Authentication: The Biometrics Advantage
"Identity theft is a grave problem, and it's one that can be very well addressed by adding biometrics to the portfolio of tools that is used to fight identity theft, but it should not just be relied on alone," taskforce Director Myra Gray said in an interview with GovInfoSecurity.com (transcript below).
A concoction of biometrics, passwords, other forms of authentication and just plain old good computer security will help deter identity thieves, she said. "Using biometrics is not going to be the nirvana that eliminates all other methods," Gray said. "It is a very, very powerful tool to add to the portfolio."
In the interview, with GovInfoSecurity.com Managing Editor Eric Chabrow, Gray discusses the:
The Army Biometrics Taskforce leads Department of Defense activities to program, integrate, and synchronize biometric technologies and capabilities and to operate and maintain DoD's authoritative biometric database to support the national security strategy.
Gray, who has headed the taskforce since July 2007, also serves as executive manager of DoD biometrics. She joined the Defense Department 24 years ago as a Naval mathematician, rising through the ranks, with her last position as assistant secretary of the Army for acquisition, logistics and technology in the Future Force Integration Office. She holds a doctorate in research and engineering management from Southeastern Institute of Technology in Huntsville, Ala.
ERIC CHABROW: Please take a few moments to tell us about yourself and the Biometrics Taskforce.
MYRA GRAY: I'm the director of the Biometrics Taskforce as well as the executive manager for Defense biometrics. What we do is enable the various missions within the Department of Defense with the biometrics capabilities.
Biometrics is not something that is judging whether one is good or bad; it is used for identification verification. To say either a person is who they are or to identify the person. The Biometrics Taskforce not only operates the database in which the DoD data are housed, we also work the policy issues and any other strategic issues in the interagency or international arena that DoD has entered in.
CHABROW: Please give an example when you say a policy? What do you mean by a policy?
GRAY: Policies would be such as the data that we would share, who we would share it with, how we would store the data, the types of data we would hold, which times we would check the data or not check the data. It could be where we would field the systems. It could just be any number of policies that would govern the use and the enablement with biometrics.
CHABROW: When did the taskforce get started?
GRAY: The taskforce was started in public law in the year 2000. It primarily started to focus on information assurance, but since that time with 9/11 and with operations that we have ongoing overseas, the focus has changed from looking at more of a blue force with logical and physical access to looking at adversaries and the forensics aspect.
CHABROW: How are state of the art biometric technologies being applied on the battlefield and combating cyber terrorism?
GRAY: The state of the art of biometrics, of course, is moving forward in several areas. We really do in S&T (DoD's Science and Technology program) have four primary mission areas that we're looking at for enhancing the state of the art.
The first one has to do with intelligence, and this is the required capability that is needed to perform that intelligence, which also includes increased standoff.
The second one has to do with access, both logical and physical. You have to address within this the high throughput and its usability.
The third is forensics, that required capability that we're looking to enhance, deals with latent collection and latent matching. That is where we need to really push the state of the art.
The fourth area is architecture. The required capability includes that data fusion and interoperability because interoperability of the data, the availability across the board of the data that makes it so powerful.
Currently we have biometric modalities stored and matched in ABIS - the Automated Biometric Identification System. It includes the fingerprint; it includes palm print; it includes iris; it includes face. We are looking at other emerging modalities that are being researched, and that includes DNA; it includes voice. It would include, say, handwriting or gait.
CHABROW: Do you have your own researchers or how do you collaborate with other researchers in dealing with these new technologies?
GRAY: What we do is we leverage both government and industry researchers supporting projects across the board to help advance the technology. We don't do this work in a lab that I own. I leverage the nation's asset, both government and commercial, in order to advance this for everyone's benefit.
CHABROW: What are some of the specific biometric tools and applications being deployed on the battlefield and for combating cyber-terrorism?
GRAY: First of all there is a biometric automated tool set, and it has the capability not only of storing and matching but collecting. Someone on the ground could use this for taking a collection, for doing a match, for storing, and all sorts of forwarding back into the authoritative database. The HIIDE (Handheld Interagency Identity Detection Equipment) system is a smaller system of handheld type system, and it's more used for the matching and identification verification purpose, although it can be used for collection as well. This could be used in intel missions, it could be used in base-access missions. It could be used for any law enforcement missions that may be done in that arena.
CHABROW: In other words, we have troops on the ground in Afghanistan or Iraq who have devices that they use to identify friends, foes?
GRAY: This is correct. What it does is help separate from the populace that we are there to support and then the nefarious actors that are in their midst. So what we can do, by knowing who the friends are and who the foes are, we can pull the foes out. And I mentioned forensics earlier, this is done through matching to IED (improvised explosive device) evidence or matching to a record someone that we know has been involved in bad-acting activities before.
CHABROW: Can you give one example or two of how someone would use these battlefield conditions?
GRAY: What they would do with these tests, both the BAT (Biometrics Automated Toolset) and the HIIDE, it does iris, it does face, which is like a photograph but facial recognition, and it does fingerprint. By collecting that information, a person's fingerprint, an iris scan and a photo of their face, we can then later, if we encounter this person, be able to identify them. Let's say you have an installation or an area that you know who should be there. There is the local population that lives in these houses and they go about their daily lives. When they cross through a checkpoint, you know they belong and you can say, "Come on through," because you have positively identified that they belong there. This is the power that it brings, is that positive identification using those modalities that I have mentioned. It is used, of course, to filter out those who are known to be terrorists, who are known to have done nefarious acts, this is then how we can pull those out by also identifying them.
CHABROW: What synergies exist between biometric technologies used for military combat purposes and those for business applications that are used throughout government?
GRAY: There is a great synergy between the technologies and the methodologies by the Department of Defense and the military applications and the business applications, in that the technology is the same. Each human being has iris and has fingerprints and has DNA. Let's say you are using a fingerprint to log on to a computer for logical access somewhere, you are putting a fingerprint on a check to cash it somewhere, the same technology used in those business applications are that technology that is used in the military applications. It's a ubiquitous capability that does in no way identify goodness or not goodness of an individual. It is purely identification. What technology you would use to log on to an ATM and get cash could very well be the same one that is used at that checkpoint I mentioned earlier of letting in the right people to a neighborhood and keeping out those who don't belong. Now, as far as the essence itself that is building and supporting this capability, the research that's done for military applications can very well benefit the business world and vice versa.
CHABROW: Is there an example of an application developed for the military that can be used in the business world?
GRAY: Some of the technology already is. Any of the scanners that you may have, let's say a fingerprint scanner, an iris reader, the same technology that is used in an iris reader in the BAT or the HIIDE system that is fielded is the very same technology that may be on an iris scanner that lets you through a door at your place of business. It could be the same technology that reads a fingerprint and lets you cash a check; it is the same technology that is used in theater. The technology is ubiquitous.
CHABROW: It's just the application?
GRAY: It is the application of the technology getting into an office space. You probably don't need something that is rain resistant, dust resistant, and weather resistant of any nature. You wouldn't need that. Ruggedized, maybe it needs to be ruggedized, maybe it doesn't need to be ruggedized. It's just the packaging, the application.
The second thing is building the infrastructure. What do you need to check that data against? You need to check it against the set of people who are authorized to be in this space, or you need to check it against the larger population. You hit it perfectly in that it is the applications, the functions that it is used in the mission sets that make the difference. The technology for the biometric is the same because we all have the biometrics. Each human being has biometrics. It is the utilization of that. It is an identification tool in the various mission threads that makes the difference.
CHABROW: Are biometrics a way we can access computer systems without employing user names and passwords?
GRAY: Actually it's an outstanding method for good strong identity assurance, but before we go throwing out passwords and user names, what I would like to do is articulate that. Biometrics is one tool of many. It should be part of the portfolio that is used to protect against identity theft. There are three basic things that you do with your identity to prove that you are who you are.
Number one is what you know. That is a password or a log in key.
The second one is what you have. A pass code or a card, a magnetic card that lets you through something, that it is some token that you have in your hand, a piece of material that will let you into something.
The third is what you are and that gets to the biometrics, which is your iris scans, your fingerprints, something that is uniquely you.
So the power is not just in picking one over another but in setting up a construct that utilizes all of those as appropriate. You probably don't need all three of those to buy coffee at the 7-Eleven, but if you were going to get into a super-secure facility somewhere you may very well want to instantiate a methodology for getting into that facility that utilizes all three of those methods, what you are, what you have, and what you know.
CHABROW: I was listening to a congressional hearing the other day. One witness said a problem with passwords and user names is that they identify individuals in easily recognizable ways, something that biometrics don't do. One witness suggested that by forgoing passwords and user names, identity theft would be limited. Do you agree?
GRAY: It is certainly a much better way to uniquely identify someone than a password because a password you can write on a piece of paper and someone else can type it in. Let's say one of those magnetic cards; it is not authorizing the human being that is coming. It's saying yes this card is allowed to pass. The biometrics itself is a lot stronger in identifying the person, but is it a perfect system? Not at this point. We still have a way to go with the technology. So before we throw everything else out, I would caution that we strengthen our systems by using biometrics. That will make it a lot stronger.
Identity theft is a grave problem, and it's one that can be very well addressed by adding biometrics to the portfolio of tools that is used to fight identity theft, but it should not just be relied on alone. It has to be something that is part of that portfolio. And it includes other things as well, such as good computer security, good information assurance techniques, firewalls, other methods for keeping people from having access. When we talk about access for identity theft, maybe it isn't just logical access; it could also be physical access. Using biometrics is not going to be the nirvana that eliminates all other methods. It is a very, very powerful tool to add to the portfolio.
CHABROW: How has the cost of biometrics technology changed over the years?
GRAY: It's going down and it's getting better. Now, it's not super cheap because we are not there yet. It's not as ubiquitous yet as an ink pen, but you recall the progression of PCs, very expensive, not very powerful, and now they are almost disposable. I would see as this technology promulgates across the landscape worldwide, as more people get involved in becoming suppliers, as it becomes a commodity whether it's a scanner for an eye or a fingerprint reader for a computer. Whatever it may be, it will become very accessible, inexpensive and easy to use.