While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Federal officials expect a trove of hijacked data, stolen from government agencies in recent years, to jeopardize U.S. national security for more than a generation.
To prevent future intrusions, look no further than the path many hackers exploited to gain access to federal networks in the first place: compromised and stolen user credentials.
Government agencies are now turning to biometric technologies to minimize cyberthreats and streamline system access. The Defense and Homeland Security departments have long used fingerprint readers to help determine physical and digital access. But these and other agencies are increasingly investing in new capabilities. In late January, the National Institute of Standards and Technology issued draft guidance explaining how departments should make use of biometrics for authentication.
Common technologies, such as microphones, web cams, scanners, fingerprint readers and even keyboards and mice, are becoming part of an effective biometric toolkit. Through high-powered software and algorithms, agencies can develop personal signatures for each user, store that information in giant databases in the cloud, and help fortify authentication processes.
Biometrics measure an individual’s unique physical and behavioral characteristics, such as facial dimensions, fingerprints and irises, handprints, voiceprints, gait and signature. The multifactor authentication approach generally includes something the user knows (user name, password or PIN), some object the user has (a token, smart card or mobile phone), and a user’s physical characteristic (a biometric).
Authentication procedures that require users — especially those in high-pressure situations — to remember complicated passwords often don’t weather today’s demanding security climate. Others fall short against cyberespionage.
To strengthen systems and take advantage of the technology, federal agencies are investing in research and development projects that test biometrics for network authentication, says G. Nagesh Rao, chief technologist at the U.S. Small Business Administration’s Office of Investment and Innovation.
The office, which acts as an evangelist for emerging technology, has issued more than 195 awards related to biometric technologies through commercialization and seed funding programs, Rao says.
Among federal agency-funded projects: a biometric key infrastructure that uses biometric signatures; multimodal verification, which takes different biometrics and combines results to improve authentication accuracy; and soft-biometric classification systems that can determine gender, ethnicity and features such as tattoos and scars.
A 2016 report, “Global Biometrics Market in the Government Sector 2016-2020” from research firm Technavio, shows that government investment in biometrics is expected to grow 12 percent annually through 2020. By then, total industry revenues are expected to exceed $100 million, with about a third of that money coming from the U.S. market.
The Pentagon could account for more than half of that revenue, primarily for logical access control and identification systems, the report states.
DOD officials announced in June 2016 that they would replace the Common Access Card, which provides access to physical and digital properties. In its place, the Defense Department will consider solutions that eliminate passwords in favor of multifactor authentication. Pentagon officials expect that biometrics, along with other identity factors, will play a key role in the new solutions. For example, some DOD agencies already use Digital Persona’s brand of fingerprint readers to restrict access and verify identity.
“The DOD’s complex data access environment, combined with the evolving threat landscape, calls for agile, device-agnostic access through strong identification, authentication and authorization,” says Army Lt. Col. James Brindle, a DOD spokesman.
Further, the department’s authentication solutions must support a range of users, he says, including “not only mobile and tactical users, but our mission partners. We likely won’t issue physical credentials to non-DOD workers, but we need to give them access to protected system information.”
Technology companies are working to ensure organizations can take advantage of biometric capabilities in their consumer-grade products.
Hitachi has been developing a finger vein authentication system using a standard smartphone camera. Kofax, which offers a suite of scanning technologies, is measuring stroke, speed and pressure levels of electronic signatures. The Microsoft Surface Pro 4 tablet, used throughout the federal government, features the ability to unlock the device using fingerprints or other unique physical characteristics.
“There’s a huge range of applications for biometrics in government, including logical access control, surveillance and identification,” says Marios Savvides, director of Carnegie Mellon University’s CyLab Biometrics Center.
For instance, the center, whose funding comes from public and private sector entities, has made significant progress on facial and iris recognition. So-called facial pose correction and iris-at-a-distance projects focus on making the process of capturing face and iris images faster and less restrictive. Current technology requires subjects to remain stationary and look directly into a camera.
A cost-effective, user-friendly authentication system that prevents anyone but a computer’s owner from using it — or gaining access to the larger network through multimodal imagery — is also on the horizon.