[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





          ADVANCEMENTS IN SMART CARD AND BIOMETRIC TECHNOLOGY

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 9, 2003

                               __________

                           Serial No. 108-133

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

93-034              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                 Lori Martin, Professional Staff Member
                      Ursula Wojciechowski, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
Hearing held on September 9, 2003
Statement of:
    Bates, Sandy, Commissioner of Federal Technology Services, 
      General Services Administration
    Bergman, Christer, CEO, Precise Biometrics
    Rhodes, Keith, Chief Technologist, General Accounting Office
    Scheflen, Kenneth C., Director, Defense Manpower Data Center, 
      U.S. Department of Defense
    Turissini, Daniel E., president, Operational Research 
      Consultants, Inc.
    Willemssen, Joel, managing Director of IT Management, General 
      Accounting Office
    Wu, Benjamin, Deputy Under Secretary of Commerce for 
      Technology, U.S. Department of Commerce
Letters, statements, etc., submitted for the record by:
    Bates, Sandy, Commissioner of Federal Technology Services, 
      General Services Administration, prepared statement of
    Bergman, Christer, CEO, Precise Biometrics, prepared 
      statement of
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of
    Rhodes, Keith, Chief Technologist, General Accounting Office, 
      prepared statement of
    Scheflen, Kenneth C., Director, Defense Manpower Data Center, 
      U.S. Department of Defense, prepared statement of
    Turissini, Daniel E., president, Operational Research 
      Consultants, Inc., prepared statement of
    Willemssen, Joel, managing Director of IT Management, General 
      Accounting Office, prepared statement of
    Wu, Benjamin, Deputy Under Secretary of Commerce for 
      Technology, U.S. Department of Commerce, prepared statement 
      of

 
          ADVANCEMENTS IN SMART CARD AND BIOMETRIC TECHNOLOGY

                              ----------                              


                       TUESDAY, SEPTEMBER 9, 2003

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:05 a.m., in 
room 2154, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representative Putnam.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Lori Martin, professional staff member; Ursula 
Wojciechowski, clerk; Suzanne Lightman, fellow; Karen 
Lightfoot, minority communications director/sr. policy advisor; 
David McMillen, minority professional staff member; Cecelia 
Morton, minority office manager; and Anna Laitin, minority 
assistant communications.
    Mr. Putnam. A quorum being present, this hearing of the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    Good morning and welcome, everyone, to today's hearing 
entitled, ``Advancements in Smart Card and Biometric 
Technology.'' I hope everyone had a nice August work period and 
enjoyed a little bit of the break with Congress being out of 
everybody's hair and back home telling the good people, the 
good constituents what we've done to them or for them, 
whichever the case may be.
    This is the first hearing of a very ambitious fall schedule 
for this subcommittee. As you may have noticed from our 
postings, we will have two hearings this week, three hearings 
the next week on cybersecurity and related matters. So we have 
a very aggressive schedule in keeping with the pace that we 
have set throughout the year, and we certainly appreciate the 
support that GAO and the other executive agencies have provided 
this subcommittee in allowing us to prepare for that ambitious 
a schedule.
    Securing government buildings and computer systems is a 
task which has grown in both importance and challenge over the 
past number of years. Recognizing this, Federal agencies 
working with the GSA have begun testing advanced identification 
technology that will better authenticate the identity of those 
requiring access to and interaction with the Federal 
Government.
    Specifically, agencies are examining the use of smart cards 
which offer a number of benefits to Federal agencies including 
identity authentication of cardholders, increased security over 
buildings, safeguarding computers and data and conducting 
financial and nonfinancial transactions more accurately and 
efficiently. In fact, some agencies, such as the Department of 
Defense, have already issued smart cards. The DOD's Common 
Access Card [CAC], enables physical access to buildings, 
installations and controlled spaces. It also permits access 
into DOD's computer networks. The CAC provides the Department 
of Defense the information, security and assurance necessary to 
protect vital information resources.
    A number of other agencies across the Federal Government 
are still exploring the possibilities of smart card use; and 
while some progress has been made, a recent report released by 
GAO outlines some areas of concern that need to be addressed in 
order for agencies to move forward in implementing the use of 
smart cards. As is too often the case, agencies have been 
unable to sustain an executive-level commitment to this 
project, according to the GAO. If these types of initiatives 
fail to be a priority with the leadership of the agency, it is 
difficult to imagine that adequate resources will be allocated 
for their implementation.
    Some additional noted challenges to progress include: 
recognizing and understanding resource requirements, 
integrating physical and IT security practices, focusing on 
achieving interoperability among smart card systems, 
maintaining the ongoing security of smart card systems and 
protecting the privacy of personal information. These are just 
a few of the issues agencies will need to address as they move 
forward.
    There are other advanced and emerging technologies that 
have the potential to offer additional assurance to the 
identity authentication process. Biometrics are automated 
methods of recognizing a person based on a physiological or 
behavioral characteristic. Biometry is being explored, 
developed and even utilized by agencies today, including the 
FBI, at our borders and by State governments in detecting fraud 
and abuse of government benefits through identity verification.
    Biometric authentication may also be used with smart card 
technology. Some smart cards have the capability of holding a 
biometric identifier, such as a fingerprint. This holds the 
potential to increase the accuracy of the identity 
authentication process. These possibilities as well as the 
limitations and challenges presented by this technology should 
be explored further.
    As agencies proceed to explore the use of these advanced 
identity authentication technologies, government cannot neglect 
the importance people and process will continue to play in 
providing a secure environment. Regardless of how well these 
technologies work on behalf of the Federal Government in 
authentication and identity management, technology has its 
limitations. Without the people and process in place to make it 
work, we will have wasted a lot of money as well as provided a 
false sense of security.
    I'm hopeful that, as the Office of Management and Budget, 
working with the GSA and the National Institute of Standards 
and Technology, goes forward in setting some guidance for 
agencies, concrete progress in the actual implementation of 
smart card technology across agencies will be demonstrated in 
the very near future.
    As is always the case with this subcommittee, today's 
hearing can be viewed live via Web cast by going to 
reform.House.gov and clicking on the link under live committee 
broadcast.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHICS T3034.001 through T3034.002 omitted (TIFF).]
    
    Mr. Putnam. It is a pleasure to have a distinguished panel 
of witnesses with us this morning; and, as is the custom with 
this subcommittee, I would ask that the witnesses and any 
supporting cast members who will be answering questions rise 
and raise your right hands and be sworn in.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all the witnesses 
responded in the affirmative.
    Our first witness this morning is Mr. Joel Willemssen. Mr. 
Willemssen is the managing director of Information Technology 
Issues at the U.S. General Accounting Office. In this position, 
he has overall responsibility for GAO's evaluations of 
information technology across the government. Specific 
responsibilities include governmentwide and agency-specific 
assessments of computer security and critical infrastructure 
protection, e-government, information collection, use and 
dissemination and privacy. Mr. Willemssen is very supportive of 
the work of this subcommittee, as is the rest of GAO, and we 
welcome your testimony.
    Mr. Willemssen, you're recognized for 5 minutes.

     STATEMENT OF JOEL WILLEMSSEN, MANAGING DIRECTOR OF IT 
             MANAGEMENT, GENERAL ACCOUNTING OFFICE

    Mr. Willemssen. Thank you, Mr. Chairman. Thank you for 
inviting us to testify today on the smart cards; and, as 
requested, I'll briefly summarize our statement.
    The Federal Government is increasingly pursuing the use of 
smart cards for improving the security of its many physical and 
information assets. Since 1998, numerous smart card projects 
have been initiated addressing a wide array of capabilities, 
including better authentication of the identities of people 
accessing buildings and improved security of computer systems. 
The largest smart card program, as you mentioned, currently in 
operation is Defense's Common Access Card program; in addition 
to enabling access to specific defense systems, this card is 
also used to better ensure that electronic messages are 
accessible only by designated recipients.
    Even with the progress made governmentwide to use smart 
cards, there are several key management and technical 
challenges that need to be overcome to achieve a card's full 
potential, and one of them, as you mentioned, is sustaining 
executive commitment. Without executive commitment, it's very 
difficult to actually see success in smart card efforts.
    A second challenge is obtaining adequate resources for 
projects that can require extensive modifications to technical 
infrastructures and software.
    Third is that integrating security practices across many 
agencies can be a major task, because it requires collaboration 
among those organizations who have responsibility for physical 
security and those organizations that have responsibility for 
computer and information security.
    A fourth challenge is interoperability across the 
government to try to reduce the potential number of stovepipe 
systems that cannot easily communicate with one another.
    And, finally, although concerns about security are 
themselves a key driver for why we want to pursue smart cards, 
the security of smart card systems is not foolproof and needs 
to be closely examined as agencies go forward with 
implementation.
    To help address these challenges, several initiatives have 
been undertaken to facilitate the adoption of smart cards. For 
example, GSA has set up a governmentwide standards-based 
contract. In addition, it's adopted a new agencywide 
credentialing policy, and it's consolidated its special smart 
card projects within the public building service.
    In July, OMB has also shown that it's begun to take action 
to develop a governmentwide policy framework for smart cards, 
specifically, a plan to develop a comprehensive policy for 
credentialing Federal employees. Second, OMB intends to pursue 
a governmentwide acquisition of authentication technology, 
including smart cards to achieve governmentwide cost savings. 
Third, OMB plans to consolidate agency investments in 
credentials and related services by selecting shared service 
providers by the end of 2003.
    Even with those important steps of OMB and GSA, there is a 
lot of work remaining to do in the smart card area. For 
example, reconciling the varying security requirements of 
Federal agencies to arrive at a stable design for Federal 
credentialing is going to take a lot of time; and, further, 
achieving OMB's vision of streamlined Federal credentialing 
will be challenging in attempting to reach consistency in how 
agencies perform identity verification.
    Mr. Chairman, that concludes a summary of my statement, and 
I'd be pleased to address any questions you may have. Thank 
you.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Willemssen follows:]

    [GRAPHICS T3034.003 through T3034.022 omitted (TIFF).]
    
    Mr. Putnam. Our next witness is Ms. Sandy Bates from the 
General Services Administration. Ms. Bates was named 
Commissioner of the Federal Technology Service in March 2000 
after 2 years as Deputy Commissioner. FTS is the GSA's 
information technology and telecommunications organization that 
provides more than $5 billion in products and services to 
Federal Government agencies each year. Prior to her work at 
GSA, Ms. Bates was with NASA where she held various positions 
in telecommunications, including program manager for NASA's 
agencywide local service program and for their Program Support 
Communications Network.
    Welcome to the subcommittee. You're recognized for 5 
minutes.

 STATEMENT OF SANDY BATES, COMMISSIONER OF FEDERAL TECHNOLOGY 
           SERVICES, GENERAL SERVICES ADMINISTRATION

    Ms. Bates. Thank you. Mr. Chairman, thank you for the 
invitation to participate in today's hearing on advancements in 
smart card and biometric technology. The Federal Government is 
making great strides in the use of this technology, and the 
General Services Administration continues to take innovative 
actions to help agencies secure their facilities and 
information. We participate in governmentwide committees such 
as the Interagency Advisory Board, Federal Identity 
Credentialing Committee, the Interagency Security Committee and 
the Smart Card Alliance.
    I'd like to give you a brief history of the smart card 
program and address the concerns in your letter.
    The GSA Federal Technology Service, along with the industry 
partners, can today meet agencies' needs for smart cards, card 
readers, applications development, interoperability and 
complete systems integration. We do this through our 
governmentwide smart card contract.
    With regard to use of smart cards within GSA, the agency 
has initiated several programs. Currently, all GSA associates 
in the Washington, DC area have smart card IDs. All GSA 
associates nationwide will have smart card IDs in fiscal year 
2004. GSA's regional office in New York is implementing smart 
cards at three locations in New York City for physical access. 
They will be using a contact/contactless smart card. The card 
will also include a biometric thumbprint. Cards are currently 
being issued to all Federal employees and contractors at these 
three locations. Employees will be able to use the cards to 
gain access to the building through optical portals.
    Once the initial physical access program is completed, GSA 
will begin planning to implement a smart card solution for 
computer access. Tenant agencies in these buildings that will be 
using the smart card for physical access include HUD, EPA, the 
Corps of Engineers, IRS, FBI, INS and Homeland Security.
    A major feature of GSA's smart card contract is the 
establishment of technical specifications for smart card 
interoperability. These standards are the first of their kind 
for smart cards in government and represent a tremendous joint 
effort by GSA, industry partners and other Federal agencies.
    The GSA's Interagency Advisory Board was established after 
publication of the initial version of the standards. The 
members include representatives from industry and government. 
The IAB continues to refine and update the interoperability 
specifications.
    A recent test successfully proved interoperability of 
civilian smart cards. The objective of the test was to 
demonstrate that multi-agency interoperable smart cards could 
be used in one agency's physical access system to gain access. 
The test participants were GSA, State Department and the 
Transportation Security Administration. Representatives from 
GSA and TSA inserted their smart card IDs in the State 
Department's readers and were granted access to the building.
    Regarding biometrics, GSA is working with other agencies 
and key nongovernmental organizations such as the Biometrics 
Consortium to develop worldwide standards. These standards will 
become part of the GSA specifications.
    The GSA Federal Technology Service is also leading the E-
Authentication E-Gov initiative. Under this initiative, GSA is 
leading the Federal Identity Credentialing Committee, which 
will define the policies for issuance and management of 
identity credentials that encompass both physical access to 
buildings and logical access to systems.
    By implementing standardized credentials across the Federal 
Government, individual access control can be streamlined. 
Government cost savings can be achieved through 
standardization, shared services and consolidated purchasing.
    In conclusion, Mr. Chairman, I am pleased to say that GSA 
has been instrumental in the development of the Federal 
Government's Smart Card Program and in its use of biometric 
technology. Thank you again for this opportunity to appear 
before this committee today, and I'll be happy to answer any 
questions you or the committee members may have. Thank you.
    Mr. Putnam. Thank you, Ms. Bates. We appreciate that.
    [The prepared statement of Ms. Bates follows:]

    [GRAPHICS T3034.023 through T3034.037 omitted (TIFF).]
    
    Mr. Putnam. Our third witness is Mr. Kenneth Scheflen. Mr. 
Scheflen is the director of the Defense Manpower Data Center 
[DMDC], a position he has held since 1977. In this position 
he's involved in both the management and technical aspects of 
programs which he supervises. Since 1998, DMDC has been the 
host for the Common Access Card office, formerly the DOD Smart 
Card Technology Office, which is in the process of converting 
the current military ID card to a smart card containing PKI 
certificates needed to secure the DOD information technology 
infrastructure and other applications. This project is widely 
regarded as the most advanced large-scale smart card program in 
the world.
    Welcome to the subcommittee.

 STATEMENT OF KENNETH C. SCHEFLEN, DIRECTOR, DEFENSE MANPOWER 
            DATA CENTER, U.S. DEPARTMENT OF DEFENSE

    Mr. Scheflen. Mr. Chairman, good morning.
    Thank you for all the kind words, those of you that 
mentioned the CAC this morning. We think it's a real success 
story, one of the first and probably the world's largest 
rollout of over 3 million smart cards to date, a 
multiapplication smart card which incorporates the use of 
biometrics in its issuance process.
    The CAC is an identity-management, identity-assurance tool. 
It was done relatively quickly, 6 months from approval until it 
entered beta testing, largely because it was based on standards 
and best commercial practices. The speed and approach is not at 
all that typical of the way DOD does IT systems. DOD depended 
on other government organizations like NIST and GSA for help in 
establishing standards and evaluating products against these 
standards.
    The fielding of the CAC, infrastructure to use it and the 
PKI credentials it carries is a large and costly enterprise. 
DOD is fortunate to have the resources to be able to do it. The 
CAC probably would have not happened without the decision by 
the Department to field PKI throughout the Department, the need 
to find a token and an infrastructure to issue PKI tokens.
    Essentially, PKI became the killer application for 
justifying the economic case for smart cards, and I think 
without that we probably could not have made the economic 
justification.
    The CAC is designed to be a multi-technology, multi-
application product. The hope is that we can move people away 
from the notion that visual inspection of any ID card is 
sufficient security, and I would note the Washington Post 
article this morning quoting the GAO investigation of the ease 
of counterfeiting driver's licenses and then using those as 
breeder documents to get other things. We have to quit doing 
that.
    We plan to continue to evolve and to improve both the CAC 
itself, the information it carries on it, the security of its 
issuance process and the use of its capabilities to take 
advantage of new technologies and continuously improve the 
security posture of the Department.
    Thank you, Mr. Chairman.
    Mr. Putnam. Thank you very much, Mr. Scheflen.
    [The prepared statement of Mr. Scheflen follows:]

    [GRAPHICS T3034.038 through T3034.044 omitted (TIFF).]
    
    Mr. Putnam. Finally, we have Mr. Ben Wu. Mr. Wu is Deputy 
Under Secretary for Technology at the U.S. Department of 
Commerce. In this capacity he supervises policy development, 
direction and management at the Technology Administration, a 
bureau of over 4,000 employees that includes the Office of 
Technology Policy, the National Institute of Standards and 
Technology and the National Technical Information Service.
    Welcome to the subcommittee.

 STATEMENT OF BENJAMIN WU, DEPUTY UNDER SECRETARY OF COMMERCE 
          FOR TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE

    Mr. Wu. Thank you, Mr. Chairman.
    As you mentioned, as the Deputy Under Secretary of Commerce 
for the Technology Administration, I do assist in the direct 
oversight of the National Institute of Standards and Technology 
[NIST]. While NIST is one of the crown jewels of our Nation's 
Federal laboratory system as our Nation's oldest Federal 
laboratory, it is also at times one of our true hidden gems, 
despite the significant research expertise of its world-class 
scientists, including two Nobel Prize winners. So I appreciate 
the subcommittee's recognition of NIST's vast technical 
portfolio and its service to our Nation and the opportunity to 
appear before you today to review NIST's work in smart card and 
biometric technology.
    Mr. Chairman, in these times of heightened national 
security, I applaud the work of this subcommittee to bring 
intergovernmental solutions to measures that can protect our 
homeland security. The Commerce Department shares this 
subcommittee's focus. Post September 11, Secretary Evans has 
committed the Department's resources to assist in the 
administration's homeland security efforts; and, as a result, 
NIST has been engaged in a number of critical issues, from 
first responder communications to chemical, biological, nuclear 
detection to encryption standards as well as the implementation 
of smart cards within the Federal Government.
    NIST's smart card program dates back to 1988. Recognizing 
the potential for smart cards to improve the security of 
Federal IT systems in our national information infrastructure, 
NIST chose to invest significant research in smart card 
technology at an early stage, and as a result NIST has been on 
the cutting front of many of the early innovations that have 
been integral to the development of modern smart cards. These 
include a generic authentication interface for smart cards, the 
first smart cards to implement the data encryption algorithm 
and the digital signature algorithm and the first 
reprogrammable smart card.
    In my time with you this morning, I'd like to review NIST's 
work on smart card interoperability, standardization, 
conformance testing and further research and development.
    Many Federal agencies have a longstanding interest in smart 
card technology, as you've heard. Since smart cards are capable 
of cryptic functions, they can perform important security 
functions such as securely storing digital signatures, holding 
public key credentials and authenticating a claimed identity 
based on biometric data. So smart cards can be a crucial 
element in a range of current and future critical applications 
such as PKI, transportation worker identity cards, DOD's CAC, 
electronic travel documents and a whole host of others.
    However, large-scale deployment of smart cards has proven 
challenging. Agencies have found it difficult to deploy large-
scale smart card systems due to a lack of interoperability 
among different types of smart cards. Without assurances of 
interoperability, agencies would be locked into a single 
vendor, and that is why NIST has been working so closely with 
industry and other government agencies to provide 
interoperability specifications, guidelines for an open and 
standard method for using the smart cards.
    This issue of interoperability is crucial and has to be 
addressed before any additional investment can be made. Yet, 
historically, the smart cards have been driven by requirements 
arising from specific industry applications in certain domains 
such as banking, telecommunications and health care, and that 
has led to a development of smart cards that are customized to 
those specific domains with little interoperability between 
those domains. These vertically structured smart cards systems 
are expensive, difficult to maintain and often based on 
proprietary technology.
    So when GSA created a contract vehicle and a program to 
procure interoperable smart card systems and services from the 
Federal sector, NIST took on the task of leading the technical 
development of a smart card interoperability framework, and 
this framework was designed to address the interoperability 
problems preventing governmentwide deployment of smart card 
technology and was ultimately incorporated into the smart card 
access common ID contract which GSA operated.
    After additional work to address the Federal customer needs 
identified, NIST published two versions of the Government's 
Smart Card Interoperability Specification [GSC-IS], one in June 
2002 and the other most recently in July 2003, and both 
standards can be found on www.smartcard.NIST.gov.
    GSC-IS has been well received and is making a significant 
impact. In fact, many Federal agencies are moving forward with 
plans to deploy large numbers of GSC-compliant systems. For 
example, DOD has incorporated the GSC-IS in its CAC, 
representing millions of cards, and it will be effective in 
early 2004.
    Additionally, NIST responded to the January 2003 GAO 
report by examining issues associated with the definition of a 
multi-technology card platform. These technologies include 
smart card integrated circuits, optical stripe media, bar 
codes, magnetic stripes, photographs and holograms.
    As a first step, NIST hosted a workshop on multitechnology 
card issues in July 2003, and brought in a number of the 
stakeholders in industry. This workshop focused on 
requirements, issues in Federal Government activities 
associated with multitechnology cards; and, more specifically, 
it examined technical and business issues, existing voluntary 
standards, consensus problems, multitechnology integration 
issues and industry capabilities in the field of ISO, 
compliance storage and processor card technologies.
    Based on this workshop and its followup, NIST is producing 
a technical report that will identify integration 
interoperability research topics, identify gaps in standards 
coverage and also identify multitechnology composition issues; 
and we expect that this report will be available for public 
comment in October 2003.
    Then, in July 2003, we also published the most up-to-date 
GSC-IS, which is known as version 2.1, which I want to tell you 
a little bit about. This document addresses some of the GAO 
recommendations by incorporating support for biometrics, 
countless smart card technologies and public key 
infrastructure.
    As you know, there is keen interest in the convergence of 
biometrics and smart cards, and NIST has also been working with 
industry to move forward the standards on an international 
front, too, working with ANSI and the international standards 
organizations to try to make the GSC-IS an international 
standard, and I'm pleased to say that a lot of progress has 
been made in that front.
    Let me also just conclude by touching upon conformance 
assessment and further research and development needs. 
Conformance testing programs are important so that we can give 
assurances to the customers and users that we have a smart card 
that works well and can conduct business in the way that it's 
supposed to be advertised; and NIST conformance test engineers 
and reprogrammers are developing test criteria, building a 
suite of conformance standards and test tools so that we can 
just do just that. In addition, in looking at some of the smart 
card research and development work that needs to be done, this 
subcommittee is well aware that smart cards and associated 
technologies hold great promise for meeting many important 
needs, and we need to, as has been stated by GAO, make sure 
that there are strong commitments for research and development 
as well as providing good framework, best practices tools, as 
well as an educational program that will help with the 
acceptance and the furtherance of this industry in building it 
up.
    So there's a lot of important issues that remain up front. 
The Department of Commerce is committed in building this 
industry forward and working with our Federal agency partners 
to make sure the needs are met.
    Thank you very much, Mr. Chairman.
    Mr. Putnam. Thank you very much, Mr. Wu.
    [The prepared statement of Mr. Wu follows:]

    [GRAPHIC] [TIFF OMITTED] T3034.045 through T3034.049
    
    Mr. Putnam. Mr. Willemssen, who at the end of the day is in 
charge of the Federal vision for smart card technology? Is it 
OMB?
    Mr. Willemssen. From a policy perspective, it is OMB. 
Historically, OMB has relied heavily on GSA to carry out much 
of that policy, but I would say OMB reiterated its pre-eminence 
as the policymaker with their July 3rd memorandum which 
established a framework for future policy in the smart card 
arena.
    Mr. Putnam. Is the goal to have discrete smart card 
technologies for each agency or a limited number, perhaps one 
for defense, one for nondefense or one for a particular 
clearance?
    Mr. Willemssen. I would say the goal is to become, all 
other factors being equal, as standardized as possible.
    Picking up on what Mr. Wu said, to the extent that we can 
continue updating the interoperability standard and getting 
everyone to fall in line with that standard, the much more 
efficiently we can do business smart card-wise across the 
Federal Government.
    I also think that the Department of Defense's project, CAC, 
since it is so massive, really provides maybe the best 
laboratory from a lessons-learned perspective and 
implementation-challenges perspective on how the Federal 
Government can go forward from this point at additional 
agencies.
    Mr. Putnam. But currently agencies have the discretion to 
move forward with their own smart card technology and Mr. Wu's 
outfit is playing catch-up to develop interoperability?
    Mr. Willemssen. I would say generally yes, but at the same 
time one of the aspects of Mr. Forman's July 3rd memo stated 
that agencies should not be going about acquiring separate 
technologies without consultation with applicable committees. 
We would be supportive of that--of not going forward and 
essentially introducing additional stovepipes into the process.
    Mr. Putnam. Well, how many stovepipes are there now?
    Mr. Willemssen. I believe when we did our report earlier 
this year we had identified about 62 different projects at 18 
different agencies.
    Mr. Putnam. So just averaging out, three per agency?
    Mr. Willemssen. Keeping in mind that the size of each of 
those projects varied dramatically all the way from CAC, which 
is very large. In addition, Transportation Security 
Administration has very massive plans on the drawing board to 
give cards to up to 15 million transportation workers. By 
contrast, some other projects are just in the pilot phase on a 
much smaller scale.
    Mr. Putnam. Everybody has their own rodeo, everybody is 
running their own circus, and we're tearing down stovepipes on 
one side of the government and building them right back up on 
the other.
    Mr. Willemssen. But I think to be fair to the executive 
branch, I think there's a recognition of that and an attempt to 
try to limit that from this point forward. But I agree with you 
in terms of the comment you just made about stovepipes.
    Mr. Putnam. Is it technically feasible to have one card 
that meets all the needs of every government employee?
    Mr. Willemssen. Technically, yes. Managerially and 
policywise, probably not.
    It would probably be very difficult to standardize from a 
policy and management perspective that you could have one card 
that meets all the needs of all employees at all different 
security levels. Different security levels will require 
different techniques to protect data and assets. 
Technologically, sure, it could be done but, realistically, 
probably wouldn't. But I do think we need to standardize on 
fewer; and, again, linking up to what Mr. Wu said, the work 
that NIST has done on the interoperability standard can't be 
underestimated. That's the direction that the Federal 
Government needs to go.
    Mr. Putnam. Mr. Wu, 10 years ago at the University of 
Florida there were 50,000 students. One smart card would give 
you access to the dorm, access to the computer lab, allow you 
to pay tuition, allow you to buy a pizza, allow you to debit 
your book costs, and allow you to use the ATM. A decade later 
why aren't we further along in the Federal Government's ability 
to deploy smart card technologies that are interoperable?
    Mr. Wu. Well, Mr. Chairman, I think that if you were to use 
the University of Florida in an FSU analogy, you know, the 
Federal Government is so large. That smart card wouldn't work 
in Tallahassee that would work in Gainesville. That is the 
problem we're facing right now, is that we see that each of the 
agencies, each of the subagencies are purchasing smart card 
technologies and moving forward along, and they're using 
applications that are right for their particular mission and 
purposes.
    However, if we're trying to have all of the schools in 
Florida, say, or all of the agencies in the Federal Government 
try to talk to each other and be able to use one card in all of 
its systems, then we need to have interoperability. We need to 
have a standard that is adopted by industry so that we can 
create a market out there. We need to have industry agree on 
this specification, and we also need to be able to build it out 
on an international front so that we can develop a strong U.S. 
smart card technology market, and then we can be able to get 
all the accrual benefits for foreign markets and trade. If we 
can do it on our own shores, then move it to Asia, Europe and 
others.
    So NIST is trying to do that, working with ANSI at the 
American National Standards Institute and trying to move the 
GSC-IS standard to an international fora and have it adopted 
within the international standards organization system. And if 
we can do that, then I think ultimately you will be able to see 
one smart card utilized throughout much of the United States 
but perhaps throughout the whole world, and we would have U.S. 
companies, U.S. industry leading that charge. And that's our 
goal.
    Mr. Putnam. How smart do these cards need to be? I mean, 
has anybody really identified what the technical needs are? At 
what point do we determine that it has reached the level where 
it can be deployed, knowing that the technology will be 
changing on a very rapid basis? But has anybody defined what 
the needs are for a Federal Governmentwide smart card 
technology?
    Mr. Wu. Well, in a sense, if you have a multitechnology 
platform, the sky can be the limit, if you can have the 
photographs, the holograms, fingerprints, other data built into 
that platform.
    So, once again, I think it comes down to developing a 
specification, a good standard that industry can then take and 
apply as many smart items or multitechnology items onto that 
card.
    Mr. Putnam. Well, I don't know that really answered the 
question. I mean, we buy computers every day knowing that the 
next day they're obsolete to a degree, that we could have 
bought something bigger and better and faster and more 
productive; but at some point you have to draw the line and say 
this is adequate for our needs today, recognizing that the 
technology will continuously change.
    But is the primary purpose of governmentwide smart card 
technology identity authentication, access control, efficiency 
so that purchases and financial services and E-travel can be 
consolidated onto one identification? What are we trying to 
accomplish? What's it going to cost us and what's it going to 
save us and at the end of the day what will we have achieved by 
deploying this technology that all of you are here to discuss?
    Mr. Willemssen. I would say, Mr. Chairman, in a post 
September 11th environment, the primary purpose of smart cards 
is identity authentication, both from the standpoint of 
physical access to facilities and access to systems. There can 
be other purposes, but I think in today's environment that's 
the primary goal, is ensuring that you know that person is who 
they say they are, including thinking in detail about the 
process of when you give that individual their initial smart 
card, how are you going to ensure that, again, they are who 
they say they are.
    Mr. Putnam. OK. Mr. Wu.
    Mr. Wu. Thank you.
    Mr. Chairman, you raise an excellent question, and NIST has 
been grappling with that issue actually as everybody in the 
Federal policymaking sector has been grappling with that issue 
in relation to border security and the requirements under the 
USA Patriot Act. I think ultimately that question you raised is 
one that needs to be decided in conjunction with congressional 
and executive branch officials as to how far or how much you 
want on that smart card. With the border security issue, the 
USA Patriot Act--it requires a number of Federal agencies, 
specifically FBI, INS and State, to make sure that we have the 
strongest possible measures for people coming into and leaving 
the country.
    There have been a number of tasks placed upon NIST to try 
to help create technical benefits that will allow for us to 
have stronger border patrol, and there have been a number of 
biometric opportunities with fingerprints, facial recognition, 
you know, iris retina scan and others that have been thrown 
into the mix. NIST recommended that we have a dual system of 
fingerprinting and facial recognition, but ultimately I think 
that decision is a public policy decision which Congress as 
well as the executive branch needs to come to a determination 
on.
    Mr. Putnam. Can we replace the rubber stamp and ink pad and 
paper passport with a smart card?
    Mr. Wu. Well, that's ultimately the intention, to have some 
sort of biometric or smart card device so that we can have 
integrity and people coming into our borders who say they are 
somebody, to make sure they are in fact that person.
    Mr. Putnam. Is that technically feasible today?
    Mr. Wu. It depends on--yes, it is. I mean, there are a 
number of biometric identifiers which could be done, 
fingerprints, facial recognition, iris scan, gait, even voice, 
but the question is how much we can afford to do, what is 
feasible and what isn't too technically complicated in order to 
get the job done? You need to determine what you need to--or 
what you want out of this technology, and then we can build the 
technology and new research onto that.
    Mr. Putnam. But it sounds like the technology is already 
there.
    Mr. Wu. The technology is there. It's a matter of trying to 
incorporate it all in, and that's why I think the 
multitechnology platform and the standardization issue is so 
important.
    Mr. Putnam. I'm just not sure what we're waiting on. I 
don't hear what magic technology we're waiting on to be 
developed before we can deploy this. We have the ability to do 
it now. What are we waiting on? What's the next step?
    And if we're waiting for foolproof--one of the witnesses 
said that smart cards are not foolproof. Well, paper passports 
certainly aren't foolproof; and as long as the technology is 
moving forward to design these systems, there will be a 
technology moving forward to fake those systems. And that's 
just life. So let's move on.
    Mr. Willemssen, in GAO's testimony, you said DOD has spent 
over $700 million to have digital certificates on smart cards, 
but they can't be used because no funding was provided to 
enable DOD applications to accept the certificates. Is that 
correct?
    Mr. Willemssen. That was an issue at the time we did our 
review, yes, sir. Mr. Scheflen may have updated information 
that they have gotten that funding at this point.
    Mr. Putnam. Mr. Scheflen.
    Mr. Scheflen. Well, I can't address the question in terms 
of where the money is. I don't believe that there is a problem 
in DOD with funds to smart card enable or PKI enable 
applications.
    I have to be a little bit cautious because there's not one 
big pot of money somewhere that somebody is sitting on and 
doling out. There are different pots of money, and different 
parts of the organization have the responsibility for doing it. 
In this particular case the applications enabling side is the 
responsibility for funding and accomplishing on the individual 
services in the military departments.
    The issuance of the cards and the digital certificates is 
more centrally funded and some in my budget and some in NSA and 
Defense Information Systems Agency. I don't believe that the 
services would be spending the money they have spent to install 
smart card readers on all of their computers and software at 
every desktop if they were not going forward with the 
applications enabling expenditures as well. The best example is 
probably NMCI, the Navy's rollout of their desktop systems 
where they from the beginning planned for smart cards to be 
used for cryptographic log-on to those systems.
    I'm not aware there is anybody at DOD saying I don't have 
the money to do the implementation so that we can actually use 
the product, but I will take the question for the record, Mr. 
Chairman, if you'd like more information.
    Mr. Putnam. I would. I would. Thank you.
    July's OMB memo recognized that we've recreated a bunch of 
stovepipes. Somebody was kind of slow to pick up on that, I 
would assume. We've got 60 plus systems already out there; 
shouldn't we recommend everybody really ought to stop trying to 
develop their own systems? I assume we're waiting on NIST. Is 
that fair?
    Mr. Willemssen. NIST has made progress. Actually, I think 
one of the big items to be waiting on right now is establishing 
a governmentwide employee credentialing policy which I believe 
is the focus of the committee that Commissioner Bates 
mentioned. That's really one of the key next steps.
    Again, keeping in mind that if our primary purpose is to 
authenticate individuals and we want to move to a more 
standardized environment technologically then we need to move 
to more of a standardized policy on how Federal employees are 
going to be credentialed and focus on how that process is going 
to work; and once you set that policy, then the technology and 
the standards can follow, but you can't do them in reverse. 
Otherwise, you again run the risk of stovepiping.
    The other thing I would mention is I think it will be 
instructive for the rest of the Federal Government to look at 
the experience of DOD with CAC, because that is by far the most 
massive effort. They've had some successes. I'm sure they've 
had some challenges, too, and to the extent that we can learn 
from that and not repeat any of the challenges, so to speak, I 
think that would be very beneficial.
    Mr. Putnam. Mr. Willemssen, you said that different 
security policies within the agencies cause problems for 
implementation. Is that information security or physical 
security policies that differ?
    Mr. Willemssen. Well, an example would be, historically, 
physical security organizations within Federal agencies like to 
rely on ID cards, and they like to see those ID cards, look at 
them, these days maybe touch them to make sure they're 
authentic. Again, I'm generalizing here, but many of those 
organizations are probably less likely and less culturally 
accepting of a smart card device. They're not used to that, and 
I'm sure that's an issue at the Department of Defense where you 
have a smart card that can both be used for physical access and 
access to computer systems. You may find a situation that many 
of the guards over at the Department of Defense still want this 
other card to identify the individuals rather than a smart 
card, and I think that can still be an issue at many agencies 
who run into those kinds of barriers.
    The other thing I would point out is, just from a security 
level perspective, depending on the value and the sensitivity 
of the data and assets, you're going to have to vary the level 
of controls you're going to put in the card, as simple as, are 
we going to require biometrics for this given individual given 
what access they have, or is simply a password and a smart card 
without biometrics good enough? It depends on the value of the 
data, and the higher the value of that data, the more controls 
you'll have to put in place on the card.
    Mr. Putnam. Today, what is the typical life of a card? What 
is the useful life of a given card before we would have to 
update them?
    Mr. Scheflen. Our life is 3 years, and that is not tied to 
how long the card could last but to the lifetime of the digital 
certificates that are contained on the card.
    Normally, in DOD the ID cards that the military members get 
are tied to a number of things. One of them is their term of 
enlistment. Another may be the rank. There's a natural turnover 
of cards and it was 3 or 4 years with the existing cards before 
we had smart cards. Going to a fixed 3-year limit because of 
the lapsing of the digital certificates didn't reflect that 
much of a change.
    The good thing about it is that it allows a natural ability 
to introduce new technology on a gradual basis. You don't have 
to say ``we're going to stop today and recall all the cards.'' We 
can phase them in over a period as the cards naturally expire 
or as people come and go. We have 3,000 or 4,000 people coming 
and going just on the uniform side, so it's a fair number.
    If I might add a couple of comments to Mr. Willemssen's--
yes, I think he has the physical security material down and 
about right. We clearly experience those same kinds of problems 
in DOD. The physical security community is much more 
comfortable with badges that are locally issued which they 
recognize and look at. It is a continuing issue for us to try 
to get away from the notion that looking at something provides 
security, which in my opinion, it doesn't today.
    Another common misunderstanding by a lot of people inside 
the Department is that the issuance of a CAC card with all the 
various credentials it has on it somehow conveys some 
privileges, but in truth it doesn't. The privileges to enter a 
building, to log onto a computer, or to get on an airplane or 
whatever are still authorized by those that are in charge of 
granting those privileges. The same thing happens with the 
notion of an ID card that would be a DOD card that could be 
accepted for entry into the State Department.
    The holding of a card itself doesn't necessarily authorize 
me to go anywhere. What would presumably happen is someone at 
the State Department would say, I'm coming to visit, and they 
would put me in the system. When I arrive there they would 
authenticate me against my card and say, yes, let him in the 
building. The same thing with computers. The systems 
administrator needs to establish an account and say, yes, I 
have the ability to log on to that system and I use my card to 
authenticate who I am when I log on in the morning.
    The other thing that has happened a little bit and this is 
sort of where smart cards have come from and as far as where I 
think they're going. I used to be one of those guys that 
carried around a piece of paper that said things you can do 
with a smart card, and it was scrape snow off your windshields, 
scrape mud off your boot, and try to open a door with it. The 
point of that is while we certainly had smart cards out there 
and they were not all that expensive to buy, if you didn't 
build the infrastructure to use them, you really didn't have a 
product that was worth much, and so the infrastructure costs 
and the enabling technologies are the ones that are the hard 
part to do because you must make a change in the way people do 
business and in their business processes.
    When we first started dealing in this business, the reason 
people wanted smart cards was to carry data on them, and they 
wanted to carry data because we had a lot of systems that were 
not interoperable within the Department. A good example was the 
Army's levelization processing, they used the card to carry on 
it when was your last dental exam, had you done a will, and had 
you had certain shots. The reason they did that is because all 
of those things were in computers, but they were in computers 
in different places on the base that didn't talk to each other. 
Putting that data on a card and being able to put the card in 
there gave the commander a quick picture of what this guy 
needed to do in order to be able to deploy. I would refer to 
that as a datacentric approach to smart cards.
    What has happened over the last 5 or 6 years is people have 
begun rethinking the way they do business. Particularly in the 
Department as we've modernized our business processes. We're 
trying to get away from going to an office to fill out a form 
or to change tax withholding information and trying to make 
those things Web-enabled type of applications. If you're going 
to do Web-enabled business, you need to have something that 
authenticates you to the Web and allows you to digitally sign 
an action that is important like a tax withholding form or 
something like that.
    A lot of the interest in the use of cards, particularly 
within DOD, has moved away from carrying a large amount of data 
around to more being an authenticator to systems that are now 
Web enabled and allow you to do business processes in a much 
more efficient way which will do away with the need to walk to 
an office and fill out a form.
    Mr. Putnam. I think that you've outlined very eloquently 
where we're headed, which is that the technology is there today 
to have a miniature smart card replace the dog tag which could 
be swiped on the battlefield to let somebody know what their 
blood type is, that they're allergic to penicillin, that they 
received certain wounds at a different time or that they're 
diabetic. It would also enable them to access their computer 
when they're not on the battlefield or get into the 
installation. Is that not the case?
    Mr. Scheflen. I think that with the exception of the 
medical stuff, the real question is, when you're looking at 
what happens on a battlefield, is it realistic, to pull 
somebody's smart card out of his uniform and put it in a reader 
to check blood type? In fact, that is not the way they do that 
kind of medicine at the frontline. People are triaged and 
evacuated back to rear echelons. Generally, if that happens 
quickly enough, by the time they get back they have 
connectivity back to the main data bases.
    I'm not sure of the medical one and the medical people are 
one of the communities within DOD which have the potential for 
large amounts of storage requirements. They have been refining 
it over a period of years, and we still don't really have a 
complete version of what the medical folks would like to 
install on the card. It's largely been defined as sometimes 
people are--they're deployed in Iraq and they're away from all 
the systems that would normally keep track of what 
immunizations they have. The card might be a temporary carrier 
of information on treatment until they get back into, you know, 
the communications end where that information will be uploaded 
back to the rest of their automated medical records.
    By and large, you have it right. We see it as a device that 
will be used to swipe, to manifest an airplane, to go through 
food services, to change your allotments remotely. If you think 
about it, to a certain extent, it's almost like it's e-commerce 
within the Defense Department. We don't do a lot of government-
to-citizen transactions, because most of the people are somehow 
captive to us. But most of the other departments think of it as 
government-to-citizen and to a certain extent our citizens are 
the military members, the retirees, and their dependents. What 
we're trying to do is give them a way of doing e-business with 
the Defense Department.
    Mr. Putnam. OK. Well, let's take it from a different side. 
If you disregard or if you set aside the datacentric approach, 
and you focus on the access, this is not just DOD, it is 
governmentwide, you can go to a Super 8 Motel and get a card 
that lets you in room 208, but not 210. It lets you charge your 
lunch downstairs, it lets you bill a minibar for your specific 
account, and at midnight, the day you're supposed to check out, 
or 11 a.m., it's worthless. And you could leave it in the room, 
you could throw it on the ground, you could hand it to someone 
on the sidewalk, and it's of no value to that person. And that's 
a very smart technology.
    So what is our impediment to employ smart cards if our 
focus, as has largely been stated here, is access control for 
physical security and access control for information security? 
Why don't we have something that works for frontline special 
security administration workers all around this country, of 
Forest Service firefighters or people who work in Federal 
buildings all around this country who don't have particularly 
complicated security clearances? They're really just interested 
in whether they have any business being in that particular 
building or accessing a particular file of a particular 
taxpayer who's coming in. Why is this so difficult?
    Ms. Bates. Mr. Chairman, I certainly can't address why is 
it necessarily so difficult, but I think that you've identified 
that the technology is there. So we're not necessarily talking 
about the technology problem, as great strides have been made 
in interoperability and standards.
    As my colleague also mentioned, we're now talking about 
culture change, and there are some barriers. There are those 
that say that the culture change or the change process should 
be well along before the technology is introduced, because the 
technology cannot change the culture by itself. Whether it be a 
common access into buildings where--as he spoke about the 
guards, perhaps prefer something else, or getting all agencies 
to agree that these are the minimum set of criteria we will all 
recognize to be on a card for building access. I've experienced 
going to cities where a different ID card for building access 
is required for each building. So an agency that occupies 
several buildings within a city will not even have the same ID 
card that looks the same.
    Certainly the technology's there, but there are costs 
associated with the technology which need to be budgeted and 
planned for, but it is a gaining acceptance, and, as stated in 
the GAO report in your opening comments, getting top management 
support to say, OK, we're going to do this, and making it a 
priority, it's a difficult task.
    Mr. Putnam. You're the chairman of that committee, right, 
the Federal Identity?
    Ms. Bates. It's my organization. We have the chair of the 
e-Governorship, e-authentication, and are working on the 
Federal Credentialing Committee, yes.
    Mr. Putnam. You seem like a very determined woman. I have 
no doubt that you will get these cultures changed. It's absurd. 
This is totally absurd. We hear that all of you are in 
agreement that the technology exists to do this, and all of you 
are in agreement, I think, that culture is the biggest 
impediment. And so we have these agencies with different cards, 
different access, within the same city, and different mindsets 
where we can't stand to just see, touch and feel that plastic 
card that's dangling from everyone's neck.
    So there's a hearing on funding, a hearing on the 
technology of emerging biometrics and smart-card technology. 
All of that is really just an academic exercise is what I'm 
hearing, because it doesn't matter. The secretaries, they've 
got other things to worry about, the assistant secretaries, the 
deputy under assistant secretary to the deputy underling, they 
have other things to do, and so this is all for naught. That's 
really what I'm hearing.
    Let me throw something else out: The access control, the 
identity authentication for facilities, is one of the purposes 
behind this push for smart-card technology. The second major 
push, as I understand it, and correct me if I'm wrong, is 
access to computers.
    Now, the Navy has 67 different payroll systems, or whatever 
it is that we've heard before, 10,000 legacy systems. Everybody 
buys whatever flavor-of-the-month computer system that 
particular office in that particular agency in that particular 
city feels like meets their needs. So regardless of all of your 
hard work on standardizing interoperability of smart cards, 
does it really ever get off the ground until we have true 
interoperability of the tens of thousands of systems that are 
in the Federal Government, or are we going to have to build the 
access infrastructure for each one of these legacy systems so 
that the smart card actually gets you into the program that you 
need to get into? Can we do one without the other?
    Mr. Wu.
    Mr. Wu. Well, if your underlying goal is to be able 
to have somebody from the east coast tap onto a system that 
controls operations on the west coast, you do need to have some 
sort of interoperability of systems, and the smart card will only 
get you the access, as you pointed out. So, if that is your 
underlying goal, then interoperability of systems, which is 
another issue that NIST is working on as well, working with the 
IT industry, that is something that needs to be looked at.
    Mr. Scheflen. Mr. Chairman, I don't think that's quite as 
dire or as unpromising as maybe the picture you painted. 
Basically, if we look at where the smart card industry was 3 or 
4 years ago, it was the University of Florida model you 
described. You had deployed campus systems that were really 
proprietary to a particular vendor. If you looked at that 
particular system, you would find that the same vendor made the 
readers, the cards, and ran the LAN information that tracked 
everything down. Right after September 11 we saw the vendors 
out there that did produce various systems to protect bases or 
facilities have a field day trying to sell their systems to 
everybody that felt they had need to protect it, and, of 
course, had that gone forward, we would have ended up with 
systems that were completely proprietary to every base or 
building.
    What happened with the GSA contract and with the standards 
over 3 years, we basically said to the industry, we're not 
going to play that game anymore. It would be the equivalent of 
you saying, I need some floppies for my computer, and going to 
the computer store and saying, what kind of floppy drive do you 
have for your computer, because you need these cards or these 
cards or these cards, depending on which one you have or what 
kind of software you're running, so I can sell you a different 
product.
    That's the way the industry was, and working with the GSA 
and NIST and lots of others in the government, we said we're 
not going to play that game; that we're going to buy cards. 
We're going to say we want a 64K card that has these 
characteristics, and, you know, we want to buy from the low 
bidder that meets the spec, not one that has a proprietary 
problem, because we have those kinds of readers. We did the 
same thing with readers, and we're trying to do the same thing 
with middleware.
    So what we've tried to do is change industry so that 
anybody who uses the products that are sold through the GSA 
contracts and evaluated by NIST will really be interoperable, 
and I think that we are moving in that direction. We see far 
fewer of these closed proprietary systems that are 
characterized as the campus systems. That had been the only 
success story of smart cards in the United States. It's not 
been a great story here. It's been more of a European success 
story.
    I think we are making progress, and I think that my 
colleagues at GSA and NIST are a large reason why the 
government is in a position to move forward now, and the things 
that they implement will be interoperable.
    Having said that, it's still hard to do. There are cultural 
issues, and guards like to look at cards rather than have you 
put them in a computer and authenticate with a fingerprint. We 
actually have systems in DOD, one of them goes by the acronym 
of BIDS, Biometric Identification System, that uses the cards 
that we issue as ID credentials. At the gate, the cards are 
swiped, it prints up a photograph from the data base and also 
tells them whether the card is good. They can do a fingerprint 
check on a hand-held wireless device and authenticate who 
they're letting into the bases.
    These kinds of things are happening, the interoperability 
is there, and I think that the government is moving in the 
right direction. I think the biggest problem is some of the 
things that they're thinking are so massive that they're almost 
unaffordable. If you say, we're going to give something to 30 
million truck drivers, how do you do that and what kind of 
products do you use and----
    Mr. Putnam. You do it every day with a driver's license. 
What's the marginal increase of cost to take today's driver's 
license, make it smart or add whatever component is necessary? 
What is the marginal cost of that on 30 million?
    Mr. Scheflen. Well, the driver's license people will talk 
about what it takes to do that. I think getting 50 States to 
agree is a problem, but the larger problem is the one my GAO 
colleague talked about, which is how do you really know who you 
are giving a secure credential. I guess what I would look at is 
you're saying, I've got a very secure credential, and I'm going 
to biometrically bind the identity of the person to whom I'm 
giving it. Now, I've done that, and that's what we do in the 
DOD, but, without some assurance that the person who you have 
in front of you is really who he purports to be, and the 
problem there is with the feeder documents that are often 
counterfeited, to get various types of credentials, you may 
create a false sense of security, you know what I mean? We now 
have very securely bound a phony identity to this type of 
document.
    Mr. Putnam. The CAC card.
    Mr. Scheflen. Yes, sir?
    Mr. Putnam. Do you use it for computer access, or is it 
strictly for facility access?
    Mr. Scheflen. No, sir. I use it but it's not sitting in my 
computer at the moment because it's around my neck. When I get 
back to my office, I will put it in a reader on my computer, 
and it'll ask me to enter my PIN number, and it will then allow 
me to log onto the system. If I am away from or if I don't use 
the system for about 5 minutes or 10 minutes, it'll go blank, 
and I'll have to reenter the PIN.
    Because it's my ID card when I leave my office, I need to 
take it out. That locks my system down; nobody else can use it. 
It's really interesting. Most computer security people who have 
come in and evaluated computer security say that the weakest 
link is usually passwords; people give them to others, they 
write them down, they have them on their desk, and they often 
break systems doing that. This is an attempt, not to 
eliminate a password because you still have a password in a 
sense because you have a PIN, but you really require two 
things: you require the PIN and the----
    Mr. Putnam. If a plane crashes into your office in the 
Pentagon, can you put that card in another Defense computer and 
access all of the information?
    Mr. Scheflen. The answer to that, that's a theoretical yes. 
Depends on a lot of things.
    Yes, other card readers will accept my credential. 
Obviously the system administrator for that particular system 
I'm on would have to authorize me to use it, and whether I 
could access my computer or not would depend on whether we have 
remote access facilities set up. The answer to that, I think, 
is that it certainly is possible, and there are a lot of 
companies that are thinking about virtual offices, where they 
go with a thin client, what's called a thin client type of 
approach, where most of the information is not stored on my 
desktop, but on a server somewhere. And I can access that 
wherever I am by simply authenticating to that server, and 
that's, I think, the kind of model you're talking about.
    Mr. Putnam. That is. I mean, if you're at Pearl Harbor, and 
then your next tour is in Germany----
    Mr. Scheflen. Right.
    Mr. Putnam [continuing]. How much effort is required to 
allow you access at your new posting on your new tour, and does 
it require a new card, does it just require a few keystrokes of 
updating your current card? If you change billet and you go 
from naval public affairs to naval financial management, do you 
have to get a new card? Does it require just a few keystrokes 
to allow you access to the new items that you are now allowed 
to view and shut down the items that are no longer appropriate 
for you to access?
    Other than getting in the front door and allowing us to 
have a better connection between the person entering and who 
they actually are with some biometric identifier, are we not 
shortchanging the potential of smart-card technology?
    Mr. Scheflen. No. I think, if anything, the emphasis in 
Defense has probably been more on the IT side than it has been 
on the getting in the front door side for a lot of the reasons 
that GAO described, the cultural difficulties. It is really a 
large focus on the getting onto the systems and accessing Web 
sites where I do business. That is more the current usage of 
the card than even physical access.
    Now, keep in mind that in the case of DOD, this ID card 
also is a Geneva Convention card that has to have certain 
information when people go into a war zone, that's different 
than a physical access card. It is an ID card as well.
    I think that, in answer to how much has to happen if you 
change jobs, a little bit of that is the business process of 
the components in terms of how they want to do that, but by and 
large unless you went from one component to the other because 
your visual certificates would have to change, and if you're a 
civilian and went to work for the Army and went to work for the 
Navy, for example, you would get a new ID card. If you changed 
jobs within the Army, there wouldn't be a need to do that.
    Mr. Putnam. Ms. Bates.
    Mr. Scheflen. Well, the military side is a little more complex, 
but normally people don't change components. You might change 
your e-mail address because you could be reassigned--i.e., an 
Army guy could be assigned to a defense agency where his PKI 
credentials may need to be different, and so he would have to 
go back but wouldn't necessarily need a new card. He could have 
new certs put on the card.
    Mr. Putnam. OK. Well, let's switch to the civilian side----
    Mr. Scheflen. OK.
    Mr. Putnam [continuing]. Because that would be a good lick, 
too, if we could just fix that.
    Someone who lives outside of Washington, DC, works for one 
of the many agencies that accesses documents about private 
information about American citizens, with IRS, Social Security, 
HUD, Health and Human Services, generally stay there a while, 
live in the same city, work in the same building, what are we 
really trying to accomplish with the smart card, and what are 
the barriers to the plan in that type of situation?
    Ms. Bates. I can speak generally and not specifically about 
each agency because each agency may have their own program 
going, but----
    Mr. Putnam. Well, but we'll change that, right?
    Ms. Bates. Right. Right.
    Mr. Putnam. We're not going to be able to say that much 
longer, I hope.
    Ms. Bates. And that'll be good. That'll be good.
    I think given that we're not the Defense Department, and 
other agencies are independent, if we take it incrementally, 
perhaps in groups of steps, where you start with a common 
identification card where your badge or your ID card, which is 
part of a smart card, that they are all alike or have common 
fields. This is what we're trying to implement--GSA is 
implementing in New York City, which I referenced earlier; in 
the three buildings, the tenant agencies have agreed that 
the badges look the same, and they are. Everybody entering 
those buildings goes through the contact, the scanner, and you 
get that acceptance. You can begin to add other elements to 
those cards, whether it's the computer system access or whether 
it is the purchase card or the other elements, but having it be 
against the same set of standards, an agreement that this is 
what all the cards are going to have, a minimum capability.
    You can then--as Mr. Wu stated, have people who are in 
position to say, OK, I, Sandra Bates, have authorized this, 
this, and this; you have to have that, but at least you have 
the common card. That would lead to some group purchasing where 
you can say, OK, we're going to do X amount, we're going to 
purchase the cards and the readers in bulk, and leverage the 
government's buying power. That would achieve savings and also 
give some central oversight against a set of companies that 
have been predetermined. If you have the top down support and 
then the methodology outlined to implement, you can move 
forward, but you do it incrementally.
    I think that each agency will always have some unique 
requirements, and that's OK, but they should be able to be 
accommodated. If we could establish a base line, for example to 
get into certain types of buildings let's say, everybody has to 
do X, and you agree on it--here again I'm not talking about a 
technology problem. It is a management and implementation 
issue, one that certainly could be resolved, and I think that 
if we had a governmentwide policy that said this is what we're 
going to do, and then we leverage the government's buying power 
and implement, whether it be across all Federal buildings or 
Federal installations.
    The other area that would be addressed in all of this, and 
I think we've alluded to it, and I've said it outside this 
room, is culture. The people who are doing IT security are very 
well attuned today about cybersecurity and generally have a 
technical background. They are the keepers, and the users have 
been indoctrinated so that they understand they need security.
    On the physical access side, it's a different group of 
people. It's managed separately, and the expectations are 
different on the part of the people who manage it and on the 
part of people of what is required to come into a building. The 
same person can have different expectations to their computer 
security versus their physical security, but I think we need to 
pull that together and manage it as one. And we've had that--
those are the things as we move toward success.
    Maybe you would still be frustrated and say this is not 
moving fast enough, but with an initiative that allowed for an 
incremental approach where you moved quickly incrementally 
rather than one big, you know, throw the Hail Mary pass, I 
think government responds better to incremental approaches.
    Mr. Putnam. Thank you all very much.
    Mr. Willemssen.
    Mr. Willemssen. I wanted to add something to an item you 
mentioned before, Mr. Chairman, and you had talked about all of 
us possibly agreeing that culture was the biggest impediment.
    What I would say is that top management commitment and 
sustaining that commitment is the largest impediment, and 
consistent with our prior recommendation, as I mentioned, OMB 
did come out with that July memo laying out a policy framework.
    I think the next step, in terms of your concern about 
what's holding us up, is looking at the Federal Identity and 
Credentialing Committee. They obviously have a mission now, and 
that's to come up with a common policy for credentialing 
Federal employees. So how are they going to achieve that 
mission, and when are they going to do it? What are the tasks 
and milestones associated with that? And I think to the extent 
you can get an answer to that question, then you're that much 
closer to knowing when these barriers are going to be overcome.
    Mr. Putnam. Thank you very much.
    Mr. Wu, did you have a final comment?
    Mr. Wu. As we conclude today's hearing, or at least this 
panel, I just wanted to note that you raised some very strong 
issues. And certainly the Federal Government has certain unique 
needs and requirements, but as we move forward to try to seek 
solutions and try to achieve the goals that you would like, I 
would urge that you also include the industry voice, because as 
we try to take into account this change in culture, we need to 
have customer acceptance, customer confidence, and if we allow 
the industry to do that as it promulgates itself 
internationally and domestically, I think that'll be best, 
because trying to achieve a market-driven solution would be the 
ultimate scenario that would be successful for all of us.
    Mr. Putnam. Thank you all very much. We appreciate the 
contributions of panel one. If you can, I'd encourage you to 
stay for panel two and listen to some of the private sector 
comments, that industry voice Mr. Wu referred to. And, with 
that, we will recess for about a minute and a half while panel 
one dismisses itself and panel two is seated.
    [Recess.]
    Mr. Putnam. If you all are ready, I'll swear you all in.
    [Witnesses sworn.]
    Mr. Putnam. Note, for the record, all the witnesses 
responded in the affirmative.
    I'd like to welcome panel two of this hearing and 
appreciate your participation in this important topic. Our 
second panel of witnesses includes three distinguished 
individuals. Mr. Keith Rhodes is our first witness. He joined 
the General Accounting Office in 1991. He is currently the 
chief technologist at the Center for Technology and 
Engineering, where he has contributed to a variety of 
technically complex reports and testimony. Before holding this 
position, Mr. Rhodes was the Technical Director in GAO's Office 
of the Chief Scientist for Computers and Telecommunications. As 
Technical Director he provided assistance throughout GAO for 
issues relating to computer and telecom technology.
    Welcome to the subcommittee. You're recognized for 5 
minutes.

    STATEMENT OF KEITH RHODES, CHIEF TECHNOLOGIST, GENERAL 
                       ACCOUNTING OFFICE

    Mr. Rhodes. Thank you Mr. Chairman.
    I have my statement which I would submit for the record. 
Thank you.
    Mr. Chairman and members of the subcommittee, I appreciate 
the opportunity to participate in today's hearing on the use of 
smart cards and biometrics in the Federal Government. A 
holistic security program includes three integral concepts: 
protection, detection and reaction. To provide protection of 
assets, such as physical buildings, information systems, or our 
national border, a primary function is to control the movement 
of people into or out of protected areas. People are identified 
by three basic means: by something they know, something they 
have, or something they are.
    As you've already heard, smart cards can have secure 
identification documents, something that people have. 
Biometrics can automate the identification of people by one or 
more of their distinct physical or behavioral characteristics, 
something that people are. The use of these technologies in 
combination can help provide more security than the use of 
these technologies in isolation.
    Last year we completed a large body of work that assessed 
the use of biometrics for border security. In that report we 
discussed the current maturity of several biometric 
technologies, the possible implementation of these technologies 
in current border control policies, and the policy 
considerations and key considerations of using these 
technologies. While we examined the use of biometrics in a 
specific border control context, many of the issues that we 
identified apply to the use of biometrics for any security 
system, which I will address in my remarks today.
    Biometric technologies vary in complexity, capability and 
performance. They are essentially pattern recognition devices 
that use cameras and scanning devices to capture images and 
measurements of a person's characteristics and store them for 
future comparisons. The first step in a biometric system is 
enrollment, when a person first presents their biometric and an 
identifier, and the system is trained to recognize that person. 
After enrollment biometric systems can be used to either verify 
a person's identity, conducting a one-to-one match, or to 
identify a person out of a data base, conducting a one-to-many 
match.
    In my prepared statement we briefly discuss certain leading 
biometric technologies, including fingerprint recognition, 
facial recognition, iris recognition and hand geometry. Our 
technology assessment report provides more detail on each of 
these. However, it's important to realize that no biometric 
technology is perfect. Even more mature technologies such as 
fingerprint recognition are not 100 percent accurate.
    Systems sometimes falsely match an unauthorized person with 
a legitimate biometric identity in a data base. Other times a 
system fails to make a match and rejects a legitimate person. 
These error rates are inversely related and must be assessed in 
tandem. Acceptable risk levels must be balanced with the 
disadvantages of inconvenience. Different applications can 
tolerate different levels of risk.
    Also, not all people will be able to enroll in a biometric 
system; for example, the fingerprints of people who work 
extensively at manual labor are often too worn to be captured.
    Better technology offerings can minimize these error rates, 
but no product can completely eliminate these errors. These 
limitations of biometric technology need to be considered in 
the development of any security program using biometrics.
    Biometric technology has been used in several Federal 
applications, including access control to buildings and 
computers, criminal identification, and border security. In the 
last 2 years, laws have been passed that will require a more 
extensive use of biometric technologies in the Federal 
Government for border and transportation security. Biometric 
technologies are available today. They can be used in security 
systems to help protect assets.
    However, it is important to bear in mind that effective 
security cannot be achieved by relying on technology alone. 
Technology and people must work together as part of an overall 
security process. Weaknesses in any of these areas diminish 
the effectiveness of the security process. Poorly defined 
security processes or insufficiently trained people can 
diminish the effectiveness of any security technology.
    We have found that three key considerations need to be 
addressed before a decision is made to design, develop, and 
implement biometrics into a security system. One, decisions 
must be made on how the technology will be used. Two, a 
detailed cost-benefit analysis must be conducted to determine 
that the benefits gained from a system outweigh the costs. 
Three, a tradeoff analysis must be conducted between the 
increased security, which the use of biometrics would provide, 
and the effect on areas such as privacy and convenience.
    Security concerns need to be balanced with practical costs 
and operational considerations as well as political and 
economic interests. A risk-management approach can help Federal 
agencies identify and address security concerns. A risk 
management approach helps agencies define and analyze the 
assets that need to be protected, the threats to those assets, 
the security vulnerabilities that could be exploited by 
adversaries, security priorities, and appropriate 
countermeasures.
    As Federal agencies consider the development of security 
systems with biometrics, they need to define what the high-
level goals of this system would be and develop a concept of 
operations that would embody the people, processes and 
technologies required to achieve these goals. With these 
answers, the proper role of biometric technology in security 
can be determined.
    Mr. Chairman, that concludes my statement. I would be 
pleased to answer any questions that you may have.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Rhodes follows:]

    [GRAPHIC] [TIFF OMITTED] T3034.050 through T3034.075
    
    Mr. Putnam. Our second witness is Mr. Christer Bergman. Mr. 
Bergman has been associated with Precise Biometrics since 2000 
and has served as president and CEO for the company since June 
2001. Prior to joining Precise Biometrics, Mr. Bergman has 
worked in the information technology industry for the last 20 
years and has held managerial and executive positions in 
leading Fortune 500 companies. He also serves as an officer on 
the board of directors of the International Biometric Industry 
Association, a trade association dedicated to supporting and 
advancing the collective international interests of the 
biometric industry as a whole.
    Welcome to the subcommittee. You're recognized for 5 
minutes.

     STATEMENT OF CHRISTER BERGMAN, CEO, PRECISE BIOMETRICS

    Mr. Bergman. Good morning, Mr. Chairman, and thank you for 
the opportunity to be here today to represent the view of the 
industry regarding advancements in smart card and biometric 
technology in the Federal Government market. As you indicated, 
my role, roles, are living and breathing biometrics, an 
industry that is transitioning from emerging technologies into 
the necessary tool which is part of our daily lives.
    The biometric industry today is recognized as very much in 
focus for governments, organizations, corporations, but it 
still needs a major sign of approval from government and 
corporations in order to grow into a mature industry. I'm 
delighted to have the opportunity to give the industry 
perspective of what is happening and what is needed in order 
for this to be a reality.
    Let's talk biometrics. As we heard, simply speaking, 
biometrics is using the body, body parts, in order to identify, 
verify or authenticate yourself. It could be face, finger, 
voice, etc. It could be a combination or stand-alone. Biometric 
technologies could also be used in conjunction with another 
technology, such as a smart card.
    When we talk about biometrics, it's also important to say 
where the biometric template--which is a digital stamp of your 
fingerprint or face--is stored and compared in the process. 
This could be done on a network server, including 
a data base; that could be done on a workstation, or on a device, 
or even on a smart card, as we talked about today, and then we call 
that technology Match-on-Card. Same thing, smart card.
    What is a smart card? A smart card is a credit-card-sized 
plastic card with a small computer on it. It could either be 
connected via the chip or contactless, as in the case with 
physical access, and waving the card in front of the reader. 
The smart ID card, as we call it, is an intelligent badge 
that can be used to access buildings, gain access to computer 
networks, and can also be the carrier and verifier of my 
personal biometric identifier. As Mr. Rhodes said before, 
the combination of smart card and biometrics can provide a very 
secure infrastructure. If you present something you have, which is 
a card, and something you are, which is your finger or face, and 
combine it with the password, then you have a three-factor 
authentication, which represents a very secure ID credential.
    However, in reality, in most systems there is a big 
security gap between what the system is designed for and how it 
is actually working. Therefore, there is a growing demand for 
biometrics in combination with smart cards, so, in my 
statement, I'm referring to biometrics and now the smart card.
    In the older configuration, you used a smart card purely to 
store information, e.g., a biometric template. In the newer 
configuration, preferred from a security point of view, you 
use, in fact, the smart card as a computer 
and also do a comparison of the biometric template on the card, 
and I will come back to that in a few seconds. Clearly, that 
means that all the smart card functionality on that card can 
only be accessed by the person with the biometrics matching the 
one stored on the card.
    We from the industry very much appreciate the committee 
holding this very important hearing today, because as we 
approach the second anniversary of September 11, it is crucial 
to be asking the questions as to why deployment of these secure 
items is not happening on a broader scale.
    My full testimony is attached in response to many of the 
reasons for this. Let me take a moment to highlight just a 
couple of the challenges and misunderstandings.
    Privacy. People think that a biometric application takes 
your fingerprint image and places it in a big data base where 
it can be used or misused. That is not correct. We are using a 
biometric template, a template from a fingerprint. It could be 
stored on a smart card, not in the data base, and also it can, 
in fact, be stored and computed on the card. That means that 
the only place where the biometric template exists is on the 
smart card both during storage and the comparison of the stored 
and captured new image.
    Second, the cost. There are many elements that, as we heard 
before, build up the cost of any system in the 
infrastructure. If you combine the smart card and biometrics, 
you can optimize the cost of any system. For instance, if the 
application is only verification, there is no need for a big 
back-end data base and a costly infrastructure.
    Coming back to overall leadership support, biometrics was 
considered a new technology a number of years ago. We from the 
biometric industry, we applaud President Bush, Secretary Ridge 
and others who frequently mention biometrics in speeches. That 
gives us a big boost about biometrics out in the industry.
    However, there are other organizations that need to be 
applauded. They have shown national leadership in the 
government community, such as the U.S. Treasury, that implement 
the smart card and biometric system. DMDC and the CAC program, 
as we heard before, are looking into replacing the PIN code 
with biometrics, and we have the State Department, who was one 
of the first to implement the smart card.
    My conclusion is that the biometric-enabled smart card is 
not only a concept, it is very much a proven reality. It could 
lower overall cost, minimize privacy issues, optimize the 
usability from a security and convenience point of view, and it 
could be used for physical and logical access. The industry is 
actively participating in the standardization work, but in 
order to create the de facto standard and implement a secure, 
cost-effective and convenient security system with minimum 
security gaps, there's a strong need for visionary leadership.
    The combined smart card and biometric industries are ready 
and willing to work with the leaders of this community, the 
Congress and administration to make biometric-enabled smart 
cards a reality.
    Thank you, Mr. Chairman, for your time and consideration.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Bergman follows:]

    [GRAPHIC] [TIFF OMITTED] T3034.076
    
    [GRAPHIC] [TIFF OMITTED] T3034.077
    
    [GRAPHIC] [TIFF OMITTED] T3034.078
    
    [GRAPHIC] [TIFF OMITTED] T3034.079
    
    [GRAPHIC] [TIFF OMITTED] T3034.080
    
    [GRAPHIC] [TIFF OMITTED] T3034.081
    
    [GRAPHIC] [TIFF OMITTED] T3034.082
    
    [GRAPHIC] [TIFF OMITTED] T3034.083
    
    [GRAPHIC] [TIFF OMITTED] T3034.084
    
    [GRAPHIC] [TIFF OMITTED] T3034.085
    
    [GRAPHIC] [TIFF OMITTED] T3034.086
    
    [GRAPHIC] [TIFF OMITTED] T3034.087
    
    [GRAPHIC] [TIFF OMITTED] T3034.088
    
    [GRAPHIC] [TIFF OMITTED] T3034.089
    
    [GRAPHIC] [TIFF OMITTED] T3034.090
    
    Mr. Putnam. Our final witness for this panel is Mr. Daniel 
Turissini. Mr. Turissini is president and COO and one of 
Operational Research Consultants' founding partners. For the 
past 10 years, he has focused the Operational Research 
Consultants in the field of information assurance and 
information security. Of note, ORC was certified as the first 
of three certificate authorities for the Department of 
Defense's External Certificate Authority program. The ORC is 
also certified by the General Services Administration to 
provide access certificates for electronic services. Under Mr. 
Turissini's leadership, ORC has been designated as the lead 
systems integrator for the DOD Public Key Infrastructure, a 
standard information assurance program being implemented across 
all branches of the DOD, which is a user community of 
approximately 36 million personnel, devices and applications.
    Welcome to the subcommittee, Mr. Turissini. You're 
recognized for 5 minutes.

   STATEMENT OF DANIEL E. TURISSINI, PRESIDENT, OPERATIONAL 
                   RESEARCH CONSULTANTS, INC.

    Mr. Turissini. Thank you, Mr. Chairman.
    Thank you for the opportunity to appear here to discuss 
advancements in smart card and biometric technology. The fact 
that this committee is holding these hearings reinforces an 
important focus on ensuring the integrity of sensitive and 
confidential information. The paper I provided, which I 
summarize here, highlights the complexity of this challenge.
    I focus on digital security and authentication. We can talk 
to physical in the questioning. This includes maintaining an 
open environment for commerce, data exchange, collaboration and 
communication, but without sacrificing information security. To 
meet this challenge, we must first adopt a credential or a 
standard for credentials that will support confidentiality, 
data integrity, identification and authentication, privilege 
and authorization, and nonrepudiation.
    Second, we must provision to protect those credentials. 
This is further complicated by our need in this country to be 
mobile.
    And last, we must achieve these goals without encroaching 
upon civil liberties under which our country was founded.
    The information fog preceding September 11 and the recent 
virus attacks in the headlines leave little time for invention 
and development, especially while we are not taking full 
advantage of significant advancements in the development of 
production and technologies like smart cards, biometrics, and 
asymmetric credentialing. We must certainly agree about the 
urgency to these requirements; yet, for over 5 years we have 
delayed implementing solutions that address many of these 
issues in favor of a more optimal solution that will soon be 
available or a single solution that will be everything to 
everybody.
    Our target should be striving to attain the highest level 
of security currently attainable without sacrificing 
availability to authorized parties. To a large degree, the 
resistance to this technology has been due to fears of the loss 
of privacy and images of ``big brother.'' Although not without 
merit, such fears do not have to be realized if the proper 
approaches, policies, procedures and education are employed. We 
must embrace the technology available today and continue to 
evolve these technologies as advances emerge and technologies 
mature. Instead of reinventing the mouse trap, we must use the 
mouse trap we have and enhance that trap over time.
    The technologies necessary to attain digital security in 
our open society are available. Asymmetric key technology fully 
supports nonrepudiation and ensures user privacy. Identity, 
represented by a key pair, can be managed so that key, the 
private key, is created and retained only by the owner, while 
the associated public key can be freely distributed, thus 
providing the requisite security needed to afford all parties a 
high level of confidence that the individuals attempting access 
into resources are who they claim to be, and that the actioning 
of a transaction can be identified and nonrepudiated, and this 
can be done without compromising or infringing upon the privacy 
of the individual. It has been by adhering to established 
standards, policies and procedures, and enforcing the proper 
use and integration of these technologies, and enforcing the 
laws to provide the requisite ramification for transgression.
    The infrastructure to deploy this technology is currently 
fielded, capable and interoperable, but underutilized. Federal 
leadership is required for the implementation of meaningful and 
efficient security over the Internet to protect sensitive 
information and billions of dollars in transactions each day. 
With your support, the large investment already made in the GSA 
ACES program and the DOD PKI program can be embraced to avoid 
many of the problems that stand in the way of the President's 
e-government initiatives.
    Equally as important is advancement of the technologies of 
smart cards and biometrics, and they can be focused on 
enhancing the existing security tools and ensuring the 
protection of these credentials that are available today. There 
is not currently one solution or technology that will attain 
the desired level of security without sacrificing availability 
and without encroaching on civil liberties; however, through 
proper integration and configuration of smart card, biometric 
and asymmetric key technology, security can be achieved and 
Constitutional rights protected. It is an achievable 
undertaking that will ``provide for the common defense, promote 
the general Welfare, and secure the blessings of liberty to 
ourselves and our prosperity.''
    Thank you for your time and the opportunity to present our 
viewpoint.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Turissini follows:]

    [GRAPHIC] [TIFF OMITTED] T3034.091
    
    [GRAPHIC] [TIFF OMITTED] T3034.092
    
    [GRAPHIC] [TIFF OMITTED] T3034.093
    
    [GRAPHIC] [TIFF OMITTED] T3034.094
    
    [GRAPHIC] [TIFF OMITTED] T3034.095
    
    [GRAPHIC] [TIFF OMITTED] T3034.096
    
    Mr. Putnam. I appreciate the remarks of all of our 
witnesses.
    I'd like to begin with questions from Mr. Rhodes. You 
opened up your remarks with a three-prong test, if you will: 
How will the technology be used, what is the cost-benefit 
analysis, and what are the tradeoffs.
    Mr. Rhodes. Yes, sir.
    Mr. Putnam. I'd like you to answer, how does GAO envision 
smart-card technology being used; to what degree, what scale, 
what applications would be layered on? In other words, are we 
just talking about identity authentication, are we just talking 
about access, or would there be other applications which you 
all would envision?
    Mr. Rhodes. Well, there would be the primary function, of 
course, the authentication of you as who you are, and all that 
would be associated with your identity.
    So that would be mainly in the areas of access, and that 
would be access to location as well as access to system and 
information, etc.; I mean, not unlike the token that you carry 
with you in order to vote. I can't use that token; that's 
yours. It's in your possession, but it gives you access in 
order to do something.
    So in saying, ``Is it just access to a facility or is it 
just access to a system,'' it's really the opener for you to be 
able to exercise your function as a Representative of the 
United States in your role of executing a vote. So that's 
defining it just as access to location or access to 
information. There is that part.
    But then the other two legs, as it were, of detection as 
well as reaction in terms of holistic security approach, it 
would be used as a continual identifier of you wherever you 
were inside the system. You're inside a facility and then you 
log onto a computer and some incident occurs; we will be able 
to know where you are inside the system. So it's not just 
access for you as an individual, but it's also evidence 
collection. It's also forensic analysis from the law 
enforcement standpoint, and it's also reaction from either the 
computer emergency response team or law enforcement to be able 
to isolate the systems that are under attack or a location 
that's having a problem.
    For example, in the release of the Blaster Worm that's gone 
on for the last few weeks, someone has been identified. There's 
a possibility that someone else is colluding with that 
individual. If people had better positive identification of 
themselves, of the system, and of the system to other systems 
involved--it's not just an access point, but it's also an 
identifier of action as well.
    Mr. Putnam. So those are additional values that come from 
having positive ID. Does it pass your second test, which is the 
cost benefit?
    Mr. Rhodes. Depending on what you want to do. If you're 
talking about--I mean, once upon a time, for access to a 
particular system, when I worked prior to coming to GAO, I 
needed a retinal scan in order to actually control the system, 
because it was a high-value asset and it was a high-security 
clearance. I actually had several stages I had to go through 
before I got to that part of the system where I exercised the 
retinal scan. So in that scenario, the cost benefit is the 
function of what are you going to lose if the asset becomes 
compromised.
    And that's really the primary high-level policy statement, 
not unlike the Smart Card discussion that my colleague Joel 
Willemssen talked about on the first panel. There has to be 
that policy established that says, ``This is the hierarchy of 
value.'' What we're really talking about is operation security. 
You're looking at what are the critical assets. You're valuing 
them based on risk, and you're saying what needs to be applied.
    Well, most people view a retinal scan as very intrusive, 
and they aren't willing to sit and go through that process; but 
everybody has their fingerprints, and that's less intrusive. So 
building that connection between value of asset and the 
multiple layers of authentication--something I have, something 
I know, something I am--that's the process for the cost 
benefit. So being able to say, are biometrics cost beneficial? 
Yes, they are.
    Smart cards are cost beneficial as well, depending on how 
you apply them. I mean, the CAC program, as was discussed in 
the earlier panel, incorporates fingerprints. Obviously it's 
cost beneficial for their application, but you might not be 
able to use that to control a spacecraft on orbit.
    Mr. Putnam. I think Mr. Willemssen's comments were right 
on, and his take-away point was that this credentialing 
standardization is the most important first step; and I think 
that was the key point. But at the higher levels, at the higher 
security clearances, if you want access to a silo or access to 
a sub, I think that people are pretty well in agreement and are 
willing to undergo the intrusive nature of the biometric scan. 
But we basically already have that.
    Mr. Rhodes. Absolutely.
    Mr. Putnam. Since.
    Mr. Rhodes. Twenty years ago.
    Mr. Putnam. But if our goal is a governmentwide smart card 
program or even a DOD-wide smart card program, is it still cost 
effective for someone who has no clearance, has no access to 
particularly sensitive material, and you're just using it as a 
nifty way to get around people having keys and people being 
able to get behind the counter at the Social Security 
Administration as opposed to just getting into the public 
building?
    Is that cost benefit always worth it?
    Mr. Rhodes. Well, that's the--your point is--and the 
hierarchy you just went through is the true basis for it. If 
all you're wanting is for somebody to get access into a 
building in order to stand on the other side of the counter and 
talk to some government official you may not necessarily need 
that. However, for the person to get behind that counter in the 
environment we are in now, with the understanding of the threat 
that we have now, it certainly seems that something far beyond 
just my driver's license, which colleagues from our Special 
Investigations Office are testifying on today. We have forged 
credentials for them. At that point, the token at that moment, 
my driver's license, is pretty worthless.
    Mr. Putnam. Especially in any good college town.
    Mr. Rhodes. Yes, especially in any good college town where 
they know that to be old enough to buy a beer, you need a 
photograph of the front of your face, not the profile of your 
face. I mean, these are the points that need to be made.
    One other question, though, that needs to be asked is--and 
the other two panelists have alluded to this--the system behind 
the token has to be clearly designed and built from a security 
standpoint so that, for example, I have the correct token, but 
the system behind it is broken. So now I am authenticated into 
a system where either the enrollment piece isn't good enough or 
the system itself and who is maintaining the system behind it 
aren't good enough.
    Mr. Putnam. This is not your first Technology Subcommittee 
hearing. You've heard stovepipes and interoperability and all 
this kind of stuff for a long, long time, a lot longer than I 
have. This is a question I posed to the first panel.
    How do you juxtapose the goal of access management and 
identity authentication with the fact that there are so many 
thousands of different systems, even within agencies or within 
departments? Until we have interoperability there, will smart 
cards ever really work on a broad basis?
    Mr. Rhodes. Not on a broad basis. I mean, I have seven ID 
cards in my pocket right now, some of which--two of which are 
used for the exact same building. One is to get into the front 
door and one is to get onto a certain floor, because there are 
two different agencies in the building.
    So if I'm talking about physical tokens with my picture on 
it, I think I'm in several hundred access systems around 
Washington and the United States and other government agencies.
    So until you have that interoperability that you're talking 
about, I won't be able to have the ``single sign-on'' where I 
can do what you were asking on the first panel, take my token, 
plug it in. God forbid that my building has a--there's some 
accident that occurs in my building and I need to be evacuated. 
No, I will not be able to take that token and go to a remote 
location and log in unless the infrastructure is there or 
unless the stovepipes are broken, because it can't just be a 
matter of me being able to have complete, unfettered access and 
authentication to the system in front of me. I need to be able 
to go to other places.
    Mr. Putnam. The point you made about the number of ID cards 
you have, you can go down to the Capital Hyatt or the Hilton or 
anywhere, and everybody gets a room card--hundreds of different 
room cards, two per room, 300 rooms in this big, tall hotel. 
All those cards get you in the front door after hours or the 
back door or the parking garage, all of them equally, but 
unequally get you into your discrete room that you have 
business being in. But GAO can't have the same technology.
    Mr. Rhodes. The GAO--I will say this. The GAO does have the 
same technology, but we're only 3,000 people. We're 3,000 
people in 10 locations, and we have a Comptroller General who's 
a power user of technology.
    If you want to have an organization, if you want to be able 
to take the entire Federal Government and say, standardize, 
well, who's the czar of the Federal Government? Who's going to 
use both carrot and stick to get that done? That's the modus 
operandi for the solution.
    I mean, I report directly to the Comptroller General of the 
United States, and he believes that security is important, but 
convenience is also important. And we've struck a balance. So I 
have one ID for the General Accounting Office.
    Mr. Putnam. Well, we're going to have a czarina now.
    Mr. Bergman and Mr. Turissini, give us the private sector 
take on what you've heard this morning. Where are we headed? 
What is your vision for what the Federal Government's approach 
to smart card technology could be?
    Just share that with us, if you would, please, beginning 
with Mr. Bergman.
    Mr. Bergman. Do you want the pleasant answer or the truth?
    Mr. Putnam. Well, you're under oath now. So you're stuck.
    Mr. Bergman. Good point. I think it takes too long to get 
started and deploy the technology.
    The technology is there in different places, and we need to 
move forward. It was talked about that, we use more and more 
Web-enabled applications, and that's good and fair; but then we 
talk about the Web application having a smart card or smart ID 
credential interacting with the PIN code. So then we have two 
PIN codes talking with each other.
    Where is the evidence that it is the person who is 
authenticated to that particular smart card?
    The technology is here, and I think that it's been said a 
number of times today that we need to get moving and create a 
de facto standard. The technology is not the blockage, and I 
don't think that we have to be that complex in creating all the 
back-end systems, all interacting, because then we need to wait 
for another number of years.
    Private organizations have similar problems. They don't 
have one back-end system even for a small corporation. They 
have hundreds maybe, and the technology still works there, as 
we speak, right now.
    I do think that we have to decide where we want to go, the 
strategy, the needs, and start to implement it. If we are 
sitting and trying to create the fantastic, unique system, then 
we'll never get there. I don't see any difference between the 
Federal Government versus the corporations in the market out 
there. Let's have the, ``This is the direction we're going,'' 
and then let's move on.
    Mr. Putnam. Mr. Turissini.
    Mr. Turissini. Just to add to that, not only is the 
technology here, but the infrastructure has been invested in 
over the last 5 to 10 years within the DOD, with GSA to do the 
credentialing and to get people identity credentials, not only 
within the government but with our civil citizenry.
    We have, again, neglected to go forth with this technology 
for fears, for stovepipes, for rice bowls maybe, but the bottom 
line is, we can currently credential almost everybody in the 
government and probably everybody in the country.
    The DOD, under the program I'm working, is currently 
credentialing over 10,000 people a day on smart cards, giving 
unique credentials; and those credentials, in the form of 
digital certificates, can be accepted in your data bases, your 
Web-enabled data bases, tomorrow if you choose to do so. It's 
not a long process, nor is it a terribly expensive process.
    We need to get on with the business of securing our 
information resources. You need what is the cost benefit.
    There are very few pieces of information that anybody in 
this government deals with that in the aggregate can't be 
harmful to us outside of the United States, things like flight 
schedules, things like where people land and when they land and 
who's coming in and out of this country. We can't guarantee who 
the bad guys are, but we can guarantee who the good guys are. 
We can credential all the people we need to, so that if you 
don't have a credential, you're under suspicion and you've got 
to go get one or we've got to talk to you a little bit closer.
    So the technology is here. We've invested 5 years, 7 years, 
and a lot of money with GSA and DOD to create the 
infrastructure to field this technology. I say, let's get on 
with the business of doing it; and I think the way that we do 
that is by--they called it ``culture'' earlier. I think it's 
just policy and direction. You need to be told, and you need to 
say, this is the way we're going.
    We have policy that is set up in the forms of certificate 
policies and practice statements. They need to be in force. 
They need to be promulgated.
    As far as the physical versus the virtual, this is my smart 
card CAC. This is my identification into a DOD building. Other 
than the color, I don't know what the culture shock is.
    So physically don't tell the guys at smart card. I don't 
know. It's not that big a deal. But I do have a chip on my 
smart card, and that chip gives me digital capability.
    And, again, the smart card is not my access. It's a 
protection of the credential. That's all it's doing. It's 
protecting the blob, the ones and zeros that are on there that 
identify me, the thing that I went to a work station, gave them 
my three or four forms of ID, gave them my fingerprint and 
guaranteed that I'm going to protect that credential. I can't 
give it to anybody else. It's not like a password that I can 
pass over to him, because it's on here, and I have it, and I'm 
the only one--and I'm responsible for that.
    Mr. Putnam. One of the issues that always comes up in any 
congressional hearing when we're trying to push the Federal 
Government to do particular things is the considerable 
difficulty due to the sheer size of the government, and the 
different requirements based on job classifications and things 
like that.
    To the best of your knowledge, who is the largest 
commercial user of smart card technology that might be a good 
firm for this subcommittee to pay a visit to and see how 
they've made it work?
    Mr. Turissini. Actually, the banking industry is probably 
the best, and I don't know if it's a particular firm, maybe 
Chase Manhattan. But what we've got to be careful about is the 
definition of ``smart card,'' and there are many definitions, 
everywhere from a stored value card to a card like the CAC, 
which is a cryptographic module card, a computer that actually 
protects a credential.
    The biggest user of that kind of credentialing is the DOD. 
Nobody else is really doing that to the extent that the DOD is 
doing. Like I said, over 3 million users right now, and we're 
issuing 10,000 credentials a day. But from a credentialing 
point of view and a smart card in a less secure environment, 
although probably just as critical, the financial community is 
very involved in moving transactions using digital credentials 
and protecting those credentials on some kind of a token, 
whether it's smart card or an IT or something like that.
    Mr. Putnam. Mr. Bergman, do you want to add anything?
    Mr. Bergman. No. The CAC program is definitely the biggest 
one.
    I just want to add there are other projects on their way 
around the world right now, everywhere from Hong Kong to 
Malaysia, to Saudi, to Latvia, Turkey, a number of countries 
out there are doing the same thing right now. And those will 
maybe be bigger or larger deployment when they are deployed, 
but I don't know any bigger than the CAC program as deployed.
    Mr. Putnam. A lot of pressure, Mr. Scheflen.
    Mr. Rhodes, do you want to add anything to that?
    Mr. Rhodes. I would echo the distinction between a smart 
card, which actually has its cryptographic module on it and 
actually has the computer on the card, versus the stored value. 
There are larger implementations in industry that are stored 
value, but there isn't any larger implementation than the CAC 
of a truly smart--on-the-card, intelligent system.
    Mr. Putnam. I may not be truly appreciating that 
distinction. It just seems that you get a little tag to hang on 
your key ring from your supermarket. They take 10 percent off 
every time you use it, and you earn points toward a new ball 
cap. And you get a little card to hang on your key ring that 
you wave in front of the gas pump, and you're allowed to get 
$50, $40 of gas at a time and head on, and they ask you if you 
want a receipt. You don't have to see anybody. You don't have 
to talk to anybody over those intercoms that never work.
    It just seems like the rest of the world is figuring all 
this out reasonably well. I mean, we're buying gas, not getting 
access to missile silos. But still, tens, hundreds of millions 
of dollars' worth of transactions on a fairly frequent basis 
that ordinary citizens are becoming rather accustomed to and 
comfortable with, even though Giant knows that they prefer 
Cheer over Tide or that they buy 12 gallons of milk a month or 
whatever.
    People are dealing with it so that they can get that 10 
percent off. I mean, I think we're in this post-September 11 
world, everybody is focused on ways to sell the government 
something based on security, but the idea that instead of there 
being a paper file that moves around with our 3 million 
military personnel every 2 years, you've got it on something 
the size of your VISA card and you swipe it when you go into 
whatever installation in whatever country on whatever base, and 
you deal with that; and then you perhaps could take that same 
card over to the PX and buy your groceries and you could take 
that same card over and, I mean, have dozens of applications on 
the same smart card above and beyond simple identity 
authentication and access.
    And maybe I'm not appreciating the distinctions here, but 
even if you separate the zebra that is DOD from all the horses 
that are the rest of the government, there's a lot more that we 
can be doing with this, I think, for an awful lot of Federal 
Government employees, than we have.
    Mr. Bergman, could you elaborate some on the match-on card 
technology?
    Mr. Bergman. I would be happy to do that.
    The match-on card technology that we're using, the chip on 
the smart card does the comparison of the template. That means 
that when I log onto my computer, I have my biometric template 
stored on that chip. I put it into my biometric and combined 
smart card reader, which is about a $100 piece of equipment. 
When I do the matching, the matching is done on the smart card. 
That means that my template will not be transformed over to a 
data base somewhere else. From a scalability point of view, 
that's very important. I don't need to have the infrastructure 
built up behind it.
    For instance, take today's discussion about the U.S. VISIT 
program. Does it need to be an infrastructure to allow myself 
with my finger going into a data base somewhere in the world, 
or is it only when I issue a credential that I need to be 
connected back to the data base and say am I a good guy or bad 
guy. After that, once I've got my credential and it's secure 
enough to go around the world and say this is me, there's one 
piece missing in it. That's the validation of it. Is it valid? 
It's OK, it's me, but am I still valid? And there are 
technologies for that as well.
    An example that happened to me last Saturday, returning 
back from Sweden, we were standing, myself and hundreds of 
other people, out in Dulles Airport waiting for INS because the 
back-end system was down. Is that the way we want to build the 
infrastructure? This was just to swipe my passport and my green 
card. Is this the way we protect our borders? That is a pretty 
effective way--``no one can enter.'' Nothing happened for 40 
minutes because the back-end data base was down.
    Those are the kinds of things that we need to think about 
when we deploy a large system. That's why I think you do DOD 
biometric authentication up front on your token, on a sticky 
product. A sticky product is something you have and that you 
use 10 times a day.
    And you talk about convenience. It's convenience for me. 
You can't force people to use security. It's convenience that 
matters.
    I can get into different places. The biometric comparison 
can be done on a card or a token, or it can be done back on a 
data base. And I think the data base is a legacy infrastructure 
and costly, and it's a pretty nonoptimized way of doing 
business today.
    Mr. Putnam. To any of you who wish to answer, how far are 
we from being able to replace the paper passport with a smart-
card type of identification, merged with biometrics?
    Mr. Bergman.
    Mr. Bergman. From a technology point of view, we're not far 
away, but I think along the same line, that we have been 
talking and listening today about the stovepipes.
    If you talk about the passport which is one passport for 
the United States, another one for European countries, I think 
we need to discuss where we are heading. I think that 
biometrics should be on the road map, I think it's a good step 
forward to have my picture, my face on that smart card or 
token, in a readable format.
    To have a smart card on the passports is probably a number 
of years, 5 years, 10 years away--if we decide upon the 
direction. I don't know, but lots of people in this country 
don't even have a passport.
    Those are the kinds of things that we have to sit down and 
decide about the strategy, go for it, and step by step we 
implement it.
    Mr. Putnam. Mr. Rhodes.
    Mr. Rhodes. One point I would make is that INS and State--
at the time of that report, INS and State had issued 5 million 
border crossing cards that included fingerprint or 
fingerprints--probably at about 6.5 million now. But just as 
you had the discussion this morning about the cards are issued, 
but are they application-enabled, well, the cards--you have 6.5 
million cards out there, but they haven't bought enough 
readers. So now the cards are being treated just as any other 
travel document.
    So as they're--how far away are we from this is my digital 
identity on this card and it's recognizable in the United 
States or it's recognizable inside the Federal Government. It's 
a matter of the implementation.
    I can't stress enough what the other panelists, not just 
here but on the earlier panels, said. It is not a question of 
technology; it really isn't. The ID-on-card, match-on-card 
technology is one of the balancing factors for convenience as 
well as privacy concerns. It's a matter of deploying them, 
getting them out, getting people enrolled and making certain 
that the technology is in place.
    Just as you were saying earlier for the earlier panel, when 
is it good enough?
    It's not perfect. As somebody who tests the security of the 
Federal Government on behalf of the legislative branch, putting 
something in place better than a user ID and a password is a 
step in the right direction, even if it's not the greatest 
thing in the world, if it's not the best technology, because 
user IDs and passwords are folly. And you give me 7 days, I can 
break any one of them, and I don't care what it is, because we 
do it.
    So trying to get a token and trying to get some smart card 
combination with biometric technology is superior to what we 
have now, and that's really the question that everyone needs to 
ask, ``Is what we're trying to put in place better than what we 
have now,'' and the answer is, ``Yes.''
    Mr. Putnam. You mentioned face, hand, iris and finger. Are 
they the key biometric features?
    Mr. Rhodes. Those are the four that are most mature.
    Mr. Putnam. Right. So you mentioned that retinal scan is 
probably what most people would consider the most intrusive.
    Mr. Rhodes. No doubt.
    Mr. Putnam. Fingerprint, probably less intrusive.
    Mr. Rhodes. Yes, sir.
    Mr. Putnam. The least intrusive.
    What is the most appropriate biometric characteristic to 
adopt for widespread usage for things like air travel, access 
to unclassified-type facilities and things of that sort that 
would be widely used perhaps on a passport?
    Mr. Rhodes. At least in the technology we've looked at, 
since fingerprint recognition is the most mature, that's 
probably the most appropriate. You'd want to have a fingerprint 
photograph on a card.
    Talking about a single token, you're actually talking about 
multiple identifiers on the token. There's the design of the 
token, the color of the token. There's a shield on it. There's 
probably a magnetic strip on the back as well as an on-board 
chip, and there would be some template inside there for a 
fingerprint.
    Now the question becomes, ``Do you want just a thumb, just 
an index finger? Do you want 10 fingers?'' But the fingerprint 
recognition is the longest lived. I mean, that's the most 
mature technology at the moment, although retinal scan is very 
mature, but you have to sit for a long time, and you have to 
have this thing paint the back of your eye. And people usually 
don't want to take an afternoon and enjoy that. The more 
invasive it is, the more concerns there are.
    Facial recognition is probably the least invasive, but it's 
extremely unstable, because you can do it with a CCTV. You can 
do it with closed circuit television at a stadium or something 
like that; but depending on how the lighting is, how the face 
is turned, the expression on the face, the identification 
points shift, and then they don't necessarily connect properly. 
There's a high false-positive rate. And there's a high false-
negative rate, as well, with facial recognition, facial 
pattern.
    Mr. Putnam. Mr. Turissini, talk a little bit about the 
privacy issues, please. You've raised that in your testimony, 
and understandably there are widespread concerns in the 
populace about privacy issues.
    How do we strike the proper balance?
    Mr. Turissini. Well, as I state in the paper, what you need 
to look at are multiple technologies, not just a single 
technology. Using smart cards with the biometric, with the 
asymmetric credential, allows the personal data, that 
fingerprint or the scan of the face or retina, to be owned and 
carried only by the owner of the fingerprint or the credential.
    What I would be afraid of in a public venue would be to 
have my fingerprint or even a representation of my fingerprint 
to be in a data base to be compared to; and then that would be 
distributed. Because it's not going to be on one data base; 
it's going to go to the next data base. It's kind of like when 
you send an e-mail to eBay and you get 100 junk mails. Well, 
you use your fingerprint on one place, and then your 
fingerprint is all over the world.
    But the big distinction--and I want to bring this back to 
the earlier question, the distinction between the cryptographic 
smart card, the cryptographic function versus just the stored 
value; and that's the same issue, there is this nonrepudiation. 
When you go to a gas station, even when you use your credit 
card, they're not checking to see if Mr. Putnam is swiping that 
card. They're checking to see that Mr. Putnam has money in that 
checking account or that credit card account or something like 
that. They really don't care who you are. They just care that 
you have money to pay the bill.
    In the transactions we're dealing with in the government 
and the protections we're involved with, we not only want to 
know who's touching this data. We want to know what they're 
doing, and we want them to leave a trace of nonrepudiation. We 
don't want people coming into our enclaves and doing something 
and then later being able to say, I didn't do it.
    These viruses are a good example. We have the technology 
today to use digital credentialing, whether in the form of 
digital certificates or in combination with the smart cards and 
the biometrics, so that every e-mail I receive into my enclave 
is identified with the person sending it.
    Now, if I have to go out and get a credential, show three 
forms of ID and sign that I'm going to protect that credential 
and I'm going to put it on a smart card, and then when I send 
you an e-mail, I have to apply that credential to it so that 
you know it came from me, I'm not going to send you a virus, 
certainly not on purpose. I'm not going to create a worm and 
send it to you with my signature on it.
    So the distinction in just stored value versus this 
cryptographic or this strong smart card is really the assurance 
that the person doing the transaction is that person by name, 
rank, Social Security or serial number and not just a bank 
account or not just somebody from Federal Building No. 12 or 
something like that. It really brings every transaction to a 
personal level, not only from a signature, not only from an 
authentication, but also from an auditing point of view. And 
that's why it doesn't matter the level of security from the 
back-end point of view.
    The only thing the credential cares about is your identity. 
Now, what you do with that identity in your back end is your 
choice.
    Now, if you are--and we'll put numbers on it. If you're 
99.9 percent sure that this credential is going to be correct 
because it comes from a trusted third party, and it's protected 
by a biometric or a smart card environment and you're going to 
do a financial transaction, maybe that's all you want is 
authentication by that credential. And if you're going to blow 
missiles up, maybe you want that person and somebody else's 
credential statement. So there's the back end.
    How you react to that identity is kind of a separate 
question. It's not a completely different issue, but it is a 
separate question.
    We have not only the technology but the infrastructure to 
credential, to make that credential available so that you can 
decide what to do with that credential; so that the FAA and TSA 
can say, you know, I've got this card and it's Dan Turissini, 
and Dan Turissini is allowed access in and out of the airports, 
and he's a good guy and he doesn't have a criminal record. And 
the guy that shows up with no ID and no credential, well, we've 
got to take a closer look at that. They're the people that 
should be taking off their shoes and checking their--the heels 
of their shoes and stuff like that.
    So that's the distinction. It's the nonrepudiable 
authentication of that person and the auditing capability of 
those transactions, rather than to a bank account or to a 
location; it's directly to the person's identity.
    Mr. Putnam. Any other comments from the other panelists?
    Mr. Bergman. From a privacy point of view?
    Mr. Putnam. Yes.
    Mr. Bergman. I fully agree with my panelists here.
    When you demo at a trade show, you demo biometrics. The 
worst you could joke about is saying, ``What's happening right 
now is taking your fingerprint and sending it back to a data 
base.'' The people get really scared.
    The biggest educational problem we have is, Mrs. So-and-So, 
we are not taking your fingerprint. You're using your 
fingerprint to create the digital representation. It's called a 
biometric template. And it's not stored in the data base. And 
it's not a unique concern. Thousands of people have discussed 
that kind of thing, I don't want to have my fingerprint in the 
data base.
    And also, by the way, Minority Report and other interesting 
movies the last years haven't helped because, it's the 
fingerprint, I put the fingerprint somewhere else, and you're 
nailed.
    So I think that the privacy, as you said here before, is 
that the template is one step; and the second step is, I have 
it right here. I control my template. I control my own data 
base, so to speak. That's why I'm concerned about the overall 
infrastructure that's being proposed for the U.S. VISIT and 
TWIC program right now. That's counterproductive to the 
biometric industries from an image template and the storage.
    The privacy is a big concern. And you, Mr. Chairman, said 
before about passport, it's going to be even bigger, because we 
don't deal with only DOD people.
    Mr. Putnam. Elaborate some on the TWIC concern.
    Mr. Bergman. My understanding is that TWIC is proposing to 
have the image going back to a data base and to have 450 point 
of entries fully equipped with biometric devices that could 
capture fingerprints, send that fingerprint back to a data base 
and check if you are a good guy. Otherwise, we don't let you 
over the bridge, so to speak.
    That's the big concern, to have the image back and forth to 
a data base, because as Mr. Turissini said before, it's not one 
data base. It's replicated in different data bases.
    I've been working 5 years for a data base company, so I 
know that. Replication of data base is a special thing. It's 
easier to say, not so easily done.
    Mr. Putnam. That's something we can look into.
    Mr. Rhodes, do you have any final comments?
    Mr. Rhodes. The one point that I would make regarding 
either data base or sending information back is that is at the 
heart of the privacy concern. The question is how--the question 
from a citizen's point of view is, what are you going to do 
with this information, because we've now moved away from, 
you've stolen my identity because you've got my Social Security 
number.
    Now you move into that realm of absolute nonrepudiation, 
because this is the double whorl on my thumb, and this is the 
single whorl on my left index finger, and two of them brought 
together give great authentication of who I am and leave me no 
margin for saying, ``I wasn't there or I'm not this 
individual.''
    The more that information gets passed and the more that it 
becomes replicated, it becomes difficult to synchronize data 
bases, and it becomes difficult to make certain that they're 
all up to date. So the more that it is tied into on-card 
validation as opposed to a larger system where the information 
is being passed, the more it's going to be convenient; and 
ultimately, that's one of the factors that needs to be brought 
in.
    We all know what it was like to try to move through 
Washington, DC, right after September 11th. We couldn't get 
into buildings. Even if you worked there, it was difficult to 
get into a building, and you had the right credentials.
    Trying to get on an airplane during a high-threat period is 
very difficult. Trying to get on an airplane under any 
conditions is difficult these days, but during high threat it's 
very difficult.
    So as more of this technology is applied, if it's 
convenient, if it makes it easier for people to move through 
portals and to get to the services that they need--your point 
about having my medical records on a smart card that's 
biometrically validated back to me, etc., all the conveniences, 
that's great, because the card can speak for me when I can't. 
But I have to make certain that the information on that card 
isn't then able to be used by someone else or that the 
information on that card isn't going to be corrupted or 
unusable because the system I plug into is getting creamed by 
Blaster at that moment. So these are all those balances that 
have to be worked out on the tradeoffs.
    Mr. Putnam. Very good.
    I want to thank this panel for their contributions and 
thank the first panel, as well, particularly those who stayed--
Mr. Willemssen, Mr. Scheflen--and I appreciate your remaining 
and hearing the issues raised by the private sector and Mr. 
Rhodes.
    We obviously have a lot of work to do on this issue, and 
this subcommittee will continue to follow the progress of the 
executive branch's move toward implementing this.
    So, with that, we appreciate all the contributions, and 
just to make sure I'm not forgetting something: if there may be 
additional questions we did not have time for today, the record 
will remain open for 2 weeks for submitted questions and 
answers. With that, we stand adjourned.
    [Whereupon, at 12:35 p.m., the subcommittee was adjourned.]