Government leads transition to smart card technology

Aug 1, 2000 12:00 PM, Randy Southerland

Someday everyone will carry a card containing a tiny microprocessor chip, and use it to pay the subway toll, unlock the office door, log onto the corporate computer network, or buy a soda from a vending machine.

The so-called "smart card" will make life easier, while also allowing security directors everywhere to establish a higher level of safety for the companies and facilities they are charged with protecting. Because it contains a chip, the card can both store and process data, unlike the more common magnetic stripe cards that store data but have no processing capability. Smart cards will be able to perform a multitude of functions while achieving a reduction in back-office administrative costs.

At least that's the hope of those behind a multi-billion-dollar program forged by the federal government to develop a smart card that will serve as the "common access card" for its civilian and military employees. Observers say the government push toward "smart" applications could jump-start widespread use of the cards in the private sector as well.

"We will start to see smart cards evolve, and we'll see the mag stripe card virtually disappear over the next five years, even in the financial sector," predicts Anthony Cieri, former director of the U.S. Navy's Smart Card Program.

Smart cards received a major boost last year from a presidential mandate to adopt the technology in the federal sector. Now a multi-billion dollar contract program is sure to make the U.S. government the world's largest consumer of smart cards. Its financial commitment - not to mention the prospects of better security and more highly developed electronic commerce - have also made private industry sit up and take notice. Several companies are developing smart card technology.

In May, the General Services Administration (GSA) awarded five government-wide smart card contracts worth a minimum of $1.5 billion over 10 years. These prime vendors included big names such as KPMG Consulting LLC, Litton/PRC, Electronic Data Systems Corp., 3-G International Inc., and Logicon Inc.

GSA leads the way Mickey Femino, director of the GSA's Smart Card Program, notes, "We worked for nine months with a government committee to help put together the Request For Proposal for this contract. The key is interoperability. We can use multiple vendors and have all their products tested to ensure that they comply with the standards."

Those standards require that the cards perform identification, physical access, logical access, biometrics and cryptographic services.

Security of facilities and networks is perhaps the most important of those functions - and the one that the GSA is working hard to develop. A smart card provides a way to ensure verification that a person is indeed who the card says he is by using it with a PIN number or even loading biometrics onto the card's chip.

GSA has those functions on display at a technology center located in its historic Washington, D.C., headquarters. While the smart card readers and cards are only used in one section of the building, they provide a showplace for other government officials to glimpse how the technology can be used.

"It's the premier demonstration center for the non-military part of the government," says Roy Hayes, president of Systems Engineering Inc., one of the government's primary integrators of smart card technology. "It allows various Secretaries of the Cabinet and high-ranking government officials to come in and view the technology. It shows interoperability on the card. You go in with a contact smart card to open a door, and then it has a series of applications on it such as mail entitlement, personnel readiness, medical and dental information and stored value that could be used, for example, in vending machines."

Two access control smart card readers provided by Group 4 Securitas Technology of Great Britain - one contact and the other contactless - govern entrance and exit from the area. The access control system operates off Group 4's AMAG 450 NT Host System access control software and field panels. The software handles video badging, guard tour via CCTV, and remote systems diagnostics. The cards themselves are a product of SETEC.

As an added level of protection, lost cards can be made inactive by the system so that they can't be used by anyone else.

Hayes comments, "Say your card was stolen, but you didn't want to alert the people that took it that you knew about the theft. You could put it on 'card watch.' As soon as the card is used at any location, an alarm will go back to the central panel and alert the authorities to that location. They can then take appropriate action."

Once the information is entered into the central computer and downloaded to the panel, even if the central computer goes off-line, the panel will not allow that card entry.

Access to applications such as computer networks is regulated by Redwood City, Calif.-based Gemplus' 400 Series Smart Card Readers.

Femino says that the GSA's technology center has on display 14 or 15 applications from 10 different vendors, and they are all on the same card. "This includes everything from access to the facility to biometrics, to medical to electronic purse to kiosks. The key applications now are physical access, logical access including biometrics and cryptographic services."

Interoperability is another touchstone of the smart card program. All cards and readers - no matter which manufacturer provides them - must work together if true savings are to be realized.

"The reader has to be able to read smart card information," says Hayes. "It has to be able to read Secured Equipment Integration Working Group (SEIWG) data in that specific location. As long as you make sure you're reading government-specified SEIWG string and you're presenting it in that specific format, it will work."

Hayes notes that SEIWG is a standard originally set up for magnetic stripe cards, which has now been adopted as a unique identifier for smart cards.

"The same standard is used to create a unique identifier," he explains. "This is the agency code, the system code - that being where they produce the card - the social security number of the individual, and the individual credential series. All those numbers make up a unique code."

Cards across the waves Thousands of miles to the west, the U.S. Navy's Pacific Theater has been the government's primary proving ground for smart cards and the development of its "Common Access Card." With an area of responsibility that extends from the U.S. West Coast to the East Coast of Africa and an operating force of nearly 245,000 sailors, Marines, and civilian employees, it had a critical need for the advantages of the new technology.

"We want to standardize procedures and have this data more readily available," says Lee Hayashi, information security officer for the U.S. Pacific Fleet Command. "It replaces a time-consuming manual process and automates that process."

From its command center in a former World War II-era hospital complex at Camp Smith in Hawaii, Hayashi's unit is testing smart cards for identification and access control. The cards have been issued to the more than 2,500 personnel working there as part of the alphabet soup of military operations including CINCPAC (Commander in Chief of the Pacific), MARFORPAC (Marine Forces in the Pacific), and SOCPAC (Special Operations Command Pacific). They, along with personnel representing other branches of the service, use the card primarily for identification and access to the facility.

The Navy in Hawaii was the first branch of the government to attempt to use smart cards. The Camp Smith facility was outfitted with card readers manufactured by Carson, Calif.-based American Magnetics Corp. Acquired later by Group 4, the company became Group 4 Securitas Technology Corp. in 1997 and continues to provide the hardware and software for the facility. Other vendors, selected by government contracts, are expected to join them.

"The card takes the place of keys," says Hayashi. "It does two things for us. It gives a visual recognition of a person's security clearance and then it provides an audit trail for when a person has entered a space."

During regular duty hours, holders can swipe their cards to gain entry. The card must be used in conjunction with a PIN code at other times.

Hayashi says that the smart card offers the opportunity to greatly reduce the amount of paperwork required to transfer personnel from one base to another.

"Everybody in our headquarters has a security clearance," he explains. "Now when we travel from one organization to another we have to make sure that our security clearance is received on the distant end by the security officer there. Right now that process is almost entirely manual. It's possible that five or six people would have to touch your security clearance on this end and the distant end for you to get there and be productive."

By integrating security systems and personnel records, those widely separated commands could eliminate the need for exchange of paperwork. When all that information is available on a smart card, the military will reap a significant harvest of manpower savings.

"We are pushing very hard to exploit that capability," he says. "For example, on Oahu, Pacific Fleet is a Navy organization separate from us, but we work very closely with them on a daily basis. If personnel from Pacific Fleet were to come up here, they would have to go through the process of passing clearance. They have a compatible system with ours so if we can connect the system - and there is no reason why we cannot - then their security office can pass that person's identification data including his clearance to our security office here. We won't have to go through the manual process of passing his clearance or issuing him another badge."

"Eventually computer data bases will be tied together," notes Hayes of Systems Engineering, whose company worked on the Navy project. "Eventually all of these networks will be tied together on a wide area network. The information can be shared among the various commands, but they won't have access to that command. The local authority with jurisdiction will still control access. If someone shows up at that command, he still won't be able to get access until that local authority gives him access."

Observers say that within the next two years the number of military and civilian personnel carrying smart cards is expected to grow into the hundreds of thousands and eventually millions, while the number of applications the cards are capable of performing should also increase.

A long time in coming While the government may seem to be driving headlong down the smart card path, some observers note that it has taken years to get to this point.

Unlike Europe and Asia, the United States has been slow to adopt smart cards. A student at Stockholm's Royal Institute of Technology, for example, uses his smart card to access university computer services. The Shanghai railway has issued more than 10 million cards to its riders. Here, on the other hand, the cards are seldom seen.

"There are a couple of reasons for that," says Cieri. "We're very slow here to adopt technology born in Europe. You hear the names of the companies in the industry that are producing cards and they're not common U.S. names but rather French and German companies. We want our technology to be invented here."

Unlike much of Europe, the U.S. also has a highly developed telephone system that has allowed for quick confirmations of credit card transactions and other functions through dedicated phone lines. In the U.S., with its decentralized banking and governmental systems, the need and the driving force have not been present. That situation seems about to change.

The great appeal of smart cards lies in the fact that the computer in the card, properly implemented, authenticates that you are the person you claim to be, so that information and payments can be sent back and forth securely and privately, between individuals, businesses, banks and the government. This is possible because the smart card memory can host a variety of biometrics or other "authenticators" such as fingerprints, handprints, voice prints, iris scans, and PINs.

Once authentication has been implemented, smart cards can securely handle account numbers and audit trails for multiple applications. This can be done off-line between the smart card and computer or kiosk or less expensive access devices, rather than requiring on-line connections. For the individual this means easier, safer, and more private access to a wider range of buildings, assets, and services. For organizations, it means faster transactions, reduced data entry costs, reduced fraud loss, and less costly computer systems.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue