments in \ncredentials and related services by selecting shared service \nproviders by the end of 2003.\n    Even with those important steps of OMB and GSA, there is a \nlot of work remaining to do in the smart card area. 
For \nexample, reconciling the varying security requirements of \nFederal agencies to arrive at a stable design for Federal \ncredentialing is going to take a lot of time; and, further, \nachieving OMB's vision of streamlined Federal credentialing \nwill be challenging in attempting to reach consistency in how \nagencies perform identity verification.\n    Mr. Chairman, that concludes a summary of my statement, and \nI'd be pleased to address any questions you may have. Thank \nyou.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. Willemssen follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3034.003\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.004\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.005\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.006\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.007\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.008\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.009\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.010\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.011\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.012\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.013\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.014\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.015\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.016\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.017\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.018\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.019\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.020\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.021\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.022\n    \n    Mr. Putnam. Our next witness is Ms. Sandy Bates from the \nGeneral Services Administration. Ms. Bates was named \nCommissioner of the Federal Technology Service in March 2000 \nafter 2 years as Deputy Commissioner. FTS is the GSA's \ninformation technology and telecommunications organization that \nprovides more than $5 billion in products and services to \nFederal Government agencies each year. Prior to her work at \nGSA, Ms. 
Bates was with NASA where she held various positions \nin telecommunications, including program manager for NASA's \nagencywide local service program and for their Program Support \nCommunications Network.\n    Welcome to the subcommittee. You're recognized for 5 \nminutes.\n\n STATEMENT OF SANDY BATES, COMMISSIONER OF FEDERAL TECHNOLOGY \n           SERVICES, GENERAL SERVICES ADMINISTRATION\n\n    Ms. Bates. Thank you. Mr. Chairman, thank you for the \ninvitation to participate in today's hearing on advancements in \nsmart card and biometric technology. The Federal Government is \nmaking great strides in the use of this technology, and the \nGeneral Services Administration continues to take innovative \nactions to help agencies secure their facilities and \ninformation. We participate in governmentwide committees such \nas the Interagency Advisory Board, Federal Identity \nCredentialing Committee, the Interagency Security Committee and \nthe Smart Card Alliance.\n    I'd like to give you a brief history of the smart card \nprogram and address the concerns in your letter.\n    The GSA Federal Technology Service, along with the industry \npartners, can today meet agencies' needs for smart cards, card \nreaders, applications development, interoperability and \ncomplete systems integration. We do this through our \ngovernmentwide smart card contract.\n    With regard to use of smart cards within GSA, the agency \nhas initiated several programs. Currently, all GSA associates \nin the Washington, DC area have smart card IDs. All GSA \nassociates nationwide will have smart card IDs in fiscal year \n2004. GSA's regional office in New York is implementing smart \ncards at three locations in New York City for physical access. \nThey will be using a contact/contactless smart card. The card \nwill also include a biometric thumbprint. Cards are currently \nbeing issued to all Federal employees and contractors at these \nthree locations. 
Employees will be able to use the cards to \ngain access to the building through optical portals.\n    Once the initial physical access program is completed, GSA \nwill begin planning to implement a smart card solution for \ncomputer access. Tenant agencies in these buildings that will be \nusing the smart card for physical access include HUD, EPA, the \nCorps of Engineers, IRS, FBI, INS and Homeland Security.\n    A major feature of GSA's smart card contract is the \nestablishment of technical specifications for smart card \ninteroperability. These standards are the first of their kind \nfor smart cards in government and represent a tremendous joint \neffort by GSA, industry partners and other Federal agencies.\n    The GSA's Interagency Advisory Board was established after \npublication of the initial version of the standards. The \nmembers include representatives from industry and government. \nThe IAB continues to refine and update the interoperability \nspecifications.\n    A recent test successfully proved interoperability of \ncivilian smart cards. The objective of the test was to \ndemonstrate that multi-agency interoperable smart cards could \nbe used in one agency's physical access system to gain access. \nThe test participants were GSA, State Department and the \nTransportation Security Administration. Representatives from \nGSA and TSA inserted their smart card IDs in the State \nDepartment's readers and were granted access to the building.\n    Regarding biometrics, GSA is working with other agencies \nand key nongovernmental organizations such as the Biometrics \nConsortium to develop worldwide standards. These standards will \nbecome part of the GSA specifications.\n    The GSA Federal Technology Service is also leading the E-\nAuthentication E-Gov initiative. 
Under this initiative, GSA is \nleading the Federal Identity Credentialing Committee, which \nwill define the policies for issuance and management of \nidentity credentials that encompass both physical access to \nbuildings and logical access to systems.\n    By implementing standardized credentials across the Federal \nGovernment, individual access control can be streamlined. \nGovernment cost savings can be achieved through \nstandardization, shared services and consolidated purchasing.\n    In conclusion, Mr. Chairman, I am pleased to say that GSA \nhas been instrumental in the development of the Federal \nGovernment's Smart Card Program and in its use of biometric \ntechnology. Thank you again for this opportunity to appear \nbefore this committee today, and I'll be happy to answer any \nquestions you or the committee members may have. Thank you.\n    Mr. Putnam. Thank you, Ms. Bates. We appreciate that.\n    [The prepared statement of Ms. Bates follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3034.023\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.024\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.025\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.026\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.027\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.028\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.029\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.030\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.031\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.032\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.033\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.034\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.035\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.036\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.037\n    \n    Mr. Putnam. Our third witness is Mr. Kenneth Scheflen. Mr. \nScheflen is the director of the Defense Manpower Data Center \n[DMDC], a position he has held since 1977. In this position \nhe's involved in both the management and technical aspects of \nprograms which he supervises. 
Since 1998, DMDC has been the \nhost for the Common Access Card office, formerly the DOD Smart \nCard Technology Office, which is in the process of converting \nthe current military ID card to a smart card containing PKI \ncertificates needed to secure the DOD information technology \ninfrastructure and other applications. This project is widely \nregarded as the most advanced large-scale smart card program in \nthe world.\n    Welcome to the subcommittee.\n\n STATEMENT OF KENNETH C. SCHEFLEN, DIRECTOR, DEFENSE MANPOWER \n            DATA CENTER, U.S. DEPARTMENT OF DEFENSE\n\n    Mr. Scheflen. Mr. Chairman, good morning.\n    Thank you for all the kind words, those of you that \nmentioned the CAC this morning. We think it's a real success \nstory, one of the first and probably the world's largest \nrollout of over 3 million smart cards to date, a \nmultiapplication smart card which incorporates the use of \nbiometrics in its issuance process.\n    The CAC is an identity-management, identity-assurance tool. \nIt was done relatively quickly, 6 months from approval until it \nentered beta testing, largely because it was based on standards \nand best-commercial-practices. The speed and approach is not at \nall that typical of the way DOD does IT systems. DOD depended \non other government organizations like NIST and GSA for help in \nestablishing standards and evaluating products against these \nstandards.\n    The fielding of the CAC, infrastructure to use it and the \nPKI credentials it carries is a large and costly enterprise. \nDOD is fortunate to have the resources to be able to do it. 
The \nCAC probably would not have happened without the decision by \nthe Department to field PKI throughout the Department, the need \nto find a token and an infrastructure to issue PKI tokens.\n    Essentially, PKI became the killer application for \njustifying the economic case for smart cards, and I think \nwithout that we probably could not have made the economic \njustification.\n    The CAC is designed to be a multi-technology, multi-\napplication product. The hope is that we can move people away \nfrom the notion that visual inspection of any ID card is \nsufficient security, and I would note the Washington Post \narticle this morning quoting the GAO investigation of the ease \nof counterfeiting driver's licenses and then using those as \nbreeder documents to get other things. We have to quit doing \nthat.\n    We plan to continue to evolve and to improve both the CAC \nitself, the information it carries on it, the security of its \nissuance process and the use of its capabilities to take \nadvantage of new technologies and continuously improve the \nsecurity posture of the Department.\n    Thank you, Mr. Chairman.\n    Mr. Putnam. Thank you very much, Mr. Scheflen.\n    [The prepared statement of Mr. Scheflen follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3034.038\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.039\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.040\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.041\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.042\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.043\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.044\n    \n    Mr. Putnam. Finally, we have Mr. Ben Wu. Mr. Wu is Deputy \nUnder Secretary for Technology at the U.S. Department of \nCommerce. 
In this capacity he supervises policy development, \ndirection and management at the Technology Administration, a \nbureau of over 4,000 employees that includes the Office of \nTechnology Policy, the National Institute of Standards and \nTechnology and the National Technical Information Service.\n    Welcome to the subcommittee.\n\n STATEMENT OF BENJAMIN WU, DEPUTY UNDER SECRETARY OF COMMERCE \n          FOR TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE\n\n    Mr. Wu. Thank you, Mr. Chairman.\n    As you mentioned, as the Deputy Under Secretary of Commerce \nfor the Technology Administration, I do assist in the direct \noversight of the National Institute of Standards and Technology \n[NIST]. While NIST is one of the crown jewels of our Nation's \nFederal laboratory system as our Nation's oldest Federal \nlaboratory, it is also at times one of our true hidden gems, \ndespite the significant research expertise of its world-class \nscientists, including two Nobel Prize winners. So I appreciate \nthe subcommittee's recognition of NIST's vast technical \nportfolio and its service to our Nation and the opportunity to \nappear before you today to review NIST's work in smart card and \nbiometric technology.\n    Mr. Chairman, in these times of heightened national \nsecurity, I applaud the work of this subcommittee to bring \nintergovernmental solutions to measures that can protect our \nhomeland security. The Commerce Department shares this \nsubcommittee's focus. Post September 11, Secretary Evans has \ncommitted the Department's resources to assist in the \nadministration's homeland security efforts; and, as a result, \nNIST has been engaged in a number of critical issues, from \nfirst responder communications to chemical, biological, nuclear \ndetection to encryption standards as well as the implementation \nof smart cards within the Federal Government.\n    NIST's smart card program dates back to 1988. 
Recognizing \nthe potential for smart cards to improve the security of \nFederal IT systems in our national information infrastructure, \nNIST chose to invest significant research in smart card \ntechnology at an early stage, and as a result NIST has been on \nthe cutting front of many of the early innovations that have \nbeen integral to the development of modern smart cards. These \ninclude a generic authentication interface for smart cards, the \nfirst smart cards to implement the data encryption algorithm \nand the digital signature algorithm and the first \nreprogrammable smart card.\n    In my time with you this morning, I'd like to review NIST's \nwork on smart card interoperability, standardization, \nconformance testing and further research and development.\n    Many Federal agencies have a longstanding interest in smart \ncard technology, as you've heard. Since smart cards are capable \nof cryptographic functions, they can perform important security \nfunctions such as securely storing digital signatures, holding \npublic key credentials and authenticating a claimed identity \nbased on biometric data. So smart cards can be a crucial \nelement in a range of current and future critical applications \nsuch as PKI, transportation worker identity cards, DOD's CAC, \nelectronic travel documents and a whole host of others.\n    However, large-scale deployment of smart cards has proven \nchallenging. Agencies have found it difficult to deploy large-\nscale smart card systems due to a lack of interoperability \namong different types of smart cards. Without assurances of \ninteroperability, agencies would be locked into a single \nvendor, and that is why NIST has been working so closely with \nindustry and other government agencies to provide \ninteroperability specifications, guidelines for an open and \nstandard method for using the smart cards.\n    This issue of interoperability is crucial and has to be \naddressed before any additional investment can be made. 
Yet, \nhistorically, the smart cards have been driven by requirements \narising from specific industry applications in certain domains \nsuch as banking, telecommunications and health care, and that \nhas led to a development of smart cards that are customized to \nthose specific domains with little interoperability between \nthose domains. These vertically structured smart card systems \nare expensive, difficult to maintain and often based on \nproprietary technology.\n    So when GSA created a contract vehicle and a program to \nprocure interoperable smart card systems and services from the \nFederal sector, NIST took on the task of leading the technical \ndevelopment of a smart card interoperability framework, and \nthis framework was designed to address the interoperability \nproblems preventing governmentwide deployment of smart card \ntechnology and was ultimately incorporated into the smart card \naccess common ID contract which GSA operated.\n    After additional work to address the Federal customer needs \nidentified, NIST published two versions of the Government's \nSmart Card Interoperability Specification [GSC-IS], one in June \n2002 and the other most recently in July 2003, and both \nstandards can be found on www.smartcard.NIST.gov.\n    GSC-IS has been well received and is making a significant \nimpact. In fact, many Federal agencies are moving forward with \nplans to deploy large numbers of GSC-compliant systems. For \nexample, DOD has incorporated the GSC-IS in its CAC, \nrepresenting millions of cards, and it will be effective in \nearly 2004.\n    Additionally, NIST responded to the January 2003 GAO \nreport by examining issues associated with the definition of a \nmulti-technology card platform. 
These technologies include \nsmart card integrated circuits, optical stripe media, bar \ncodes, magnetic stripes, photographs and holograms.\n    As a first step, NIST hosted a workshop on multitechnology \ncard issues in July 2003, and brought in a number of the \nstakeholders in industry. This workshop focused on \nrequirements, issues in Federal Government activities \nassociated with multitechnology cards; and, more specifically, \nit examined technical and business issues, existing voluntary \nstandards, consensus problems, multitechnology integration \nissues and industry capabilities in the field of \nISO-compliant storage and processor card technologies.\n    Based on this workshop and its followup, NIST is producing \na technical report that will identify integration \ninteroperability research topics, identify gaps in standards \ncoverage and also identify multitechnology composition issues; \nand we expect that this report will be available for public \ncomment in October 2003.\n    Then, in July 2003, we also published the most up-to-date \nGSC-IS, which is known as version 2.1, which I want to tell you \na little bit about. This document addresses some of the GAO \nrecommendations by incorporating support for biometrics, \ncontactless smart card technologies and public key \ninfrastructure.\n    As you know, there is keen interest in the convergence of \nbiometrics and smart cards, and NIST has also been working with \nindustry to move forward the standards on an international \nfront, too, working with ANSI and the international standards \norganizations to try to make the GSC-IS an international \nstandard, and I'm pleased to say that a lot of progress has \nbeen made on that front.\n    Let me also just conclude by touching upon conformance \nassessment and further research and development needs. 
\nConformance testing programs are important so that we can give \nassurances to the customers and users that we have a smart card \nthat works well and can conduct business in the way that it's \nsupposed to be advertised; and NIST conformance test engineers \nand reprogrammers are developing test criteria, building a \nsuite of conformance standards and test tools so that we can \ndo just that. In addition, in looking at some of the smart \ncard research and development work that needs to be done, this \nsubcommittee is well aware that smart cards and associated \ntechnologies hold great promise for meeting many important \nneeds, and we need to, as has been stated by GAO, make sure \nthat there are strong commitments for research and development \nas well as providing good framework, best practices tools, as \nwell as an educational program that will help with the \nacceptance and the furtherance of this industry in building it \nup.\n    So there's a lot of important issues that remain up front. \nThe Department of Commerce is committed in building this \nindustry forward and working with our Federal agency partners \nto make sure the needs are met.\n    Thank you very much, Mr. Chairman.\n    Mr. Putnam. Thank you very much, Mr. Wu.\n    [The prepared statement of Mr. Wu follows:]\n\n    [GRAPHICS OMITTED: TIFF pages T3034.045 through T3034.049]\n    \n    Mr. Putnam. Mr. Willemssen, who at the end of the day is in \ncharge of the Federal vision for smart card technology? Is it \nOMB?\n    Mr. Willemssen. From a policy perspective, it is OMB. 
\nHistorically, OMB has relied heavily on GSA to carry out much \nof that policy, but I would say OMB reiterated its pre-eminence \nas the policymaker with their July 3rd memorandum which \nestablished a framework for future policy in the smart card \narena.\n    Mr. Putnam. Is the goal to have discrete smart card \ntechnologies for each agency or a limited number, perhaps one \nfor defense, one for nondefense or one for a particular \nclearance?\n    Mr. Willemssen. I would say the goal is to become, all \nother factors being equal, as standardized as possible.\n    Picking up on what Mr. Wu said, to the extent that we can \ncontinue updating the interoperability standard and getting \neveryone to fall in line with that standard, the much more \nefficiently we can do business smart card-wise across the \nFederal Government.\n    I also think that the Department of Defense's project, CAC, \nsince it is so massive, really provides maybe the best \nlaboratory from a lessons-learned perspective and \nimplementation-challenges perspective on how the Federal \nGovernment can go forward from this point at additional \nagencies.\n    Mr. Putnam. But currently agencies have the discretion to \nmove forward with their own smart card technology and Mr. Wu's \noutfit is playing catch-up to develop interoperability?\n    Mr. Willemssen. I would say generally yes, but at the same \ntime one of the aspects of Mr. Forman's July 3rd memo stated \nthat agencies should not be going about acquiring separate \ntechnologies without consultation with applicable committees. \nWe would be supportive of that--of not going forward and \nessentially introducing additional stovepipes into the process.\n    Mr. Putnam. Well, how many stovepipes are there now?\n    Mr. Willemssen. I believe when we did our report earlier \nthis year we had identified about 62 different projects at 18 \ndifferent agencies.\n    Mr. Putnam. So just averaging out, three per agency?\n    Mr. Willemssen. 
Keeping in mind that the size of each of \nthose projects varied dramatically all the way from CAC, which \nis very large. In addition, Transportation Security \nAdministration has very massive plans on the drawing board to \ngive cards to up to 15 million transportation workers. By \ncontrast, some other projects are just in the pilot phase on a \nmuch smaller scale.\n    Mr. Putnam. Everybody has their own rodeo, everybody is \nrunning their own circus, and we're tearing down stovepipes on \none side of the government and building them right back up on \nthe other.\n    Mr. Willemssen. But I think to be fair to the executive \nbranch, I think there's a recognition of that and an attempt to \ntry to limit that from this point forward. But I agree with you \nin terms of the comment you just made about stovepipes.\n    Mr. Putnam. Is it technically feasible to have one card \nthat meets all the needs of every government employee?\n    Mr. Willemssen. Technically, yes. Managerially and \npolicywise, probably not.\n    It would probably be very difficult to standardize from a \npolicy and management perspective that you could have one card \nthat meets all the needs of all employees at all different \nsecurity levels. Different security levels will require \ndifferent techniques to protect data and assets. \nTechnologically, sure, it could be done but, realistically, \nprobably wouldn't. But I do think we need to standardize on \nfewer; and, again, linking up to what Mr. Wu said, the work \nthat NIST has done on the interoperability standard can't be \nunderestimated. That's the direction that the Federal \nGovernment needs to go.\n    Mr. Putnam. Mr. Wu, 10 years ago at the University of \nFlorida there were 50,000 students. One smart card would give \nyou access to the dorm, access to the computer lab, allow you \nto pay tuition, allow you to buy a pizza, allow you to debit \nyour book costs, and allow you to use the ATM. 
A decade later \nwhy aren't we further along in the Federal Government's ability \nto deploy smart card technologies that are interoperable?\n    Mr. Wu. Well, Mr. Chairman, I think that if you were to use \nthe University of Florida in an FSU analogy, you know, the \nFederal Government is so large. That smart card wouldn't work \nin Tallahassee that would work in Gainesville. That is the \nproblem we're facing right now, is that we see that each of the \nagencies, each of the subagencies are purchasing smart card \ntechnologies and moving forward along, and they're using \napplications that are right for their particular mission and \npurposes.\n    However, if we're trying to have all of the schools in \nFlorida, say, or all of the agencies in the Federal Government \ntry to talk to each other and be able to use one card in all of \nits systems, then we need to have interoperability. We need to \nhave a standard that is adopted by industry so that we can \ncreate a market out there. We need to have industry agree on \nthis specification, and we also need to be able to build it out \non an international front so that we can develop a strong U.S. \nsmart card technology market, and then we can be able to get \nall the accrual benefits for foreign markets and trade. If we \ncan do it on our own shores, then move it to Asia, Europe and \nothers.\n    So NIST is trying to do that, working with ANSI at the \nAmerican National Standards Institute and trying to move the \nGSC-IS standard to an international fora and have it adopted \nwithin the international standards organization system. And if \nwe can do that, then I think ultimately you will be able to see \none smart card utilized throughout much of the United States \nbut perhaps throughout the whole world, and we would have U.S. \ncompanies, U.S. industry leading that charge. And that's our \ngoal.\n    Mr. Putnam. How smart do these cards need to be? 
I mean, \nhas anybody really identified what the technical needs are? At \nwhat point do we determine that it has reached the level where \nit can be deployed, knowing that the technology will be \nchanging on a very rapid basis? But has anybody defined what \nthe needs are for a Federal Governmentwide smart card \ntechnology?\n    Mr. Wu. Well, in a sense, if you have a multitechnology \nplatform, the sky can be the limit, if you can have the \nphotographs, the holograms, fingerprints, other data built into \nthat platform.\n    So, once again, I think it comes down to developing a \nspecification, a good standard that industry can then take and \napply as many smart items or multitechnology items onto that \ncard.\n    Mr. Putnam. Well, I don't know that really answered the \nquestion. I mean, we buy computers every day knowing that the \nnext day they're obsolete to a degree, that we could have \nbought something bigger and better and faster and more \nproductive; but at some point you have to draw the line and say \nthis is adequate for our needs today, recognizing that the \ntechnology will continuously change.\n    But is the primary purpose of governmentwide smart card \ntechnology identity authentication, access control, efficiency \nso that purchases and financial services and E-travel can be \nconsolidated onto one identification? What are we trying to \naccomplish? What's it going to cost us and what's it going to \nsave us and at the end of the day what will we have achieved by \ndeploying this technology that all of you are here to discuss?\n    Mr. Willemssen. I would say, Mr. Chairman, in a post \nSeptember 11th environment, the primary purpose of smart cards \nis identity authentication, both from the standpoint of \nphysical access to facilities and access to systems. 
There can \nbe other purposes, but I think in today's environment that's \nthe primary goal, is ensuring that you know that person is who \nthey say they are, including thinking in detail about the \nprocess of when you give that individual their initial smart \ncard, how are you going to ensure that, again, they are who \nthey say they are.\n    Mr. Putnam. OK. Mr. Wu.\n    Mr. Wu. Thank you.\n    Mr. Chairman, you raise an excellent question, and NIST has \nbeen grappling with that issue actually as everybody in the \nFederal policymaking sector has been grappling with that issue \nin relation to border security and the requirements under the \nUSA Patriot Act. I think ultimately that question you raised is \none that needs to be decided in conjunction with congressional \nand executive branch officials as to how far or how much you \nwant on that smart card. With the border security issue, the \nUSA Patriot Act--it requires a number of Federal agencies, \nspecifically FBI, INS and State, to make sure that we have the \nstrongest possible measures for people coming into and leaving \nthe country.\n    There have been a number of tasks placed upon NIST to try \nto help create technical benefits that will allow for us to \nhave stronger border patrol, and there have been a number of \nbiometric opportunities with fingerprints, facial recognition, \nyou know, iris retina scan and others that have been thrown \ninto the mix. NIST recommended that we have a dual system of \nfingerprinting and facial recognition, but ultimately I think \nthat decision is a public policy decision which Congress as \nwell as the executive branch needs to come to a determination \non.\n    Mr. Putnam. Can we replace the rubber stamp and ink pad and \npaper passport with a smart card?\n    Mr. Wu. 
Well, that's ultimately the intention, to have some \nsort of biometric or smart card device so that we can have \nintegrity and people coming into our borders who say they are \nsomebody, to make sure they are in fact that person.\n    Mr. Putnam. Is that technically feasible today?\n    Mr. Wu. It depends on--yes, it is. I mean, there are a \nnumber of biometric identifiers which could be done, \nfingerprints, facial recognition, iris scan, gait, even voice, \nbut the question is how much we can afford to do, what is \nfeasible and what isn't too technically complicated in order to \nget the job done? You need to determine what you need to--or \nwhat you want out of this technology, and then we can build the \ntechnology and new research onto that.\n    Mr. Putnam. But it sounds like the technology is already \nthere.\n    Mr. Wu. The technology is there. It's a matter of trying to \nincorporate it all in, and that's why I think the \nmultitechnology platform and the standardization issue is so \nimportant.\n    Mr. Putnam. I'm just not sure what we're waiting on. I \ndon't hear what magic technology we're waiting on to be \ndeveloped before we can deploy this. We have the ability to do \nit now. What are we waiting on? What's the next step?\n    And if we're waiting for foolproof--one of the witnesses \nsaid that smart cards are not foolproof. Well, paper passports \ncertainly aren't foolproof; and as long as the technology is \nmoving forward to design these systems, there will be a \ntechnology moving forward to fake those systems. And that's \njust life. So let's move on.\n    Mr. Willemssen, in GAO's testimony, you said DOD has spent \nover $700 million to have digital certificates on smart cards, \nbut they can't be used because no funding was provided to \nenable DOD applications to accept the certificates. Is that \ncorrect?\n    Mr. Willemssen. That was an issue at the time we did our \nreview, yes, sir. Mr. 
Scheflen may have updated information \nthat they have gotten that funding at this point.\n    Mr. Putnam. Mr. Scheflen.\n    Mr. Scheflen. Well, I can't address the question in terms \nof where the money is. I don't believe that there is a problem \nin DOD with funds to smart card enable or PKI enable \napplications.\n    I have to be a little bit cautious because there's not one \nbig pot of money somewhere that somebody is sitting on and \ndoling out. There are different pots of money, and different \nparts of the organization have the responsibility for doing it. \nIn this particular case the applications enabling side is the \nresponsibility for funding and accomplishing on the individual \nservices in the military departments.\n    The issuance of the cards and the digital certificates is \nmore centrally funded and some in my budget and some in NSA and \nDefense Information Systems Agency. I don't believe that the \nservices would be spending the money they have spent to install \nsmart card readers on all of their computers and software at \nevery desktop if they were not going forward with the \napplications enabling expenditures as well. The best example is \nprobably NMCI, the Navy's rollout of their desktop systems \nwhere they from the beginning planned for smart cards to be \nused for cryptographic log-on to those systems.\n    I'm not aware there is anybody at DOD saying I don't have \nthe money to do the implementation so that we can actually use \nthe product, but I will take the question for the record, Mr. \nChairman, if you'd like more information.\n    Mr. Putnam. I would. I would. Thank you.\n    July's OMB memo recognized that we've recreated a bunch of \nstovepipes. Somebody was kind of slow to pick up on that, I \nwould assume. We've got 60 plus systems already out there; \nshouldn't we recommend everybody really ought to stop trying to \ndevelop their own systems? I assume we're waiting on NIST. Is \nthat fair?\n    Mr. Willemssen. 
NIST has made progress. Actually, I think \none of the big items to be waiting on right now is establishing \na governmentwide employee credentialing policy which I believe \nis the focus of the committee that Commissioner Bates \nmentioned. That's really one of the key next steps.\n    Again, keeping in mind that if our primary purpose is to \nauthenticate individuals and we want to move to a more \nstandardized environment technologically then we need to move \nto more of a standardized policy on how Federal employees are \ngoing to be credentialed and focus on how that process is going \nto work; and once you set that policy, then the technology and \nthe standards can follow, but you can't do them in reverse. \nOtherwise, you again run the risk of stovepiping.\n    The other thing I would mention is I think it will be \ninstructive for the rest of the Federal Government to look at \nthe experience of DOD with CAC, because that is by far the most \nmassive effort. They've had some successes. I'm sure they've \nhad some challenges, too, and to the extent that we can learn \nfrom that and not repeat any of the challenges, so to speak, I \nthink that would be very beneficial.\n    Mr. Putnam. Mr. Willemssen, you said that different \nsecurity policies within the agencies cause problems for \nimplementation. Is that information security or physical \nsecurity policies that differ?\n    Mr. Willemssen. Well, an example would be, historically, \nphysical security organizations within Federal agencies like to \nrely on ID cards, and they like to see those ID cards, look at \nthem, these days maybe touch them to make sure they're \nauthentic. Again, I'm generalizing here, but many of those \norganizations are probably less likely and less culturally \naccepting of a smart card device. 
They're not used to that, and \nI'm sure that's an issue at the Department of Defense where you \nhave a smart card that can both be used for physical access and \naccess to computer systems. You may find a situation that many \nof the guards over at the Department of Defense still want this \nother card to identify the individuals rather than a smart \ncard, and I think that can still be an issue at many agencies \nwho run into those kinds of barriers.\n    The other thing I would point out is, just from a security \nlevel perspective, depending on the value and the sensitivity \nof the data and assets, you're going to have to vary the level \nof controls you're going to put in the card, as simple as, are \nwe going to require biometrics for this given individual given \nwhat access they have, or is simply a password and a smart card \nwithout biometrics good enough? It depends on the value of the \ndata, and the higher the value of that data, the more controls \nyou'll have to put in place on the card.\n    Mr. Putnam. Today, what is the typical life of a card? What \nis the useful life of a given card before we would have to \nupdate them?\n    Mr. Scheflen. Our life is 3 years, and that is not tied to \nhow long the card could last but to the lifetime of the digital \ncertificates that are contained on the card.\n    Normally, in DOD the ID cards that the military members get \nare tied to a number of things. One of them is their term of \nenlistment. Another may be the rank. There's a natural turnover \nof cards and it was 3 or 4 years with the existing cards before \nwe had smart cards. Going to a fixed 3-year limit because of \nthe lapsing of the digital certificates didn't reflect that \nmuch of a change.\n    The good thing about it is that it allows a natural ability \nto introduce new technology on a gradual basis. You don't have \nto say ``we're going to stop today and recall all the cards.'' 
We \ncan phase them in over a period as the cards naturally expire \nor as people come and go. We have 3,000 or 4,000 people coming \nand going just on the uniform side, so it's a fair number.\n    If I might add a couple of comments to Mr. Willemssen's--\nyes, I think he has the physical security material down and \nabout right. We clearly experience those same kinds of problems \nin DOD. The physical security community is much more \ncomfortable with badges that are locally issued which they \nrecognize and look at. It is a continuing issue for us to try \nto get away from the notion that looking at something provides \nsecurity, which in my opinion, it doesn't today.\n    Another common misunderstanding by a lot of people inside \nthe Department is that the issuance of a CAC card with all the \nvarious credentials it has on it somehow conveys some \nprivileges, but in truth it doesn't. The privileges to enter a \nbuilding, to log onto a computer, or to get on an airplane or \nwhatever are still authorized by those that are in charge of \ngranting those privileges. The same thing happens with the \nnotion of an ID card that would be a DOD card that could be \naccepted for entry into the State Department.\n    The holding of a card itself doesn't necessarily authorize \nme to go anywhere. What would presumably happen is someone at \nthe State Department would say, I'm coming to visit, and they \nwould put me in the system. When I arrive there they would \nauthenticate me against my card and say, yes, let him in the \nbuilding. The same thing with computers. The systems \nadministrator needs to establish an account and say, yes, I \nhave the ability to log on to that system and I use my card to \nauthenticate who I am when I log on in the morning.\n    The other thing that has happened a little bit and this is \nsort of where smart cards have come from and as far as where I \nthink they're going. 
I used to be one of those guys that \ncarried around a piece of paper that said things you can do \nwith a smart card, and it was scrape snow off your windshields, \nscrape mud off your boot, and try to open a door with it. The \npoint of that is while we certainly had smart cards out there \nand they were not all that expensive to buy, if you didn't \nbuild the infrastructure to use them, you really didn't have a \nproduct that was worth much, and so the infrastructure costs \nand the enabling technologies are the ones that are the hard \npart to do because you must make a change in the way people do \nbusiness and in their business processes.\n    When we first started dealing in this business, the reason \npeople wanted smart cards was to carry data on them, and they \nwanted to carry data because we had a lot of systems that were \nnot interoperable within the Department. A good example was the \nArmy's levelization processing; they used the card to carry on \nit when was your last dental exam, had you done a will, and had \nyou had certain shots. The reason they did that is because all \nof those things were in computers, but they were in computers \nin different places on the base that didn't talk to each other. \nPutting that data on a card and being able to put the card in \nthere gave the commander a quick picture of what this guy \nneeded to do in order to be able to deploy. I would refer to \nthat as a datacentric approach to smart cards.\n    What has happened over the last 5 or 6 years is people have \nbegun rethinking the way they do business, particularly in the \nDepartment as we've modernized our business processes. We're \ntrying to get away from going to an office to fill out a form \nor to change tax withholding information and trying to make \nthose things Web-enabled type of applications. 
If you're going \nto do Web-enabled business, you need to have something that \nauthenticates you to the Web and allows you to digitally sign \nan action that is important like a tax withholding form or \nsomething like that.\n    A lot of the interest in the use of cards, particularly \nwithin DOD, has moved away from carrying a large amount of data \naround to more being an authenticator to systems that are now \nWeb enabled and allow you to do business processes in a much \nmore efficient way which will do away with the need to walk to \nan office and fill out a form.\n    Mr. Putnam. I think that you've outlined very eloquently \nwhere we're headed, which is that the technology is there today \nto have a miniature smart card replace the dog tag which could \nbe swiped on the battlefield to let somebody know what their \nblood type is, that they're allergic to penicillin, that they \nreceived certain wounds at a different time or that they're \ndiabetic. It would also enable them to access their computer \nwhen they're not on the battlefield or get into the \ninstallation. Is that not the case?\n    Mr. Scheflen. I think that with the exception of the \nmedical stuff, the real question is, when you're looking at \nwhat happens on a battlefield, is it realistic, to pull \nsomebody's smart card out of his uniform and put it in a reader \nto check blood type? In fact, that is not the way they do that \nkind of medicine at the frontline. People are triaged and \nevacuated back to rear echelons. Generally, if that happens \nquickly enough, by the time they get back they have \nconnectivity back to the main data bases.\n    I'm not sure of the medical one and the medical people are \none of the communities within DOD which have the potential for \nlarge amounts of storage requirements. They have been refining \nit over a period of years, and we still don't really have a \ncomplete version of what the medical folks would like to \ninstall on the card. 
It's largely been defined as sometimes \npeople are--they're deployed in Iraq and they're away from all \nthe systems that would normally keep track of what \nimmunizations they have. The card might be a temporary carrier \nof information on treatment until they get back into, you know, \nthe communications end where that information will be uploaded \nback to the rest of their automated medical records.\n    By and large, you have it right. We see it as a device that \nwill be used to swipe, to manifest an airplane, to go through \nfood services, to change your allotments remotely. If you think \nabout it, to a certain extent, it's almost like it's e-commerce \nwithin the Defense Department. We don't do a lot of government-\nto-citizen transactions, because most of the people are somehow \ncaptive to us. But most of the other departments think of it as \ngovernment-to-citizen and to a certain extent our citizens are \nthe military members, the retirees, and their dependents. What \nwe're trying to do is give them a way of doing e-business with \nthe Defense Department.\n    Mr. Putnam. OK. Well, let's take it from a different side. \nIf you disregard or if you set aside the datacentric approach, \nand you focus on the access, this is not just DOD, it is \ngovernmentwide, you can go to a Super 8 Motel and get a card \nthat lets you in room 208, but not 210. It lets you charge your \nlunch downstairs, it lets you bill a minibar to your specific \naccount, and at midnight, the day you're supposed to check out, \nor 11 a.m., it's worthless. And you could leave it in the room, \nyou could throw it on the ground, you could hand it to someone \non the sidewalk, and it's of no value to that person. And that's \na very smart technology.\n    So what is our impediment to employ smart cards if our \nfocus, as has largely been stated here, is access control for \nphysical security and access control for information security? 
\nWhy don't we have something that works for frontline special \nsecurity administration workers all around this country, of \nForest Service firefighters or people who work in Federal \nbuildings all around this country who don't have particularly \ncomplicated security clearances? They're really just interested \nin whether they have any business being in that particular \nbuilding or accessing a particular file of a particular \ntaxpayer who's coming in. Why is this so difficult?\n    Ms. Bates. Mr. Chairman, I certainly can't address why is \nit necessarily so difficult, but I think that you've identified \nthat the technology is there. So we're not necessarily talking \nabout the technology problem, as great strides have been made \nin interoperability and standards.\n    As my colleague also mentioned, we're now talking about \nculture change, and there are some barriers. There are those \nthat say that the culture change or the change process should \nbe well along before the technology is introduced, because the \ntechnology cannot change the culture by itself. Whether it be a \ncommon access into buildings where--as he spoke about the \nguards, perhaps prefer something else, or getting all agencies \nto agree that these are the minimum set of criteria we will all \nrecognize to be on a card for building access. I've experienced \ngoing to cities where a different ID card for building access \nis required for each building. So an agency that occupies \nseveral buildings within a city will not even have the same ID \ncard that looks the same.\n    Certainly the technology's there, but there are costs \nassociated with the technology which need to be budgeted and \nplanned for, but it is a gaining acceptance, and, as stated in \nthe GAO report in your opening comments, getting top management \nsupport to say, OK, we're going to do this, and making it a \npriority, it's a difficult task.\n    Mr. Putnam. 
You're the chairman of that committee, right, \nthe Federal Identity?\n    Ms. Bates. It's my organization. We have the chair of the \ne-Governorship, e-authentication, and are working on the \nFederal Credentialing Committee, yes.\n    Mr. Putnam. You seem like a very determined woman. I have \nno doubt that you will get these cultures changed. It's absurd. \nThis is totally absurd. We hear that all of you are in \nagreement that the technology exists to do this, and all of you \nare in agreement, I think, that culture is the biggest \nimpediment. And so we have these agencies with different cards, \ndifferent access, within the same city, and different mindsets \nwhere we can't stand to just see, touch and feel that plastic \ncard that's dangling from everyone's neck.\n    So there's a hearing on funding, a hearing on the \ntechnology of emerging biometrics and smart-card technology. \nAll of that is really just an academic exercise is what I'm \nhearing, because it doesn't matter. The secretaries, they've \ngot other things to worry about, the assistant secretaries, the \ndeputy under assistant secretary to the deputy underling, they \nhave other things to do, and so this is all for naught. That's \nreally what I'm hearing.\n    Let me throw something else out: The access control, the \nidentity authentication for facilities, is one of the purposes \nbehind this push for smart-card technology. The second major \npush, as I understand it, and correct me if I'm wrong, is \naccess to computers.\n    Now, the Navy has 67 different payroll systems, or whatever \nit is that we've heard before, 10,000 legacy systems. Everybody \nbuys whatever flavor-of-the-month computer system that \nparticular office in that particular agency in that particular \ncity feels like meets their needs. 
So regardless of all of your \nhard work on standardizing interoperability of smart cards, \ndoes it really ever get off the ground until we have true \ninteroperability of the tens of thousands of systems that are \nin the Federal Government, or are we going to have to build the \naccess infrastructure for each one of these legacy systems so \nthat the smart card actually gets you into the program that you \nneed to get into? Can we do one without the other?\n    Mr. Wu.\n    Mr. Wu. Well, if that's your underlying goal is to be able \nto have somebody from the east coast tap onto a system that \ncontrols operations in the west coast, you do need to have some \nsort of interoperability of systems, and smart card will only \nget you the access as you pointed out. So, if that is your \nunderlying goal, then interoperability of systems, which is \nanother issue that NIST is working on as well, working with the \nIT industry, that is something that needs to be looked at.\n    Mr. Scheflen. Mr. Chairman, I don't think that's quite as \ndire or as unpromising as maybe the picture you painted. \nBasically, if we look at where the smart card industry was 3 or \n4 years ago, it was the University of Florida model you \ndescribed. You had deployed campus systems that were really \nproprietary to a particular vendor. If you looked at that \nparticular system, you would find that the same vendor made the \nreaders, the cards, and ran the LAN information that tracked \neverything down. 
Right after September 11 we saw the vendors \nout there that did produce various systems to protect bases or \nfacilities have a field day trying to sell their systems to \neverybody that felt they had need to protect it, and, of \ncourse, had that gone forward, we would have ended up with \nsystems that were completely proprietary to every base or \nbuilding.\n    What happened with the GSA contract and with the standards \nover 3 years, we basically said to the industry, we're not \ngoing to play that game anymore. It would be the equivalent of \nyou saying, I need some floppies for my computer, and going to \nthe computer store and saying, what kind of floppy drive do you \nhave for your computer, because you need these cards or these \ncards or these cards, depending on which one you have or what \nkind of software you're running, so I can sell you a different \nproduct.\n    That's the way the industry was, and working with the GSA \nand NIST and lots of others in the government, we said we're \nnot going to play that game; that we're going to buy cards. \nWe're going to say we want a 64K card that has these \ncharacteristics, and, you know, we want to buy from the low \nbidder that meets the spec, not one that has a proprietary \nproblem, because we have those kinds of readers. We did the \nsame thing with readers, and we're trying to do the same thing \nwith middleware.\n    So what we've tried to do is change industry so that \nanybody who uses the products that are sold through the GSA \ncontracts and evaluated by NIST will really be interoperable, \nand I think that we are moving in that direction. We see far \nfewer of these closed proprietary systems that are \ncharacterized as the campus systems. That had been the only \nsuccess story of smart cards in the United States. It's not \nbeen a great story here. 
It's been more of a European success \nstory.\n    I think we are making progress, and I think that my \ncolleagues at GSA and NIST are a large reason why the \ngovernment is in a position to move forward now, and the things \nthat they implement will be interoperable.\n    Having said that, it's still hard to do. There are cultural \nissues, and guards like to look at cards rather than have you \nput them in a computer and authenticate with a fingerprint. We \nactually have systems in DOD, one of them goes by the acronym \nof BIDS, Biometric Identification System, that uses the cards \nthat we issue as ID credentials. At the gate, the cards are \nswiped, it prints up a photograph from the data base and also \ntells them whether the card is good. They can do a fingerprint \ncheck on a hand-held wireless device and authenticate who \nthey're letting into the bases.\n    These kinds of things are happening, the interoperability \nis there, and I think that the government is moving in the \nright direction. I think the biggest problem is some of the \nthings that they're thinking are so massive that they're almost \nunaffordable. If you say, we're going to give something to 30 \nmillion truck drivers, how do you do that and what kind of \nproducts do you use and----\n    Mr. Putnam. You do it every day with a driver's license. \nWhat's the marginal increase of cost to take today's driver's \nlicense, make it smart or add whatever component is necessary? \nWhat is the marginal cost of that on 30 million?\n    Mr. Scheflen. Well, the driver's license people will talk \nabout what it takes to do that. I think getting 50 States to \nagree is a problem, but the larger problem is the one my GAO \ncolleague talked about, which is how do you really know who you \nare giving a secure credential. I guess what I would look at is \nyou're saying, I've got a very secure credential, and I'm going \nto biometrically bind the identity of the person to whom I'm \ngiving it. 
Now, I've done that, and that's what we do in the \nDOD, but, without some assurance that the person who you have \nin front of you is really who he purports to be, and the \nproblem there is with the feeder documents that are often \ncounterfeited, to get various types of credentials, you may \ncreate a false sense of security, you know what I mean? We now \nhave very securely bound a phony identity to this type of \ndocument.\n    Mr. Putnam. The CAC card.\n    Mr. Scheflen. Yes, sir?\n    Mr. Putnam. Do you use it for computer access, or is it \nstrictly for facility access?\n    Mr. Scheflen. No, sir. I use it but it's not sitting in my \ncomputer at the moment because it's around my neck. When I get \nback to my office, I will put it in a reader on my computer, \nand it'll ask me to enter my PIN number, and it will then allow \nme to log onto the system. If I am away from or if I don't use \nthe system for about 5 minutes or 10 minutes, it'll go blank, \nand I'll have to reenter the PIN.\n    Because it's my ID card when I leave my office, I need to \ntake it out. That locks my system down; nobody else can use it. \nIt's really interesting. Most security computer people who have \ncome in and evaluated computer security say that the weakest \nlink is usually passwords; people give them to others, they \nwrite them down, they have them on their desk, and they often \nbreak systems doing that. This is an attempt to, not to \neliminate a password because you still have a password in a \nsense because you have a PIN, but you really require two \nthings: you require the PIN and the----\n    Mr. Putnam. If a plane crashes into your office in the \nPentagon, can you put that card in another Defense computer and \naccess all of the information?\n    Mr. Scheflen. The answer to that, that's a theoretical yes. \nDepends on a lot of things.\n    Yes, other card readers will accept my credential. 
\nObviously the system administrator for that particular system \nI'm on would have to authorize me to use it, and whether I \ncould access my computer or not would depend on whether we have \nremote access facilities set up. The answer to that, I think, \nis that it certainly is possible, and there are a lot of \ncompanies that are thinking about virtual offices, where they \ngo with a thin client, what's called a thin client type of \napproach, where most of the information is not stored on my \ndesktop, but on a server somewhere. And I can access that \nwherever I am by simply authenticating to that server, and \nthat's, I think, the kind of model you're talking about.\n    Mr. Putnam. That is. I mean, if you're at Pearl Harbor, and \nthen your next tour is in Germany----\n    Mr. Scheflen. Right.\n    Mr. Putnam [continuing]. How much effort is required to \nallow you access at your new posting on your new tour, and does \nit require a new card, does it just require a few keystrokes of \nupdating your current card? If you change billet and you go \nfrom naval public affairs to naval financial management, do you \nhave to get a new card? Does it require just a few keystrokes \nto allow you access to the new items that you are now allowed \nto view and shut down the items that are no longer appropriate \nfor you to access?\n    Other than getting in the front door and allowing us to \nhave a better connection between the person entering and who \nthey actually are with some biometric identifier, are we not \nshortchanging the potential of smart-card technology?\n    Mr. Scheflen. No. I think, if anything, the emphasis in \nDefense has probably been more on the IT side than it has been \non the getting in the front door side for a lot of the reasons \nthat GAO described, the cultural difficulties. It is really a \nlarge focus on the getting onto the systems and accessing Web \nsites where I do business. 
That is more the current usage of \nthe card than even physical access.\n    Now, keep in mind that in the case of DOD, this ID card \nalso is a Geneva Convention card that has to have certain \ninformation when people go into a war zone, that's different \nthan a physical access card. It is an ID card as well.\n    I think that, in answer to how much has to happen if you \nchange jobs, a little bit of that is the business process of \nthe components in terms of how they want to do that, but by and \nlarge unless you went from one component to the other because \nyour visual certificates would have to change, and if you're a \ncivilian and went to work for the Army and went to work for the \nNavy, for example, you would get a new ID card. If you changed \njobs within the Army, there wouldn't be a need to do that.\n    Mr. Putnam. Ms. Bates.\n    Mr. Scheflen. Well, military side is a little more complex, \nbut normally people don't change components. If you changed \nyour e-mail address because you could be reassigned--i.e., an \nArmy guy could be assigned to a defense agency where his PKI \ncredentials may need to be different, and so he would have to \ngo back but wouldn't necessarily need a new card. He could have \nnew certs put on the card.\n    Mr. Putnam. OK. Well, let's switch to the civilian side----\n    Mr. Scheflen. OK.\n    Mr. Putnam [continuing]. Because that would be a good lick, \ntoo, if we could just fix that.\n    Someone who lives outside of Washington, DC, works for one \nof the many agencies that accesses documents about private \ninformation about American citizens, with IRS, Social Security, \nHUD, Health and Human Services, generally stay there a while, \nlive in the same city, work in the same building, what are we \nreally trying to accomplish with the smart card, and what are \nthe barriers to the plan in that type of situation?\n    Ms. Bates. 
I can speak generally and not specifically about \neach agency because each agency may have their own program \ngoing, but----\n    Mr. Putnam. Well, but we'll change that, right?\n    Ms. Bates. Right. Right.\n    Mr. Putnam. We're not going to be able to say that much \nlonger, I hope.\n    Ms. Bates. And that'll be good. That'll be good.\n    I think given that we're not the Defense Department, and \nother agencies are independent, if we take it incrementally, \nperhaps in groups of steps, of you start with a common \nidentification card where your badge or your ID card, which is \npart of a smart card, that they are all alike or have common \nfields. This is what we're trying to implement--GSA is \nimplementing in New York City, which I referenced earlier; in \nthe three buildings with the tenant agencies, have agreed that \nthe badges look the same, and they are. Everybody entering \nthose buildings goes through the contact, the scanner, and you \nget that acceptance. You can begin to add other elements to \nthose cards, whether it's the computer system access or whether \nit is the purchase card or the other elements, but having it be \nagainst the same set of standards, an agreement that this is \nwhat all the cards are going to have, a minimum capability.\n    You can then--as Mr. Wu stated, have people who are in \nposition to say, OK, I, Sandra Bates, have authorized this, \nthis, and this; you have to have that, but at least you have \nthe common card. That would lead to some group purchasing where \nyou can say, OK, we're going to do X amount, we're going to \npurchase the cards and the readers in bulk, and leverage the \ngovernment's buying power. That would achieve savings and also \ngive some central oversight against a set of companies that \nhave been predetermined. 
If you have the top down support and \nthen the methodology outlined to implement, you can move \nforward, but you do it incrementally.\n    I think that each agency will always have some unique \nrequirements, and that's OK, but they should be able to be \naccommodated. If we could establish a base line, for example to \nget into certain types of buildings let's say, everybody has to \ndo X, and you agree on it--here again I'm not talking about a \ntechnology problem. It is a management and implementation \nissue, one that certainly could be resolved, and I think that \nif we had a governmentwide policy that said this is what we're \ngoing to do, and then we leverage the government's buying power \nand implement, whether it be across all Federal buildings or \nFederal installations.\n    The other area that would be addressed in all of this, and \nI think we've alluded to it, and I've said it outside this \nroom, culture. The people who are doing IT security are very \nwell attuned today about cybersecurity and generally have a \ntechnical background. They are the keepers, and the users have \nbeen indoctrinated so that they understand they need security.\n    On the physical access side, it's a different group of \npeople. It's managed separately, and the expectations are \ndifferent on the part of the people who manage it and on the \npart of people of what is required to come into a building. The \nsame person can have different expectations to their computer \nsecurity versus their physical security, but I think we need to \npull that together and manage it as one. And we've had that--\nthose are the things as we move toward success.\n    Maybe you would still be frustrated as to say this is not \nmoving fast enough, but an initiative that allowed for an \nincremental approach where you moved quickly incrementally \nrather than one big, you know, throw the Hail Mary pass, I \nthink government responds better to incremental approaches.\n    Mr. Putnam. 
Thank you all very much.\n    Mr. Willemssen.\n    Mr. Willemssen. I wanted to add something to an item you \nmentioned before, Mr. Chairman, and you had talked about all of \nus possibly agreeing that culture was the biggest impediment.\n    What I would say is that top management commitment and \nsustaining that commitment is the largest impediment, and \nconsistent with our prior recommendation, as I mentioned, OMB \ndid come out with that July memo laying out a policy framework.\n    I think the next step, in terms of your concern about \nwhat's holding us up, is looking at the Federal Identity and \nCredentialing Committee. They obviously have a mission now, and \nthat's to come up with a common policy for credentialing \nFederal employees. So how are they going to achieve that \nmission, and when are they going to do it? What are the tasks \nand milestones associated with that? And I think to the extent \nyou can get an answer to that question, then you're that much \ncloser to knowing when these barriers are going to be overcome.\n    Mr. Putnam. Thank you very much.\n    Mr. Wu, did you have a final comment?\n    Mr. Wu. As we conclude today's hearing, or at least this \npanel, I just wanted to note that you raised some very strong \nissues. And certainly the Federal Government has certain unique \nneeds and requirements, but as we move forward to try to seek \nsolutions and try to achieve the goals that you would like, I \nwould urge that you also include the industry voice, because as \nwe try to take into account this change in culture, we need to \nhave customer acceptance, customer confidence, and if we allow \nthe industry to do that as it promulgates itself \ninternationally and domestically, I think that'll be best, \nbecause trying to achieve a market-driven solution would be the \nultimate scenario that would be successful for all of us.\n    Mr. Putnam. Thank you all very much. We appreciate the \ncontributions of panel one. 
If you can, I'd encourage you to \nstay for panel two and listen to some of the private sector \ncomments, that industry voice Mr. Wu referred to. And, with \nthat, we will recess for about a minute and a half while panel \none dismisses itself and panel two is seated.\n    [Recess.]\n    Mr. Putnam. If you all are ready, I'll swear you all in.\n    [Witnesses sworn.]\n    Mr. Putnam. Note, for the record, all the witnesses \nresponded in the affirmative.\n    I'd like to welcome panel two of this hearing and \nappreciate your participation in this important topic. Our \nsecond panel of witnesses includes three distinguished \nindividuals. Mr. Keith Rhodes is our first witness. He joined \nthe General Accounting Office in 1991. He is currently the \nchief technologist at the Center for Technology and \nEngineering, where he has contributed to a variety of \ntechnically complex reports and testimony. Before holding this \nposition, Mr. Rhodes was the Technical Director in GAO's Office \nof the Chief Scientist for Computers and Telecommunications. As \nTechnical Director he provided assistance throughout GAO for \nissues relating to computer and telecom technology.\n    Welcome to the subcommittee. You're recognized for 5 \nminutes.\n\n    STATEMENT OF KEITH RHODES, CHIEF TECHNOLOGIST, GENERAL \n                       ACCOUNTING OFFICE\n\n    Mr. Rhodes. Thank you Mr. Chairman.\n    I have my statement which I would submit for the record. \nThank you.\n    Mr. Chairman and members of the subcommittee, I appreciate \nthe opportunity to participate in today's hearing on the use of \nsmart cards and biometrics in the Federal Government. A \nholistic security program includes three integral concepts: \nprotection, detection and reaction. To provide protection of \nassets, such as physical buildings, information systems at our \nnational border, a primary function is to control people into \nor out of protected areas. 
People are identified by three basic \nmeans: By something they know, something they have, or \nsomething they are.\n    As you've already heard, smart cards can have secure \nidentification documents, something that people have. \nBiometrics can automate the identification of people by one or \nmore of their distinct physical or behavioral characteristics, \nsomething that people are. The use of these technologies in \ncombination can help provide more security than the use of \nthese technologies in isolation.\n    Last year we completed a large body of work that assessed \nthe use of biometrics for border security. In that report we \ndiscussed the current maturity of several biometric \ntechnologies, the possible implementation of these technologies \nin current border control policies, and the policy \nconsiderations and key considerations of using these \ntechnologies. While we examined the use of biometrics in a \nspecific border control context, many of the issues that we \nidentified apply to the use of biometrics for any security \nsystem, which I will address in my remarks today.\n    Biometric technologies vary in complexity, capability and \nperformance. They are essentially pattern recognition devices \nthat use cameras and scanning devices to capture images and \nmeasurements of a person's characteristics and store them for \nfuture comparisons. The first step in a biometric system is \nenrollment, when a person first presents their biometric and an \nidentifier, and the system is trained to recognize that person. \nAfter enrollment biometric systems can be used to either verify \na person's identity, conducting a one-to-one match, or to \nidentify a person out of a data base, conducting a one-to-many \nmatch.\n    In my prepared statement we briefly discuss certain leading \nbiometric technologies, including fingerprint recognition, \nfacial recognition, iris recognition and hand geometry. 
Our \ntechnology assessment report provides more detail on each of \nthese. However, it's important to realize that no biometric \ntechnology is perfect. Even more mature technologies such as \nfingerprint recognition are not 100 percent accurate.\n    Systems sometimes falsely match an unauthorized person with \na legitimate biometric identity in a data base. Other times a \nsystem fails to make a match and rejects a legitimate person. \nThese error rates are inversely related and must be assessed in \ntandem. Acceptable risk levels must be balanced with the \ndisadvantages of inconvenience. Different applications can \ntolerate different levels of risk.\n    Also, not all people will be able to enroll in a biometric \nsystem; for example, the fingerprints of people who work \nextensively at manual labor are often too worn to be captured.\n    Better technology offerings can minimize these error rates, \nbut no product can completely eliminate these errors. These \nlimitations of biometric technology need to be considered in \nthe development of any security program using biometrics.\n    Biometric technology has been used in several Federal \napplications, including access control to buildings and \ncomputers, criminal identification, and border security. In the \nlast 2 years, laws have been passed that will require a more \nextensive use of biometric technologies in the Federal \nGovernment for border and transportation security. Biometric \ntechnologies are available today. They can be used in security \nsystems to help protect assets.\n    However, it is important to bear in mind that effective \nsecurity cannot be achieved by relying on technology alone. \nTechnology and people must work together as part of an overall \nsecurity process. Weaknesses in any of these areas diminish \nthe effectiveness of the security process. 
Poorly defined \nsecurity processes or insufficiently trained people can \ndiminish the effectiveness of any security technology.\n    We have found that three key considerations need to be \naddressed before a decision is made to design, develop, and \nimplement biometrics into a security system. One, decisions \nmust be made on how the technology will be used. Two, a \ndetailed cost-benefit analysis must be conducted to determine \nthat the benefits gained from a system outweigh the costs. \nThree, a tradeoff analysis must be conducted between the \nincreased security, which the use of biometrics would provide, \nand the effect on areas such as privacy and convenience.\n    Security concerns need to be balanced with practical costs \nand operational considerations as well as political and \neconomic interests. A risk-management approach can help Federal \nagencies identify and address security concerns. A risk \nmanagement approach helps agencies define and analyze the \nassets that need to be protected, the threats to those assets, \nthe security vulnerabilities that could be exploited by \nadversaries, security priorities, and appropriate \ncountermeasures.\n    As Federal agencies consider the development of security \nsystems with biometrics, they need to define what the high-\nlevel goals of this system would be and develop a concept of \noperations that would embody the people, processes and \ntechnologies required to achieve these goals. With these \nanswers, the proper role of biometric technology in security \ncan be determined.\n    Mr. Chairman, that concludes my statement. I would be \npleased to answer any questions that you may have.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. 
Rhodes follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3034.050 through T3034.075\n    \n    Mr. Putnam. Our second witness is Mr. Christer Bergman. Mr. \nBergman has been associated with Precise Biometrics since 2000 \nand has served as president and CEO for the company since June \n2001. Prior to joining Precise Biometrics, Mr. Bergman has \nworked in the information technology industry for the last 20 \nyears and has held managerial and executive positions in \nleading Fortune 500 companies. He also serves as an officer on \nthe board of directors of the International Biometric Industry \nAssociation, a trade association dedicated to supporting and \nadvancing the collective international interests of the \nbiometric industry as a whole.\n    Welcome to the subcommittee. 
You're recognized for 5 \nminutes.\n\n     STATEMENT OF CHRISTER BERGMAN, CEO, PRECISE BIOMETRICS\n\n    Mr. Bergman. Good morning, Mr. Chairman, and thank you for \nthe opportunity to be here today to represent the view of the \nindustry regarding advancements in smart card and biometric \ntechnology in the Federal Government market. As you indicated, \nmy role, roles, are living and breathing biometrics, an \nindustry that is transitioning from emerging technologies into \nthe necessary tool which is part of our daily lives.\n    The biometric industry today is recognized as very much in \nfocus for governments, organizations, corporations, but it \nstill needs a major sign of approval from government and \ncorporations in order to grow into a mature industry. I'm \ndelighted to have the opportunity to give the industry \nperspective of what is happening and what is needed in order \nfor this to be a reality.\n    Let's talk biometrics. As we heard, simply speaking, \nbiometrics is using the body, body parts, in order to identify, \nverify or authenticate yourself. It could be face, finger, \nvoice, etc. It could be a combination or stand-alone. Biometric \ntechnologies could also be used in conjunction with another \ntechnology, such as a smart card.\n    When we talk about biometrics, it's also important to say \nwhere the biometric template--which is a digital stamp of your \nfingerprint or face--is compared? It's stored and compared in \nthe process. This could be done on a network server, including \na data base; that could be done on a workstation, or on device, \nor even on a smart card, as we talked today, and then we call \nthat technology Match-on-Card. Same thing, smart card.\n    What is a smart card? A smart card is a credit-card-sized \nplastic card with a small computer on it. It could either be \nconnected via the chip or contactless, as in the case with \nphysical access, and waving the card in front of the reader. 
\nThe smart ID card, as we call it, it's an intelligent badge \nthat can be used to access buildings, gain access to computer \nnetworks, and can also be the carrier and verifier of my \npersonal biometric identifier. As Mr. Rhodes said before, that \nthe combination of smart card and biometrics can provide a very \nsecure infrastructure. To present something you have, which is \na card, something you are, which is your finger or face, and \ncombine it with the password, then you have a three-factor \nauthentication, which represents a very secure ID credential.\n    However, in reality, in most systems there is a big \nsecurity gap between what the system is designed for and how it \nis actually working. Therefore, there is a growing demand for \nbiometrics in combination with smart cards, so, in my \nstatement, I'm referring to biometrics and now the smart card.\n    In the older configuration, you used a smart card purely to \nstore information, e.g., a biometric template. In the newer, \nmore preferred from a security point of view, preferred \nconfiguration, you use, in fact, the smart card as a computer \nand also do a comparison of the biometric template on the card, \nand I will come back to that in a few seconds. Clearly, that \nmeans that all the smart card functionality on that card can \nonly be accessed by the person with the biometrics matching the \none stored on the card.\n    We from the industry very much appreciate the committee \nholding this very important hearing today, because as we \napproach the second anniversary of September 11, it is crucial \nto be asking the questions as to why deployment of these secure \nitems is not happening on a broader scale.\n    My full testimony is attached in response to many of the \nreasons for this. Let me take a moment to highlight just a \ncouple of the challenges and misunderstandings.\n    Privacy. 
People think that a biometric application takes \nyour fingerprint image and places it in a big data base where \nit can be used or misused. That is not correct. We are using a \nbiometric template, a template from a fingerprint. It could be \nstored on a smart card, not in the data base, and also it can, \nin fact, be stored and computed on the card. That means that \nthe only place where the biometric template exists is on the \nsmart card both during storage and the comparison of the stored \nand captured new image.\n    Second, the cost. There are many elements that we heard \nbefore are building up the cost of any system in the \ninfrastructure. If you combine the smart card and biometrics, \nyou can optimize the cost to any system. For instance, if the \napplication is only verification, there is no need for a big \nback-end data base and a costly infrastructure.\n    Coming back to overall leadership support, biometrics was \nconsidered a new technology a number of years ago. We from the \nbiometric industry, we applaud President Bush, Secretary Ridge \nand others who frequently mention biometrics in speeches. That \ngives us a big boost about biometrics out in the industry.\n    However, there are other organizations that need to be \napplauded. They have shown national leadership in the \ngovernment community, such as the U.S. Treasury, that implement \nthe smart card and biometric system. DMDC and the CAC program, \nas we heard before, are looking into replacing the PIN code \nwith biometrics, and we have the State Department, who was one \nof the first to implement the smart card.\n    My conclusion is that the biometric-enabled smart card is \nnot only a concept, it is very much a proven reality. It could \nlower overall cost, minimize privacy issues, optimize the \nusability from a security and convenience point of view, and it \ncould be used for physical and logical access. 
The industry is \nactively participating in the standardization work, but in \norder to create the de facto standard and implement a secure, \ncost-effective and convenient security system with minimum \nsecurity gaps, there's a strong need for visionary leadership.\n    The combined smart card and biometric industries are ready \nand willing to work with the leaders of this community, the \nCongress and administration to make biometric-enabled smart \ncards a reality.\n    Thank you, Mr. Chairman, for your time and consideration.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. Bergman follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3034.076\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.077\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.078\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.079\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.080\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.081\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.082\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.083\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.084\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.085\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.086\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.087\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.088\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.089\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.090\n    \n    Mr. Putnam. Our final witness for this panel is Mr. Daniel \nTurissini. Mr. Turissini is president and COO and one of \nOperational Research Consultants' founding partners. For the \npast 10 years, he has focused the Operational Research \nConsultants in the field of information assurance and \ninformation security. Of note, ORC was certified as the first \nof three certificate authorities for the Department of \nDefense's External Certificate Authority program. The ORC is \nalso certified by the General Services Administration to \nprovide access certificates for electronic services. Under Mr. 
\nTurissini's leadership, ORC has been designated as the lead \nsystems integrator for the DOD Public Key Infrastructure, a \nstandard information assurance program being implemented across \nall branches of the DOD, which is a user community of \napproximately 36 million personnel, devices and applications.\n    Welcome to the subcommittee, Mr. Turissini. You're \nrecognized for 5 minutes.\n\n   STATEMENT OF DANIEL E. TURISSINI, PRESIDENT, OPERATIONAL \n                   RESEARCH CONSULTANTS, INC.\n\n    Mr. Turissini. Thank you, Mr. Chairman.\n    Thank you for the opportunity to appear here to discuss \nadvancements in smart card and biometric technology. The fact \nthat this committee is holding these hearings reinforces an \nimportant focus on ensuring the integrity of sensitive and \nconfidential information. The paper I provided, which I \nsummarize here, highlights the complexity of this challenge.\n    I focus on digital security and authentication. We can talk \nto physical in the questioning. This includes maintaining an \nopen environment for commerce, data exchange, collaboration and \ncommunication, but without sacrificing information security. To \nmeet this challenge, we must first adopt a credential or a \nstandard for credentials that will support confidentiality, \ndata integrity, identification and authentication, privilege \nand authorization, and nonrepudiation.\n    Second, we must provision to protect those credentials. 
\nThis is further complicated by our need in this country to be \nmobile.\n    And last, we must achieve these goals without encroaching \nupon civil liberties under which our country was founded.\n    The information fog preceding September 11 and the recent \nvirus attacks in the headlines leave little time for invention \nand development, especially while we are not taking full \nadvantage of significant advancements in the development of \nproduction and technologies like smart cards, biometrics, and \nasymmetric credentialing. We must certainly agree about the \nurgency to these requirements; yet, for over 5 years we are \ndelayed implementing solutions that address many of these \nissues in favor of a more optimal solution that will soon be \navailable or a single solution that will be everything to \neverybody.\n    Our target should be striving to attain the highest level \nof security currently attainable without sacrificing \navailability to authorized parties. To a large degree, the \nresistance to this technology has been due to fears of the loss \nof privacy and images of ``big brother.'' Although not without \nmerit, such fears do not have to be realized if the proper \napproaches, policies, procedures and education are employed. We \nmust embrace the technology available today and continue to \nevolve these technologies as advances emerge and technologies \nmature. Instead of reinventing the mouse trap, we must use the \nmouse trap we have and enhance that trap over time.\n    The technologies necessary to attain digital security in \nour open society are available. Asymmetric key technology fully \nsupports nonrepudiation and ensures user privacy. 
Identity, \nrepresented by a key pair, can be managed so that key, the \nprivate key, is created and retained only by the owner, while \nthe associated public key can be freely distributed, thus \nproviding the requisite security needed to afford all parties a \nhigh level of confidence that the individuals attempting access \ninto resources are who they claim to be, and that the actioning \nof a transaction can be identified and nonrepudiated, and this \ncan be done without compromising or infringing upon the privacy \nof the individual. It has been by adhering to established \nstandards, policies and procedures, and enforcing the proper \nuse and integration of these technologies, and enforcing the \nlaws to provide the requisite ramification for transgression.\n    The infrastructure to deploy this technology is currently \nfielded, capable and interoperable, but underutilized. Federal \nleadership is required for the implementation of meaningful and \nefficient security over the Internet to protect sensitive \ninformation and billions of dollars in transactions each day. \nWith your support, the large investment already made in the GSA \nACES program and the DOD PKI program can be embraced to avoid \nmany of the problems that stand in the way of the President's \ne-government initiatives.\n    Equally as important is advancement of the technologies of \nsmart cards and biometrics, and they can be focused on \nenhancing the existing security tools and ensuring the \nprotection of these credentials that are available today. There \nis not currently one solution or technology that will attain \nthe desired level of security without sacrificing availability \nand without encroaching on civil liberties; however, through \nproper integration and configuration of smart card, biometric \nand asymmetric key technology, security can be achieved and \nConstitutional rights protected. 
It is an achievable \nundertaking that will ``provide for the common defense, promote \nthe general Welfare, and secure the blessings of liberty to \nourselves and our prosperity.''\n    Thank you for your time and the opportunity to present our \nviewpoint.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. Turissini follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3034.091\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.092\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.093\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.094\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.095\n    \n    [GRAPHIC] [TIFF OMITTED] T3034.096\n    \n    Mr. Putnam. I appreciate the remarks of all of our \nwitnesses.\n    I'd like to begin with questions from Mr. Rhodes. You \nopened up your remarks with a three-prong test, if you will: \nHow will the technology be used, what is the cost-benefit \nanalysis, and what are the tradeoffs.\n    Mr. Rhodes. Yes, sir.\n    Mr. Putnam. I'd like you to answer, how does GAO envision \nsmart-card technology being used; to what degree, what scale, \nwhat applications would be layered on? In other words, are we \njust talking about identity authentication, are we just talking \nabout access, or would there be other applications which you \nall would envision?\n    Mr. Rhodes. Well, there would be the primary function, of \ncourse, the authentication of you as who you are, and all that \nwould be associated with your identity.\n    So that would be mainly in the areas of access, and that \nwould be access to location as well as access to system and \ninformation, etc.; I mean, not unlike the token that you carry \nwith you in order to vote. I can't use that token; that's \nyours. 
It's in your possession, but it gives you access in \norder to do something.\n    So in saying, ``Is it just access to a facility or is it \njust access to a system,'' it's really the opener for you to be \nable to exercise your function as a Representative of the \nUnited States in your role of executing a vote. So that's \ndefining it just as access to location or access to \ninformation. There is that part.\n    But then the other two legs, as it were, of detection as \nwell as reaction in terms of holistic security approach, it \nwould be used as a continual identifier of you wherever you \nwere inside the system. You're inside a facility and then you \nlog onto a computer and some incident occurs; we will be able \nto know where you are inside the system. So it's not just \naccess for you as an individual, but it's also evidence \ncollection. It's also forensic analysis from the law \nenforcement standpoint, and it's also reaction from either the \ncomputer emergency response team or law enforcement to be able \nto isolate the systems that are under attack or a location \nthat's having a problem.\n    For example, in the release of the Blaster Worm that's gone \non for the last few weeks, someone has been identified. There's \na possibility that someone else is colluding with that \nindividual. If people had better positive identification of \nthemselves, of the system, and of the system to other systems \ninvolved--it's not just an access point, but it's also an \nidentifier of action as well.\n    Mr. Putnam. So those are additional values that come from \nhaving positive ID. Does it pass your second test, which is the \ncost benefit?\n    Mr. Rhodes. Depending on what you want to do. If you're \ntalking about--I mean, once upon a time, for access to a \nparticular system, when I worked prior to coming to GAO, I \nneeded a retinal scan in order to actually control the system, \nbecause it was a high-value asset and it was a high-security \nclearance. 
I actually had several stages I had to go through \nbefore I got to that part of the system where I exercised the \nretinal scan. So in that scenario, the cost benefit is the \nfunction of what are you going to lose if the asset becomes \ncompromised.\n    And that's really the primary high-level policy statement, \nnot unlike the Smart Card discussion that my colleague Joel \nWillemssen talked about on the first panel. There has to be \nthat policy established that says, ``This is the hierarchy of \nvalue.'' What we're really talking about is operation security. \nYou're looking at what are the critical assets. You're valuing \nthem based on risk, and you're saying what needs to be applied.\n    Well, most people view a retinal scan as very intrusive, \nand they aren't willing to sit and go through that process; but \neverybody has their fingerprints, and that's less intrusive. So \nbuilding that connection between value of asset and the \nmultiple layers of authentication--something I have, something \nI know, something I am--that's the process for the cost \nbenefit. So being able to say, are biometrics cost beneficial? \nYes, they are.\n    Smart cards are cost beneficial as well, depending on how \nyou apply them. I mean, the CAC program, as was discussed in \nthe earlier panel, incorporates fingerprints. Obviously it's \ncost beneficial for their application, but you might not be \nable to use that to control a spacecraft on orbit.\n    Mr. Putnam. I think Mr. Willemssen's comments were right \non, and his take-away point was that this credentialing \nstandardization is the most important first step; and I think \nthat was the key point. But at the higher levels, at the higher \nsecurity clearances, if you want access to a silo or access to \na sub, I think that people are pretty well in agreement and are \nwilling to undergo the intrusive nature of the biometric scan. \nBut we basically already have that.\n    Mr. Rhodes. Absolutely.\n    Mr. Putnam. 
Since.\n    Mr. Rhodes. Twenty years ago.\n    Mr. Putnam. But if our goal is a governmentwide smart card \nprogram or even a DOD-wide smart card program, is it still cost \neffective for someone who has no clearance, has no access to \nparticularly sensitive material, and you're just using it as a \nnifty way to get around people having keys and people being \nable to get behind the counter at the Social Security \nAdministration as opposed to just getting into the public \nbuilding.\n    Is that cost benefit always worth it?\n    Mr. Rhodes. Well, that's the--your point is--and the \nhierarchy you just went through is the true basis for it. If \nall you're wanting is for somebody to get access into a \nbuilding in order to stand on the other side of the counter and \ntalk to some government official you may not necessarily need \nthat. However, for the person to get behind that counter in the \nenvironment we are in now, with the understanding of the threat \nthat we have now, it certainly seems that something far beyond \njust my driver's license, which colleagues from our Special \nInvestigations Office are testifying on today. We have forged \ncredentials for them. At that point, the token at that moment, \nmy driver's license, is pretty worthless.\n    Mr. Putnam. Especially in any good college town.\n    Mr. Rhodes. Yes, especially in any good college town where \nthey know that to be old enough to buy a beer, you need a \nphotograph of the front of your face, not the profile of your \nface. I mean, these are the points that need to be made.\n    One other question, though, that needs to be asked is--and \nthe other two panelists have alluded to this--the system behind \nthe token has to be clearly designed and built from a security \nstandpoint so that, for example, I have the correct token, but \nthe system behind it is broken. 
So now I am authenticated into \na system where either the enrollment piece isn't good enough or \nthe system itself and who is maintaining the system behind it \naren't good enough.\n    Mr. Putnam. This is not your first Technology Subcommittee \nhearing. You've heard stovepipes and interoperability and all \nthis kind of stuff for a long, long time, a lot longer than I \nhave. This is a question I posed to the first panel.\n    How do you juxtapose the goal of access management and \nidentity authentication with the fact that there are so many \nthousands of different systems, even within agencies or within \ndepartments? Until we have interoperability there, will smart \ncards ever really work on a broad basis?\n    Mr. Rhodes. Not on a broad basis. I mean, I have seven ID \ncards in my pocket right now, some of which--two of which are \nused for the exact same building. One is to get into the front \ndoor and one is to get onto a certain floor, because there are \ntwo different agencies in the building.\n    So if I'm talking about physical tokens with my picture on \nit, I think I'm in several hundred access systems around \nWashington and the United States and other government agencies.\n    So until you have that interoperability that you're talking \nabout, I won't be able to have the ``single sign-on'' where I \ncan do what you were asking on the first panel, take my token, \nplug it in. God forbid that my building has a--there's some \naccident that occurs in my building and I need to be evacuated. \nNo, I will not be able to take that token and go to a remote \nlocation and log in unless the infrastructure is there or \nunless the stovepipes are broken, because it can't just be a \nmatter of me being able to have complete, unfettered access and \nauthentication to the system in front of me. I need to be able \nto go to other places.\n    Mr. Putnam. 
The point you made about the number of ID cards \nyou have, you can go down to the Capital Hyatt or the Hilton or \nanywhere, and everybody gets a room card--hundreds of different \nroom cards, two per room, 300 rooms in this big, tall hotel. \nAll those cards get you in the front door after hours or the \nback door or the parking garage, all of them equally, but \nunequally get you into your discrete room that you have \nbusiness being in. But GAO can't have the same technology.\n    Mr. Rhodes. The GAO--I will say this. The GAO does have the \nsame technology, but we're only 3,000 people. We're 3,000 \npeople in 10 locations, and we have a Comptroller General who's \na power user of technology.\n    If you want to have an organization, if you want to be able \nto take the entire Federal Government and say, standardize, \nwell, who's the czar of the Federal Government? Who's going to \nuse both carrot and stick to get that done? That's the modus \noperandi for the solution.\n    I mean, I report directly to the Comptroller General of the \nUnited States, and he believes that security is important, but \nconvenience is also important. And we've struck a balance. So I \nhave one ID for the General Accounting Office.\n    Mr. Putnam. Well, we're going to have a czarina now.\n    Mr. Bergman and Mr. Turissini, give us the private sector \ntake on what you've heard this morning. Where are we headed? \nWhat is your vision for what the Federal Government's approach \nto smart card technology could be?\n    Just share that with us, if you would, please, beginning \nwith Mr. Bergman.\n    Mr. Bergman. Do you want the pleasant answer or the truth?\n    Mr. Putnam. Well, you're under oath now. So you're stuck.\n    Mr. Bergman. Good point. I think it takes too long time to \nget started and deploy the technology.\n    The technology is there in different places, and we need to \nmove forward. 
It was talked about that, we use more and more \nWeb-enabled applications, and that's good and fair; but then we \ntalk about the Web application having a smart card or smart ID \ncredential interacting with the PIN code. So then we have two \nPIN codes talking with each other.\n    Where is the evidence that it is the person who is \nauthenticated to that particular smart card?\n    The technology is here, and I think that it's been said a \nnumber of times today that we need to get moving and create a \nde facto standard. The technology is not the blockage, and I \ndon't think that we have to be that complex in creating all the \nback-end systems, all interacting, because then we need to wait \nfor another number of years.\n    Private organizations have similar problems. They don't \nhave one back-end system even for a small corporation. They \nhave hundreds maybe, and the technology still works there, as \nwe speak, right now.\n    I do think that we have to decide, where we want to go, the \nstrategy, the needs, and start to implement it. If we are \nsitting and trying to create the fantastic, unique system, then \nwe'll never get there. I don't see any difference between the \nFederal Government versus the corporations in the market out \nthere. Let's have the, ``This is the direction we're going,'' \nand then let's move on.\n    Mr. Putnam. Mr. Turissini.\n    Mr. Turissini. 
Just to add to that, not only is the \ntechnology here, but the infrastructure has been invested in \nover the last 5 to 10 years within the DOD, with GSA to do the \ncredentialing and to get people identity credentials, not only \nwithin the government but with our civil citizenry.\n    We have, again, neglected to go forth with this technology \nfor fears, for stovepipes, for rice bowls maybe, but the bottom \nline is, we can currently credential almost everybody in the \ngovernment and probably everybody in the country.\n    The DOD, under the program I'm working, is currently \ncredentialing over 10,000 people a day on smart cards, giving \nunique credentials; and those credentials, in the form of \ndigital certificates, can be accepted in your data bases, your \nWeb-enabled data bases, tomorrow if you choose to do so. It's \nnot a long process, nor is it a terribly expensive process.\n    We need to get on with the business of securing our \ninformation resources. You need what is the cost benefit.\n    There are very few pieces of information that anybody in \nthis government deals with that in the aggregate can't be \nharmful to us outside of the United States, things like flight \nschedules, things like where people land and when they land and \nwho's coming in and out of this country. We can't guarantee who \nthe bad guys are, but we can guarantee who the good guys are. \nWe can credential all the people we need to, so that if you \ndon't have a credential, you're under suspicion and you've got \nto go get one or we've got to talk to you a little bit closer.\n    So the technology is here. We've invested 5 years, 7 years, \nand a lot of money with GSA and DOD to create the \ninfrastructure to field this technology. I say, let's get on \nwith the business of doing it; and I think the way that we do \nthat is by--they called it ``culture'' earlier. I think it's \njust policy and direction. 
You need to be told, and you need to \nsay, this is the way we're going.\n    We have policy that is set up in the forms of certificate \npolicies and practice statements. They need to be in force. \nThey need to be promulgated.\n    As far as the physical versus the virtual, this is my smart \ncard CAC. This is my identification into a DOD building. Other \nthan the color, I don't know what the culture shock is.\n    So physically don't tell the guys at smart card. I don't \nknow. It's not that big a deal. But I do have a chip on my \nsmart card, and that chip gives me digital capability.\n    And, again, the smart card is not my access. It's a \nprotection of the credential. That's all it's doing. It's \nprotecting the blob, the ones and zeros that are on there that \nidentify me, the thing that I went to a work station, gave them \nmy three or four forms of ID, gave them my fingerprint and \nguaranteed that I'm going to protect that credential. I can't \ngive it to anybody else. It's not like a password that I can \npass over to him, because it's on here, and I have it, and I'm \nthe only one--and I'm responsible for that.\n    Mr. Putnam. One of the issues that always comes up in any \ncongressional hearing when we're trying to push the Federal \nGovernment to do particular things is the considerable \ndifficulty due to the sheer size of the government, and the \ndifferent requirements based on job classifications and things \nlike that.\n    To the best of your knowledge, who is the largest \ncommercial user of smart card technology that might be a good \nfirm for this subcommittee to pay a visit to and see how \nthey've made it work?\n    Mr. Turissini. Actually, the banking industry is probably \nthe best, and I don't know if it's a particular firm, maybe \nChase Manhattan. 
But what we've got to be careful about is the \ndefinition of ``smart card,'' and there are many definitions, \neverywhere from a stored value card to a card like the CAC, \nwhich is a cryptographic module card, a computer that actually \nprotects a credential.\n    The biggest user of that kind of credentialing is the DOD. \nNobody else is really doing that to the extent that the DOD is \ndoing. Like I said, over 3 million users right now, and we're \nissuing 10,000 credentials a day. But from a credentialing \npoint of view and a smart card in a less secure environment, \nalthough probably just as critical, the financial community is \nvery involved in moving transactions using digital credentials \nand protecting those credentials on some kind of a token, \nwhether it's smart card or an IT or something like that.\n    Mr. Putnam. Mr. Bergman, do you want to add anything?\n    Mr. Bergman. No. The CAC program is definitely the biggest \none.\n    I just want to add there are other projects on their way \naround the world right now, everywhere from Hong Kong to \nMalaysia, to Saudi, to Latvia, Turkey, a number of countries \nout there are doing the same thing right now. And those will \nmaybe be bigger or larger deployment when they are deployed, \nbut I don't know any bigger than the CAC program as deployed.\n    Mr. Putnam. A lot of pressure, Mr. Scheflen.\n    Mr. Rhodes, do you want to add anything to that?\n    Mr. Rhodes. I would echo the distinction between a smart \ncard, which actually has its cryptographic module on it and \nactually has the computer on the card, versus the stored value. \nThere are larger implementations in industry that are stored \nvalue, but there isn't any larger implementation than the CAC \nof a truly smart--on-the-card, intelligent system.\n    Mr. Putnam. I may not be truly appreciating that \ndistinction. It just seems that you get a little tag to hang on \nyour key ring from your supermarket. 
They take 10 percent off \nevery time, you use it and you earn points toward a new ball \ncap. And you get a little card to hang on your key ring that \nyou wave in front of the gas pump, and you're allowed to get \n$50, $40 of gas at a time and head on, and they ask you if you \nwant a receipt. You don't have to see anybody. You don't have \nto talk to anybody over those intercoms that never work.\n    It just seems like the rest of the world is figuring all \nthis out reasonably well. I mean, we're buying gas, not getting \naccess to missile silos. But still, tens, hundreds of millions \nof dollars' worth of transactions on a fairly frequent basis \nthat ordinary citizens are becoming rather accustomed to and \ncomfortable with, even though Giant knows that they prefer \nCheer over Tide or that they buy 12 gallons of milk a month or \nwhatever.\n    People are dealing with it so that they can get that 10 \npercent off. I mean, I think we're in this post-September 11 \nworld, everybody is focused on ways to sell the government \nsomething based on security, but the idea that instead of there \nbeing a paper file that moves around with our 3 million \nmilitary personnel every 2 years, you've got it on something \nthe size of your VISA card and you swipe it when you go into \nwhatever installation in whatever country on whatever base, and \nyou deal with that; and then you perhaps could take that same \ncard over to the PX and buy your groceries and you could take \nthat same card over and, I mean, have dozens of applications on \nthe same smart card above and beyond simple identity \nauthentication and access.\n    And maybe I'm not appreciating the distinctions here, but \neven if you separate the zebra that is DOD from all the horses \nthat are the rest of the government, there's a lot more that we \ncan be doing with this, I think, for an awful lot of Federal \nGovernment employees, than we have.\n    Mr. 
Bergman, could you elaborate some on the match-on card \ntechnology?\n    Mr. Bergman. I would be happy to do that.\n    The match-on card technology that we're using, the chip on \nthe smart card does the comparison of the template. That means \nthat when I log onto my computer, I have my biometric template \nstored on that chip. I put it into my biometric and combined \nsmart card reader, which is about a $100 piece of equipment. \nWhen I do the matching, the matching is done on the smart card. \nThat means that my template will not be transformed over to a \ndata base somewhere else. From a scalability point of view, \nthat's very important. I don't need to have the infrastructure \nbuilt up behind it.\n    For instance, take today's discussion about the U.S. VISIT \nprogram. Does it need to be an infrastructure to allow myself \nwith my finger going into a data base somewhere in the world, \nor is it only when I issue a credential that I need to be \nconnected back to the data base and say, am I a good guy or bad \nguy? After that, once I've got my credential and it's secure \nenough to go around the world and say this is me, there's one \npiece missing in it. That's the validation of it. Is it valid? \nIt's OK, it's me, but am I still valid? And there are \ntechnologies for that as well.\n    An example that happened to me last Saturday, returning \nback from Sweden, we were standing, myself and hundreds of \nother people, out in Dulles Airport waiting for INS because the \nback-end system was down. Is that the way we want to build the \ninfrastructure? This was just to swipe my passport and my green \ncard. Is this the way we protect our borders? That is a pretty \neffective way--``no one can enter.'' Nothing happened for 40 \nminutes because the back-end data base was down.\n    Those are the kinds of things that we need to think about \nwhen we deploy a large system. 
That's why I think you do DOD
biometric authentication up front on your token, on a sticky
product. A sticky product is something you have and that you
use 10 times a day.
    And you talk about convenience. It's convenience for me.
You can't force people to use security. It's convenience that
matters.
    I can get into different places. The biometric comparison
can be done on a card or a token, or it can be done back on a
data base. And I think the data base is a legacy infrastructure
and costly, and it's a pretty nonoptimized way of doing
business today.
    Mr. Putnam. To any of you who wish to answer, how far are
we from being able to replace the paper passport with a smart-
card type of identification, merged with biometrics?
    Mr. Bergman.
    Mr. Bergman. From a technology point of view, we're not far
away, but I think along the same line, that we have been
talking and listening today about the stovepipes.
    If you talk about the passport which is one passport for
the United States, another one for European countries, I think
we need to discuss where we are heading. I think that
biometrics should be on the road map, I think it's a good step
forward to have my picture, my face on that smart card or
token, in a readable format.
    To have a smart card on the passports is probably a number
of years, 5 years, 10 years away--if we decide upon the
direction. I don't know, but lots of people in this country
don't even have a passport.
    Those are the kinds of things that we have to sit down and
decide about the strategy, go for it, and step by step we
implement it.
    Mr. Putnam. Mr. Rhodes.
    Mr. Rhodes. One point I would make is that INS and State--
at the time of that report, INS and State had issued 5 million
border crossing cards that included fingerprint or
fingerprints--probably at about 6.5 million now. But just as
you had the discussion this morning about the cards are issued,
but are they application-enabled, well, the cards--you have 6.5
million cards out there, but they haven't bought enough
readers. So now the cards are being treated just as any other
travel document.
    So as they're--how far away are we from this is my digital
identity on this card and it's recognizable in the United
States or it's recognizable inside the Federal Government. It's
a matter of the implementation.
    I can't stress enough what the other panelists, not just
here but on the earlier panels, said. It is not a question of
technology; it really isn't. The ID-on-card, match-on-card
technology is one of the balancing factors for convenience as
well as privacy concerns. It's a matter of deploying them,
getting them out, getting people enrolled and making certain
that the technology is in place.
    Just as you were saying earlier for the earlier panel, when
is it good enough?
    It's not perfect. As somebody who tests the security of the
Federal Government on behalf of the legislative branch, putting
something in place better than a user ID and a password is a
step in the right direction, even if it's not the greatest
thing in the world, if it's not the best technology, because
user IDs and passwords are folly. And you give me 7 days, I can
break any one of them, and I don't care what it is, because we
do it.
    So trying to get a token and trying to get some smart card
combination with biometric technology is superior to what we
have now, and that's really the question that everyone needs to
ask, ``Is what we're trying to put in place better than what we
have now,'' and the answer is, ``Yes.''
    Mr. Putnam. You mentioned face, hand, iris and finger. Are
they the key biometric features?
    Mr. Rhodes. Those are the four that are most mature.
    Mr. Putnam. Right. So you mentioned that retinal scan is
probably what most people would consider the most intrusive.
    Mr. Rhodes. No doubt.
    Mr. Putnam. Fingerprint, probably less intrusive.
    Mr. Rhodes. Yes, sir.
    Mr. Putnam. The least intrusive.
    What is the most appropriate biometric characteristic to
adopt for widespread usage for things like air travel, access
to unclassified-type facilities and things of that sort that
would be widely used perhaps on a passport?
    Mr. Rhodes. At least in the technology we've looked at,
since fingerprint recognition is the most mature, that's
probably the most appropriate. You'd want to have a fingerprint
photograph on a card.
    Talking about a single token, you're actually talking about
multiple identifiers on the token. There's the design of the
token, the color of the token. There's a shield on it. There's
probably a magnetic strip on the back as well as an on-board
chip, and there would be some template inside there for a
fingerprint.
    Now the question becomes, ``Do you want just a thumb, just
an index finger? Do you want 10 fingers?'' But the fingerprint
recognition is the longest lived. I mean, that's the most
mature technology at the moment, although retinal scan is very
mature, but you have to sit for a long time, and you have to
have this thing paint the back of your eye. And people usually
don't want to take an afternoon and enjoy that. The more
invasive it is, the more concerns there are.
    Facial recognition is probably the least invasive, but it's
extremely unstable, because you can do it with a CCTV. You can
do it with closed circuit television at a stadium or something
like that; but depending on how the lighting is, how the face
is turned, the expression on the face, the identification
points shift, and then they don't necessarily connect properly.
There's a high false-positive rate. And there's a high false-
negative rate, as well, with facial recognition, facial
pattern.
    Mr. Putnam. Mr. Turissini, talk a little bit about the
privacy issues, please. You've raised that in your testimony,
and understandably there are widespread concerns in the
populace about privacy issues.
    How do we strike the proper balance?
    Mr. Turissini. Well, as I state in the paper, what you need
to look at are multiple technologies, not just a single
technology. Using smart cards with the biometric, with the
asymmetric credential, allows the personal data, that
fingerprint or the scan of the face or retina, to be owned and
carried only by the owner of the fingerprint or the credential.
    What I would be afraid of in a public venue would be to
have my fingerprint or even a representation of my fingerprint
to be in a data base to be compared to; and then that would be
distributed. Because it's not going to be on one data base;
it's going to go to the next data base. It's kind of like when
you send an e-mail to eBay and you get 100 junk mails. Well,
you use your fingerprint on one place, and then your
fingerprint is all over the world.
    But the big distinction--and I want to bring this back to
the earlier question, the distinction between the cryptographic
smart card, the cryptographic function versus just the stored
value; and that's the same issue, there is this nonrepudiation.
When you go to a gas station, even when you use your credit
card, they're not checking to see if Mr. Putnam is swiping that
card. They're checking to see that Mr. Putnam has money in that
checking account or that credit card account or something like
that. They really don't care who you are. They just care that
you have money to pay the bill.
    In the transactions we're dealing with in the government
and the protections we're involved with, we not only want to
know who's touching this data. We want to know what they're
doing, and we want them to leave a trace of nonrepudiation. We
don't want people coming into our enclaves and doing something
and then later being able to say, I didn't do it.
    These viruses are a good example. We have the technology
today to use digital credentialing, whether in the form of
digital certificates or in combination with the smart cards and
the biometrics, so that every e-mail I receive into my enclave
is identified with the person sending it.
    Now, if I have to go out and get a credential, show three
forms of ID and sign that I'm going to protect that credential
and I'm going to put it on a smart card, and then when I send
you an e-mail, I have to apply that credential to it so that
you know it came from me, I'm not going to send you a virus,
certainly not on purpose. I'm not going to create a worm and
send it to you with my signature on it.
    So the distinction in just stored value versus this
cryptographic or this strong smart card is really the assurance
that the person doing the transaction is that person by name,
rank, Social Security or serial number and not just a bank
account or not just somebody from Federal Building No. 12 or
something like that. It really brings every transaction to a
personal level, not only from a signature, not only from an
authentication, but also from an auditing point of view. And
that's why it doesn't matter the level of security from the
back-end point of view.
    The only thing the credential cares about is your identity.
Now, what you do with that identity in your back end is your
choice.
    Now, if you are--and we'll put numbers on it. If you're
99.9 percent sure that this credential is going to be correct
because it comes from a trusted third party, and it's protected
by a biometric or a smart card environment and you're going to
do a financial transaction, maybe that's all you want is
authentication by that credential. And if you're going to blow
missiles up, maybe you want that person and somebody else's
credential statement. So there's the back end.
    How you react to that identity is kind of a separate
question. It's not a completely different issue, but it is a
separate question.
    We have not only the technology but the infrastructure to
credential, to make that credential available so that you can
decide what to do with that credential; so that the FAA and TSA
can say, you know, I've got this card and it's Dan Turissini,
and Dan Turissini is allowed access in and out of the airports,
and he's a good guy and he doesn't have a criminal record. And
the guy that shows up with no ID and no credential, well, we've
got to take a closer look at that. They're the people that
should be taking off their shoes and checking their--the heels
of their shoes and stuff like that.
    So that's the distinction. It's the nonreputable
authentication of that person and the auditing capability of
those transactions, rather than to a bank account or to a
location; it's directly to the person's identity.
    Mr. Putnam. Any other comments from the other panelists?
    Mr. Bergman. From a privacy point of view?
    Mr. Putnam. Yes.
    Mr. Bergman. I fully agree with my panelists here.
    When you demo on a trade show, you demo biometrics. The
worst you could joke about is saying, ``What's happening right
now is taking your fingerprint and sending it back to a data
base.'' The people get really scared.
    The biggest educational problem we have is, Mrs. So-and-So,
we are not taking your fingerprint. You're using your
fingerprint to create the digital representation. It's called a
biometric template. And it's not stored in the data base. And
it's not a unique concern. Thousands of people have discussed
that kind of thing, I don't want to have my fingerprint in the
data base.
    And also, by the way, Minority Report and other interesting
movies the last years haven't helped because, it's the
fingerprint, I put the fingerprint somewhere else, and you're
nailed.
    So I think that the privacy, as you said here before, is
that the template is one step; and the second step is, I have
it right here. I control my template. I control my own data
base, so to speak. That's why I'm concerned about the overall
infrastructure that's being proposed for the U.S. VISIT and
TWIC program right now. That's counterproductive to the
biometric industries from an image template and the storage.
    The privacy is a big concern. And you, Mr. Chairman, said
before about passport, it's going to be even bigger, because we
don't deal with only DOD people.
    Mr. Putnam. Elaborate some on the TWIC concern.
    Mr. Bergman. My understanding is that TWIC is proposing to
have the image going back to a data base and to have 450 point
of entries fully equipped with biometric devices that could
capture fingerprints, send that fingerprint back to a data base
and check if you are a good guy. Otherwise, we don't let you
over the bridge, so to speak.
    That's the big concern, to have the image back and forth to
a data base, because as Mr. Turissini said before, it's not one
data base. It's replicated in different data bases.
    I've been working 5 years for a data base company, so I
know that. Replication of data base is a special thing. It's
easier to say, not so easily done.
    Mr. Putnam. That's something we can look into.
    Mr. Rhodes, do you have any final comments?
    Mr. Rhodes. The one point that I would make regarding
either data base or sending information back is that is at the
heart of the privacy concern. The question is how--the question
from a citizen's point of view is, what are you going to do
with this information, because we've now moved away from,
you've stolen my identity because you've got my Social Security
number.
    Now you move into that realm of absolute nonrepudiation,
because this is the double whorl on my thumb, and this is the
single whorl on my left index finger, and two of them brought
together give great authentication of who I am and leave me no
margin for saying, ``I wasn't there or I'm not this
individual.''
    The more that information gets passed and the more that it
becomes replicated, it becomes difficult to synchronize data
bases, and it becomes difficult to make certain that they're
all up to date. So the more that it is tied into on-card
validation as opposed to a larger system where the information
is being passed, the more it's going to be convenient; and
ultimately, that's one of the factors that needs to be brought
in.
    We all know what it was like to try to move through
Washington, DC, right after September 11th. We couldn't get
into buildings. Even if you worked there, it was difficult to
get into a building, and you had the right credentials.
    Trying to get on an airplane during a high-threat period is
very difficult. Trying to get on an airplane under any
conditions is difficult these days, but during high threat it's
very difficult.
    So as more of this technology is applied, if it's
convenient, if it makes it easier for people to move through
portals and to get to the services that they need--your point
about having my medical records on a smart card that's
biometrically validated back to me, etc., all the conveniences,
that's great, because the card can speak for me when I can't.
But I have to make certain that the information on that card
isn't then able to be used by someone else or that the
information on that card isn't going to be corrupted or
unusable because the system I plug into is getting creamed by
Blaster at that moment. So these are all those balances that
have to be worked out on the tradeoffs.
    Mr. Putnam. Very good.
    I want to thank this panel for their contributions and
thank the first panel, as well, particularly those who stayed--
Mr. Willemssen, Mr. Scheflen--and I appreciate your remaining
and hearing the issues raised by the private sector and Mr.
Rhodes.
    We obviously have a lot of work to do on this issue, and
this subcommittee will continue to follow the progress of the
executive branch's move toward implementing this.
    So, with that, we appreciate all the contributions, and
just to make sure I'm not forgetting something. If there may be
additional questions we did not have time for today, the record
will remain open for 2 weeks for submitted questions and
answers. With that, we stand adjourned.
    [Whereupon, at 12:35 p.m., the subcommittee was adjourned.]

</pre></body></html>