Richard Clarke Addresses Smart Card Industry, Sees Government Use of Smart Cards as Step to Widespread Corporate Use
Adoption Grows with U.S., Canada Shipments to Top 100 Million in 2004, Industry Estimates
PRINCETON JUNCTION, N.J., Oct. 25 /PRNewswire/–Former national security advisor Richard Clarke sees Homeland Security Presidential Directive 12 driving smart card use across the federal government and speeding adoption by enterprises, according to remarks made in a keynote address at the Smart Card Alliance Fall Annual Conference held in San Francisco last week.
“It’s a step that lets you go to the commercial space and make a case that it needs to be implemented there, too,” said Clarke. In Clarke’s view “the state of cyber security is in chaos.” Citing rising identity theft crime that the Federal Trade Commission said affected nine million Americans last year, Clarke challenged financial institutions and e-commerce providers to look beyond the actual cost of fraud today and consider the opportunity cost. Since a teller transaction costs $7 and the same transaction online costs less than five cents, Clarke said the right question for banks to ask is why 65% of their customers don’t go online.
When asked that question, banking customers say it’s because of the lack of security, according to Clarke. “And you know what? They’re right,” Clarke said. “Any system that only requires a password is inherently insecure. Here we have a classic case study of an industry that doesn’t yet fully get it. They are looking at the cost and pain point of the system they have today rather than looking for the opportunities of where they could be if they implemented a smart card system for their customers.”
Clarke sees another opportunity for enterprises that invest in smart card technology–differentiation. “If you can say that your system is more secure, that will increase market share and you’ll want to be the first mover in your vertical to do that. That’s why Citibank did that ad series; that’s why AOL was the first major ISP to offer a secure ID for logon.”
Citing the example of spy Robert Hanssen, Clarke reminded the audience that insider fraud is another cyber security problem that smart card technology can address. “Robert Hanssen had been an FBI agent for over two decades. He had a top security clearance. Robert Hanssen was born in the United States, was an American citizen and he was systematically going throughout the FBI database and finding highly classified information and selling it to Russia. He would go into all sorts of databases that he had no reason to go into because of his job. Nobody noticed.”
The solution as Clarke sees it is to design systems with strong access policies and encryption, and then to monitor them carefully. “We need to have rules about requiring encryption of data at rest, encryption of access and systems, and controls on access,” he said.
Turning to state level programs, Clarke told the audience some of the 9/11 hijackers had been stopped by the police and were using falsified Virginia driver’s licenses. If the police had been able to tell they were fraudulent credentials, things might have gone differently. One 9/11 Commission recommendation is to use the driver’s license system to add to national security by making that system more secure. “Making them smart cards would certainly go a long way to solving that problem if, and this is the important if, if we get the credentialing right.”
Urging Alliance members to work closely with the privacy and civil liberties communities, Clarke said more than 80% of adults have driver’s licenses, and no one sees that as an invasion of privacy. The problem is that the ease of counterfeiting those documents puts the public at risk of identity theft. “We’re not talking changing things, fundamentally. We’re just talking about making them work better. Privacy and security are two sides of the same coin,” Clarke said.
Other News from the Alliance Conference
Smart Card Market Growth: “Collectively between Axalto and other members of the Smart Card Alliance, we see that within this hemisphere over a third of a billion, 350,000,000 smart cards, have been deployed. The numbers are huge. In the U.S. and Canada alone, approximately a hundred million smart cards are being issued during 2004,” said Paul Beverly, president, Americas for Axalto.
New FIPS Federal ID Standard: “The first public draft review of the proposed Federal Information Processing Standard (FIPS) for Personal Identity Verification will happen as early as November 8,” Teresa Schwarzhoff, smart card program director, National Institute of Standards and Technology (NIST) announced at the conference. The new standard comes as a result of HSPD 12, and will build on work already done in existing federal smart card programs. More information and a preliminary draft released October 20 are at http://csrc.nist.gov/piv-project.
American and International Interoperability Standards Moving Ahead: “We are moving forward on an ANSI INCITS standard based on the Government Smart Card–Interoperability Specification (GSC-IS) V2.1,” Schwarzhoff also announced. “The really good news is there is a lot of support internationally for the new ISO/IEC 24727 interoperability specification.”
Registered Traveler Card a Hit with Minneapolis Frequent Flyers: “The pilot was supposed to last 90 days. After that we tried to take it away. We couldn’t. Everyone–the travelers, the airlines, security and the airport–was so happy with it they wouldn’t let us,” said Bryan Ichikawa, identification solutions architect for Unisys Corporation. Speaking about the company’s pilot for the Transportation Security Administration’s Registered Traveler program, Ichikawa said the program was popular with travelers from the beginning. “The morning we opened the program at 5 a.m. in Minnesota, the line to get a RT card was longer than the line to get through security,” he said. The RT program provides frequent airline travelers with a special ID that allows them to use a shorter security line. In order to obtain a card, travelers have to agree to a background check and biometric identity verification when they use the card.
Sarbanes-Oxley Compliance and Smart Cards: “Sarbanes-Oxley compliance carries a million times more weight with enterprises than savings on password resets,” said Doug Simmons, principal consultant for The Burton Group, on the subject of business case. “Where I’m seeing interest in smart cards is in healthcare and financial services–communities that need strong authentication internally because they have vast databases of personal information to secure.”
Alliance to Enter Latin America: “The U.S. Department of Commerce is pleased to award a Market Development Cooperator Program Grant to the Smart Card Alliance,” said Stephan Crawford, presenting the award to Randy Vanderhoof, executive director of the Smart Card Alliance, at the conference banquet. The purpose of the grant is to help non-profit organizations build business for American companies. The Alliance will use the $288,000 award to establish a Latin American chapter and conduct two regional events, along with other activities to increase the awareness of the benefits of smart card technology in the region.
New Alliance Market Councils: “We are implementing Industry and Market Councils in the Smart Card Alliance as a way to accelerate the adoption of smart cards and attract new members by establishing focused member-driven initiatives in specific sectors,” said Kevin Gillick, chairman of the Alliance and head of corporate marketing for Datacard Group. The Alliance is now soliciting member interest to form initial Councils.
Sun Microsystems and Smart Cards: “Everything we are doing at Sun uses smart cards as a foundation,” said Bill Vass, CIO for Sun Microsystems. Formerly Vass had oversight of all systems at the Department of Defense and the Pentagon. Touting advantages of three-second boot times and $3 million a year in power savings, Vass explained how Sun uses smart cards to secure access to more than 30,000 completely portable and secure Open Desktops using thin clients and server delivered applications. “Think of your desktop as a TV. How much time do you spend maintaining a TV set? When was the last time you got a virus on your TV set?” said Vass. By inserting the smart card into any thin client, users can bring up their desktops in a few seconds. Remove it and the session ends. Since the smart card and the server mutually authenticate and establish a fully encrypted link, the system is highly secure. Vass sees linking the card to physical access control as essential to making it secure against insider threats. “If I write my PIN on a card and give it to you, I can’t even get into my office. It’s the linking of physical and logical access that gives you security.”
GSM Strongly Positioned: “As smart phones and wireless communications technologies converge, GSM smart card technology is in a good position,” said Jack Jania, director of field marketing for MobileCom at Axalto. “New over-the-air technologies like the bearer independent protocol and EDGE (Enhanced Data Rates for Global Evolution) will deliver broadband-like data speeds to mobile devices. That will enable operators to deliver on the m-commerce vision. And it’s not that it’s coming. The pieces are there and ready for the operators to deploy.” This bodes well for the industry, as GSM phones require a type of smart card known as a Subscriber Identity Module (SIM).
Progress Demonstrated on Interoperable Transit Farecards: “Rail CEOs established the Universal Transit Farecard Standards program to level the playing field,” said Tom Parker of the Bay Area Rapid Transit System (BART) and chair of the American Public Transportation Association’s UTFS task force. “We wanted to make sure competition for rail systems was open and competitive. This industry is spending $1.2 billion on smart card projects over the next five years. Together we represent roughly ten billion transactions a year. If we come together we can be an entity that will be heard.” As a first step in this direction, the Port Authority of New York and New Jersey presented a working proof of concept demonstration of a Regional Interoperability Standard (RIS) at the meeting. The demo showed interoperability for a transit fare application between five smart cards and four readers. The thinking of the task force is that regional standards can lead to national standards. “Ten years from now the de facto transit fare card in the United States will be a smart card,” said Parker. More information on UTFS is available at http://www.apta.com/about/committees/.
Federal e-Authentication Initiatives: “The Electronic Authentication Guidance for Federal Agencies is about remote identity authentication, not access control. It defines four levels of assurance and says here’s what you need to do for each level. At level four, we really know who you are. And when we say ‘hard crypto token’ for level four we’re talking smart card. At that level, smart card is the only game in town,” said Judith Spencer of the U.S. General Services Administration, who leads government projects for PKI and cross-organizational authentication. The guidance is documented in NIST Special Publication 800-63, available at http://www.NIST.gov.
Next Generation Technology: A new feature of the Alliance conference was the next generation technology fair. Advances in these technologies were presented: biometrics, contactless payment and loyalty, health care smart card solutions, smart card solutions for parking, smart card operating systems, e-passport manufacturing, physical and logical access solutions. The companies presenting were: Aquave Group, Competech Smart Card Solutions, Healthmeans, IPK, MartSoft, Parcxmart Technologies, Safe ID, Secure Network Systems and Voicematch.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to accelerate the acceptance of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. For more information please visit http://www.securetechalliance.org.