Biometrics: From Kabul to Washington
"Advances that we make for a military application would also have application on the business side," Lisa Swan, assistant director of the Army's Biometrics Task Force, said in an interview with GovInfoSecurity.com (transcript below). "If you can imagine the cars stacked up trying to get into a military base early in the morning, if you had iris on the move where cars could simply roll past an iris reader and verify that the driver is in fact someone who has authorized access, that might be able to move the traffic faster and also reduce the manning, so you wouldn't have to have a live guard there or you might be able to have fewer guards there.
Coordinating Defense Department efforts to find new uses of biometrics on the battlefield and back home is the Biometrics Task Force, which leads activities to program, integrate and synchronize biometric technologies and capabilities. The task force also operates DoD's biometrics database that supports the nation's security strategy.
In an interview with GovInfoSecurity.com's Eric Chabrow, Deputy Director Lisa Swan discusses the:
We'll soon post a transcript of an interview with Task Force Director Myra Gray. Click here to listen to listen to audio of that interview, in which Gray discuss how biometrics improves authentication.
ERIC CHABROW: What is the Biometrics Task Force?
LISA SWAN: The Biometrics Task Force is an Army agency but charged with a Department of Defense mission. Our mission is to integrate, synchronize and coordinate efforts across the DOD biometrics community and also to maintain and operate the DOD's authoritative biometric repository.
CHABROW: What is the mission of the Biometrics Task Force?
SWAN: As I see it there are really two key pieces to our mission. The first piece is that coordination across the DOD. There are a lot of different parts of the Department of Defense using biometrics each for their specific mission area. Part of our job is to coordinate across those to really try to help folks work all in the same direction. For example, last year we worked across the biometrics enterprise within DOD to develop the first DOD biometrics enterprise strategic plan. Laying out the top-level goals for the department in terms of biometrics, to help us all move in sync in the same direction. That is part of our mission.
The other large piece of it is operating and maintaining the authoritative biometrics repository for DOD. That is the place where fingerprints, iris scans and so forth are maintained, and we use that for matching, storing and sharing information for various biometric applications across the DOD and also working with our inner agencies and international partners.
CHABROW: You spoke of a biometric enterprise strategic plan, can you discuss that a bit?
SWAN: That is actually something that I am very pleased about because it was a collaborative effort from across the departments. I believe we had 23 different organizations participating and our goal was to develop a top-level document that could set the course so everyone was really on the same page and understood where we were headed. Again, because the department is very broad and there are so many pieces with separate pieces of the mission, it was important to have this top-level guidance that everyone kind of bought into.
There are four main goals. Those are support to military operations, business functions, unity of effort and institutionalization. Of particular interest to your audience I would guess would be business functions, which is really those non-war fighting pieces; things like access to information systems or to facilities or to services like medical services, using biometrics to authenticate that someone is who they claim to be and therefore should have access to a particular type of information or a particular service.
Obviously, our focus and our most urgent need right now is military operations, but business functions is where, I think, we will see biometrics really blossom over the coming years.
Also, institutionalization is a key area and that is really getting biometrics into those established DOD processes. We are at the DOD, so we have a procedure for everything it seems, it is getting biometrics into those established processes so that it is an enduring capability. A lot of what is being done to date was done outside the normal processes in response to urgent need, but now we are becoming more established and so we need to get into those acquisition processes and lifecycle sustainment processes that will keep this an enduring capability.
The last goal is unity of effort, and that is really just making sure that all of the various parts of the community are taking advantage of what each other are doing in terms of biometrics, leveraging efforts across the department, and again with our inner agency and international partners, to get the greatest return on our investment.
CHABROW: Why is biometrics so important for authentication?
SWAN: Biometrics is one of the few ways to have a high degree of certainty that someone is who they claim to be. You can change your name, you can certainly alter your appearance, but it is very difficult to alter your biometrics. And so biometrics offers the opportunity to say with a high degree of certainty that the person is who they say they are, which then gives them access to the right information and services to support whatever their mission is.
CHABROW: Please discuss the evolution of biometrics as a form of authentication in the military.
SWAN: As you know, biometrics have been around for a long time. We certainly, as humans, have used face recognition and voice recognition forever, but typically when we talk about biometrics today we are talking about automated recognition of a person, and there are two key areas, ether biometrics for identification or verification.
Identification is typically looking at the biometric print or scan of an individual and comparing that against many other biometric records to identify; yes this person is John Doe and we know this based on having a previous record of John Doe.
The other side to that, the verification, is a one-to-one match that John Doe says I am John Doe and you compare against his record and yes they do match so you verify. Within DOD, biometrics really got started in the early 2000s in the information assurance area, specifically using biometrics for access to computers and so forth. It really took off from an operational standpoint probably around 2003, early 2004 in terms of being able to be a tool we could use to help identify adversaries hiding among friendly populations, like how we are using it in theater today. It has continued on parallel paths, both for military operations and for business functions, and each of those is helping to inform the other.
CHABROW: What kind of developments occur in combat that might be applied to the business functions?
SWAN: Certainly, any time we are moving the technology forward in either area, it benefits across the board and obviously that is whether you are in DOD or in Department of Homeland Security, or anywhere else. But one of the things I think as an example would be on the military side; we are looking for technologies that can help us do biometrics from a distance. Most of what we do now, certainly fingerprints, are a contact method; iris is not a contact method but it is something that you have to do close in.
We would like to be able to do those things from a distance and so advances that we make for a military application would also have application on the business side, for example, to be able to use iris at a distance or iris on the move to admit someone to a base, for example. If you can imagine the cars stacked up trying to get into a military base early in the morning, if you had iris on the move where cars could simply roll past an iris reader and verify that the driver is in fact someone who has authorized access, that might be able to move the traffic faster and also reduce the manning, so you wouldn't have to have a live guard there or you might be able to have fewer guards there.
CHABROW: Who is conducting the research?
SWAN: The research is being done on a number of fronts. From our perspective, we are talking with the various service laboratories and warfare centers, also with academia and with industry. In particular, in academia there is a group called CITR, which is Center for Identification and Technology Research. It is a consortium of universities working in identification research and so we are one of a number of government and corporate members working in that organization.
There are several different universities; obviously industry has an interest here because this is a growing market for industry. And then, as I mentioned, the service labs, one of the things that we do within the biometrics task force on behalf of DOD is that coordination piece across those various entities to understand and share information on who is doing what in terms of technology and try to influence the direction that goes to move it forward for DOD's benefit.
CHABROW: Characterize the state of the art of biometrics as a means of authentication.
SWAN: Certainly, fingerprints have been around for a very long time, very reliable and technology continues to evolve in terms of storage of fingerprints, in automated recognition, but the science of fingerprints themselves in my estimation has not changed a whole lot. Iris recognition is a little bit newer, and it is continuing to advance. Like fingerprints, it is very reliable and offers some advantages and some disadvantages as compared with other methods. Facial recognition, I think, has come quite a distance in the last few years and continues to have some challenges.
There is no one best biometric, but there are certainly more efforts going on in some areas than others. A significant portion of the research is in collection systems. How do we collect biometrics either easier or faster or perhaps less intrusively, things along that line?
CHABROW: What are some of the privacy concerns that are being raised with biometrics and how is that being addressed?
SWAN: Certainly privacy is an issue that comes up often. Within DOD, it is one of the things that we are very cautious about to make sure that we are only operating within legal means and the biometrics that you collect depend on the situation.
For example, for U.S. persons, we have certain rules that we must follow that are different for non-U.S. persons, but in every case there are policies that dictate what is and what is not allowable in terms of biometrics.
CHABROW: Do you see biometrics as a means of authentication replacing user names and passwords?
SWAN: In some cases, I can see biometrics replacing user names and IDs, certainly not in all, just as there is no one best biometric. Biometrics themselves are not the answer to all our applications, they can certainly help increase the level of assurance that someone is who they claim to be, and perhaps you are using a credential like a smart card and a PIN. If you need even more assurance, you might use a biometric, but in another application, it is certainly possible that you could use a biometric in lieu of a smart card or a user name. I like that idea. I am ready for the day when I don't have to remember account numbers and passwords and various account names.
CHABROW: The reason I raise that, there was a Congressional hearing in the Senate, and a DHS official mentioned developing systems in which individuals can enter those systems without using a password or a username because it would be just less information for people to steal.
SWAN: It is a very good point. You don't have to write down your biometric, you don't have to remember it, and therefore it is more secure in some ways. Certainly there are concerns about how biometric information is stored and it has to be handled very carefully and in a well-thought out manner.
I mentioned earlier that we have policies for how and when we collect biometrics; similarly we have policies for how we share and store biometric information because it is sensitive information. But, it is also very useful for things like not having to worry about your password being compromised, you can change your looks and you can change your credentials, but you can change your biometrics. Likewise, someone can't steal your biometrics very easily.