Defense Media CTO: Wither Biometrics?

Craig Kaucher is the Chief Technology and Information Officer at Defense Media Activity.

April 27, 2010 - Over the past decade, approaches to securing enterprise information systems have evolved from the secure bastion, through defense in depth, to include today the concepts of continuous monitoring and operations. Through this all, many newer, more powerful technologies have emerged and been integrated into various portions of the enterprise information assurance architecture. One particular aspect of information assurance, the password, which is often seen as one of the greatest vulnerabilities of information systems, still seems to be sticking around in some form or another.

Fortunately at the Department of Defense, the Common Access Card (CAC) has alleviated much of the pain of remembering multiple passwords. Unfortunately, the still-required password, as a backup to the CAC, if nothing else, is longer than ever. Combine that with the near infinite number of passwords that almost anyone uses to access anything from on-line banking to e-commerce sites to subscriptions, and the potential for mistakes or intentional bypassing (i.e., writing them down) becomes quite high.

My own theory is that six characters in a password are about all most people will commit to memory most of the time. With each additional character required in a password, I feel there is an increased chance that people will write down the password. By the time a 16 character (or greater) password requirement is reached, my theory is that most people will write their passwords down somewhere. Again, this isn’t scientific, but just my gut feeling.

So why not do away with passwords, or at least the really big ones? Yes, decreasing the length of passwords makes cracking them mathematically more probable, or at least more quickly possible, but this can, as with the CAC, be offset by other factors or multi-factors at one time.

The password is something you know. The CAC (or any other reliable token) is something you have. What about what you are, or in other words, biometrics?

US Marine Corps Sgt. Michael Weaver uses the Biometric Automated Tool Set, Oct. 2008, to enter an Iraqi man's info. (Photo: US Marine Corps Cpl. Tyler W. Hill)

When I was teaching at the Information Resources Management College at National Defense University, I built an information assurance lab. One of the most popular labs was on biometrics. We did hands-on familiarization with fingerprint, face and voice recognition, and iris scanning technologies, looking at their strengths and weaknesses, and emphasizing their potential role in enterprise information assurance.

Biometrics technology seemed to be taking off rapidly. The Department of Defense formed the Biometrics Management Office, and it seemed like in no time, we’d all be accessing Defense Department networks with biometric technologies at the touch of a finger or a glance in the camera.

So what happened? Well, biometrics are still around at the Department of Defense, and they are used in a big way for verifying identity, not necessarily just of Defense Department personnel. The Biometrics Management Office has become the Biometrics Identity Management Agency, and it continues to be the Defense Department’s primary proponent for biometrics, internally to the department, as well as in national and international efforts to advance the use of the technology and standards.

Biometrics are being used for identification of captured or detained personnel in current theaters of war. Likewise, the Department of Homeland Security now requires biometric (fingerprint) identification of travelers to the U.S. from most countries coming through all major air ports of entry.

But back to information assurance for Defense Department systems and networks. When will we see widespread use of biometrics for this purpose? What’s stopping DoD components, or the Department at large, from using biometrics to enhance information assurance? Is it cost? Complexity? Lack of maturity or trust in the technology? If anyone has or knows of any large-scale projects to implement biometrics on an enterprise level to support information assurance, let Armed With Science know.