In spite of a reputation for being a technological laggard in some respects, the U.S. military is on the leading edge of one high-tech revolution: the use of smart cards.
Unlike other photo identifications or conventional financial cards, smart cards have an embedded chip – not a magnetic stripe – that allows the cards to hold data such as health records or and even run applications such as public key encryption. Although French and Canadian citizens have long used chip cards to pay for goods and services, smart cards in the United States have for the most part been relegated to a few highly publicized pilot programs and a handful of proprietary implementations over the last two decades – until the military decided to embrace smart cards for their all-in-one I.D. in 2001.
Since 2002, 3.2 million members of the U.S. armed forces and Department of Defense civilian workers have been issued smart cards that allow building and computer network access and enable workers to encrypt email.
Right now, each basic military chip card contains data on the individual cardholder – name, social security number, rank – and three separate public key infrastructure-based digital certificates (one for identity; one to sign email; and one to encrypt email), according to Mike Butler, the director of the Access Card Office at the Defense Manpower Data Center, which oversees the military and Defense Department’s smart card program.
Defense personnel need to insert their cards into readers to gain entrance to certain buildings, and insert them into card readers to sign on to computers. (All 2.2 million Defense Department workstations now have card readers, Butler says.)
Many troops and defense personnel also use their cards to sign and encrypt unclassified email – ensuring tighter computer security and making it more difficult for other people to sniff those unclassified, but possibly sensitive emails that may forecast military movements. Each card also has about 7K of space that each armed forces branch may use as they see fit.
For example, some Navy cards can be used to gain entry to the mess hall.
While the widespread rollout is quite large, it’s not the first foray into smart cards for the government and armed forces. Isolated, smaller projects launched at individual bases by the Army and Navy date back 10 years, says Butler, who ran one of the Navy’s first smart card programs. Back then, he says “there was no real money for smart cards” – and with just 2K of memory on some of those early cards, not much room for more ambitious applications or even much data.
Today’s smart cards sported by the military are, well, smarter.
Aside from having 32K – hardly whopping by current measures of computing power – these cards run on a small, basic Java operating system. JavaCard gives the identification a standard with which software developers and card manufacturers can work. And, that has elicited more competition from would-be vendors, which has caused prices for cards and systems to drop.
“We can enable programs that sit on top of a more open commodity,” says Butler. “(I)t’s always nice to have alternative sources, this makes them compete for business.”
Neville Pattinson, director of technology and government affairs for Axalto, a company that has supplied more than five million smart cards to the Defense Department over the years, says that JavaCard provides card makers and developers – as well as users – with a set of “firewalled sandboxes” to ensure greater security.
Rest oAccording to Aaron Zitzer, director of solutions marketing for ActivCard, which supplies software for the cards, each applet only takes up about 3K or 4K of space.
The Defense Department’s smart card program seems to be setting a standard that other federal agencies will soon be following. The number of smart cards used by government workers could more than double in the next two years on the heels of a February federal mandate that will soon require all federal employees and contractors to use smart cards to carry biometric and cryptographic identification.
The Federal Information Processing Standard 201 mandate came from the National Institute of Standards and Technology Computer Security Division, in response to a Homeland Security Presidential Directive issued last August, which demanded a “common identification standard” for federal employees and contractors in order to enhance security, increase efficiency, and reduce identity fraud.
The goal is to have smart cards serve as the common platform by which “every [federal] agency that authenticates you will do so in the same manner,” says Frederick Ziegel, a security technology analyst for New York City-based Soleil Securities Group.
Ziegel says this will encompass 6.5 million federal employees and at least two million more contractors. Ziegel says that, under this new mandate, government agencies will be expected to have a plan for smart card adoption by June, and start putting in procedures to use them by October.
At the same time, the Defense Department is upping the ante on its program. In less than two months, Butler says, military and Pentagon workers will be issued 64K cards instead of the previous 32K ones. The greater capacity is necessary to incorporate the biometrics applications that the federal mandate requires.
While the new mandate to use smart cards as a federal identifier is an endorsement of the technology, smart card technology still has its share of hurdles to overcome. Without an infrastructure of smart card readers in place outside of defense headquarters, the cards often end up being used as a standard picture I.D. – a rather expensive picture I.D. if it can’t be used for its other authentication and encryption features.
“Infrastructure has been a challenge,” says Ziegel. “If you’re in a battlefield somewhere, and not near a reader, your card’s probably going to be used like your driver’s license.”
Even Butler agrees, “You’re not going to find [readers] out on the back of Humvees yet…they’re not out on the tip of the sword in Iraq.”
Randy Vanderhoof, executive director for the Smart Card Alliance, says that while the military has been critical to expanding the use of smart cards in the United States, the scope and breadth of military services presents a host of logistical issues – from being able to replace spare parts in readers, to ensuring the same cards that work in Washington D.C. are rugged enough for the deserts of Iraq and Afghanistan.
As the military puts more capabilities on a single card, Ziegel points out, they have to be ever mindful particularly during the issuing process that they’re actually authenticating and provisioning the right cards to the right people.
Ultimately, Vanderhoof says, the initial Defense Department program “has broken barriers…because they went first and took the arrows in the back and set the standard for other agencies to follow.”f the article