BIOMETRICS MOVES TO CENTER STAGE (cover test 3)

Find opportunities — and win them.

<FONT SIZE=2>When U.S. forces operating in Afghanistan capture suspected al Qaeda terrorists, they are required to take the detainees' fingerprints, photos, names and other personal information. </FONT>

Since Sept. 11, investors and

R.J. Langley, a TRW Inc. Technical Fellow, surrounded by multitudes of smart cards. He said he believes biometrics technology can provide greater protection for all applications.

The town of Ashland, Ore.,
allows local businesses to offer
public wireless Internet access
through its fiber-optic backbone.

When U.S. forces operating in Afghanistan capture suspected al Qaeda terrorists, they are required to take the detainees' fingerprints, photos, names and other personal information.

But since early this year, ink and paper have not been used for fingerprinting. Instead, representatives of the FBI's Criminal Justice Information Services division in Afghanistan are carrying around laptop computers and portable fingerprint capture systems. The agents transfer the data, via both telephone lines and satellite, to FBI offices in the United States, where it is stored in its own database and also screened against the Integrated Automated Fingerprint Identification System, the massive FBI database.

This screening helps determine the detainees' true identities and whether they have been associated with other known terrorists or involved in other criminal activities.

"In the broadest sense, this technology is really being used to enhance not only the FBI's identification efforts to identify and populate the database of potential terrorists, but [also] their investigative capabilities," said Robert Bucknam, senior vice president for government and international affairs at Cross Match Technologies Inc., the Palm Beach Gardens, Fla., company that provided the fingerprint biometrics technology to the FBI.

The role played by the FBI's fingerprint identification system in the war on terrorism highlights the growing prominence of biometric technologies since the Sept. 11 attacks in New York and Washington. Biometrics, which is the process of using an individual's physical or behavioral traits as a form of identification, comes in many forms.

Fingerprint recognition is the best known and most widely used of the biometrics technologies now available. Another is hand geometry, which analyzes the length, width and thickness of fingers and palm. Iris and retinal scans, facial recognition, voice recognition, thermal imaging and signature recognition round out the list of most common biometrics.

Except for fingerprinting, most biometric technologies had not been widely used before Sept. 11, and many experts derided biometrics as expensive and unreliable. But homeland security efforts at all levels of government have given the biometrics industry a shot in the arm.

Many people are familiar with the FBI's fingerprint system, a long-standing program. Fewer know that in May, the Office of the Legislative Counsel in the House of Representatives moved to implement iris scanning as a security measure on its computers.

Congress has mandated that biometrics be considered in many government applications. For instance, the USA Patriot Act, passed in October 2001, required the attorney general and secretaries of State and Transportation to conduct a feasibility study for using a fingerprint scanning system at consular offices abroad and at border entry points. The goal is to identify individuals who might be wanted in connection with a criminal investigation before they get visas or enter or exit the country.

"The government sector is projected to become the largest vertical application over the next couple of years, even expected to surpass law enforcement, which is currently the largest," said Jackie Lucas, director of marketing with International Biometric Group LLC, New York. IBG is a biometric integration and consulting firm that works in both the government and commercial sectors.

Lucas' organization estimates that government spending on biometric technologies will grow from $217 million in 2002 to
Langley_R.J
$512 million in 2005.

While the dollar amount may appear small, it is not unusual for biometrics to comprise 5 percent to 10 percent of the value of a contract, said R. J. Langley, a TRW Inc. Technical Fellow specializing in biometrics research and development. The rest of the money goes into the back-end systems, such as database management, distribution and analysis.

Although many manufacturers of iris scan, facial recognition and other biometrics initially touted these technologies as standalone security solutions, most experts agree that the role played by biometrics will be as pieces of an overall solution.

"They tend to be part of the bigger scheme of things," said Mike Brooks, director of the General Services Administration's Center for Smart Card Solutions. As an example, Brooks pointed to a Treasury Department smart-card project in which biometrics was a subcomponent.

But proponents said biometric solutions, even as role players, can significantly enhance security.

"The government ... has come to realize that biometrics is a valuable technique to protect physical places and information. That understanding had grown before Sept. 11 and the anthrax [attacks]," said Walter Hamilton, vice president of business development with SAFLink Corp., a Bellevue, Wash., company that provided the iris scan technology to the House Office of the Legislative Counsel.

NEW FEDERAL PROJECTS

Although companies and federal agencies are exploring a variety of biometric solutions, most current projects involve fingerprinting. That's because the FBI has used fingerprints as a form of identification for decades, and both the agency and law enforcement offices across the country have invested in fingerprint technology, said Tim Corcoran, a senior systems analyst for biometrics and identification systems with Northrop Grumman Corp., Los Angeles.

In addition, the public is familiar with fingerprints as a form of unique identifier, he said, and many people have already submitted fingerprints for one reason or another, from military service to security requirements for their jobs.

Perhaps the best known federal effort involving biometrics is the Defense Department's smart-card project, administered through a General Services Administration contract worth up to $1.5 billion over 10 years.

From October 2000, when multiple contracts were awarded, to the end of August, more than 1 million Common Access Cards have been issued. In June, Lt. Gen. Pete Cuviello, chief information officer for the Army, said the Pentagon plans to include a biometric identifier on all the cards.

A new, major federal effort requiring a biometric solution is the Transportation Worker Identification Credential system. The TWIC will be a smart card incorporating some form of biometric identifier, issued to Transportation Security Administration employees and to those who work in the aviation industry, according to Mark Emery, acting deputy CIO of TSA. The card will later be rolled out to workers in the maritime, rail and trucking industries.

"There are millions and millions of people who would make use of this card," Emery said.

TSA had $35 million in funding for fiscal 2002 to conduct research and development for TWIC. Emery said the agency is requesting continued R&D funding and money for a pilot program in the 2003 budget, with major funding to begin full-scale implementation in fiscal 2004.

TSA officials have not decided whether to treat this as a standalone program or if Unisys Corp., which just received the agency's $1 billion infrastructure startup contract, will administer it, he said.

The Justice Department has three prospective biometrics-related projects under evaluation. In one, the Immigration and Naturalization Service would run the Overseas Refugee Fingerprinting Program, establishing fingerprinting facilities at U.S. embassies and refugee camps abroad to identify and track individuals seeking refugee status in the United States.

The second program, also for the INS, would link the agency's existing automated biometric identification system, called IDENT, with the FBI's Integrated Automated Fingerprint Identification System, or IAFIS, to create a single fingerprint identification system.

One of the biggest programs still to be unveiled is the U.S. Entry-Exit System, intended to systematically track the arrival and departure of foreigners. In particular, the system is intended to allow the government to establish the identity of those who intend to visit the United States, verify the identity of those who enter the country, flag their status if they overstay the terms of their entry documents, and alert the government if they are or become identified as national security threats.

The agencies are still preparing the request for proposals for these programs, whose projected costs are uncertain.

With the government market for biometrics expected to heat up, some integrators are investing in their own biometric solutions.

Science Applications International Corp., for instance, has created a dedicated biometrics laboratory for assessing technologies and how they integrate into larger systems. The San Diego company is using facial recognition as an entrance requirement to the lab's offices. If a face doesn't match any records on file, the person cannot enter. There also are workstations using iris or retinal scanners to log in.

SAIC is working on a contract for the New York Police Department involving fingerprint biometrics, in which commanding officers in the field can use a handheld computer to verify police officers' fingerprints and use the information for time and attendance records and other human resources applications.

"Sept. 11 just advanced the schedule. Everybody was kind of going this way before the attack," said Mark Gibson, smart solutions division manager at SAIC.

NCI Information Systems Inc., a small integrator with just 1,350 employees, has selected biometrics as an area where it can stand out. The McLean, Va., company recently completed integrating a project at Arlington National Cemetery providing a fingerprint solution for physical access control that ties into time sheet and personnel functions.

"Not all the innovation takes place in the behemoth companies," said Tom Reinhardt, vice president of business development and homeland security for NCI.

Unisys also is looking to provide biometric solutions to the government. Ed Schaffner, director of positive identification and access control solutions in the company's public-sector unit, said Unisys is working with the Defense Department to enhance facial recognition technologies to more accurately identify individuals. The company also is talking to the State Department about using biometrics for controlling its network access.

TRW's Langley believes that biometrics will be both crucial to security and ubiquitous in presence. Consequently, the government should be considering how to develop a biometrics infrastructure over the next 15 years, such as the frameworks already in place for electricity, telecommunications and roads, he said.

Whether in their professional or personal lives, people will come to realize that biometrics provide protection against identity theft, just as the government recognizes biometrics as a useful tool against fraud and abuse.

The growing debate over privacy vs. security does not have to derail the widespread use of the technology, Langley said.

"These stovepipe mechanisms [are] a patchwork system without an architecture," he said. "There needs to be an overall architecture... a national infrastructure, but not a national database." *

Staff Writer Patience Wait can be reached at pwait@postnewsweektech.com.

market analysts have correctly identified the government information technology market as a good sector for investment. While this is a sound strategy for many reasons, all companies will not prosper.

The size and scope of the opportunity in this sector can differ from company to company, depending on the degree to which each company has aligned its thinking and organized its resources with market realities.

The continuing migration in government IT from staff augmentation to outsourcing shows no signs of abating. Historically, government agencies purchased support services to augment employee teams, managed by supervisors. Today, government executives are looking to buy solutions.

Government entities, faced with shrinking staffs and retirements of key people, want full-scope capabilities from their service providers, including situational analysis, alternatives identification and selection, solution architecture, implementation and -- increasingly -- operation.

There are other factors supporting these IT contracting trends. Military transformation has high-priority focus on interoperability. The communications element within and between organizations is paramount. And IT capability is the foundation, the platform upon which interoperable communications systems will be designed and implemented.

Systems modernizations at the Internal Revenue Service, Federal Aviation Administration and U.S. Customs Service, among others, will require complex, enterprise-scope solutions. Another factor is government reorganization, most particularly the creation of the Department of Homeland Security.

As a consequence of the number and scope of government IT projects, the emergence of Web-based systems and the goal of improved data sharing among agencies, the Office of Management and Budget set forth 24 e-government initiatives and placed a temporary hold on major projects pending OMB review.

Taken together, these government objectives, and the priorities attached to them, provide a target-rich market for well-positioned government IT companies.

For some IT businesses, the emerging environment is more of a threat than an opportunity. Segmentation of IT companies into four tiers helps in assessing the performance outlook. Based upon revenue size, the breakdown is: tier 1, more than $1 billion; tier 2, $250 million to $1 billion; tier 3, $30 million to $250 million; tier 4, under $30 million.

Successful companies will combine all elements of an effective solution into their offerings.

This is a very complex environment, requiring significant resource mobilization, pricing, costing, negotiating and project management skills. While staff augmentation has its place, it will capture a shrinking proportion of government budgets, generally, at lower margins.

Typically, tier 1 companies will lead on large, complex IT projects. In these circumstances, companies in tiers 3 and 4 will serve as subcontractors. For most of the smaller IT projects, companies in tiers 2 through 4 will be best cast in a prime contractor role.

Focus and depth in critical IT segments will increase in importance for all companies, but is most critical for tiers 2 and 3. Companies in tier 4 will continue to benefit from contract set asides under 8(a) and small business preference programs.

At the end of the day, the winners will be companies that can think in terms of problem-solving based upon available IT. The size and growth of government information management needs, considered in the context of ongoing upgrades in technology tools, suggest a long-term, robust market for government IT companies.

Well-managed companies can expect double-digit, organic revenue growth, profit margin expansion and acquisition opportunities. *

Jerry Grossman is managing director at Houlihan Lokey Howard & Zukin in McLean, Va. He can be reached at jgrossman@hlhz.com.

Don't think biometric access devices are silver bullets for your security vulnerabilities. In fact, if not applied correctly, they can create new gaps in security.

The USA Patriot Act, signed into law in October 2001, gave fresh impetus to adoption of biometrics, which vendors were earlier touting as password replacement devices.

Now that they've come under close scrutiny by government and private labs, such as that operated by Washington Technology's sister publication, Government Computer News, companies have acknowledged that biometric devices are effective only when used in conjunction with other forms of authentication.

To ensure these devices protect rather than compromise security, it's important to clear up some misconceptions. The most common of these is that one type of device is good for all applications. Before thinking about biometrics, you've got to think about precisely what it is you're trying to protect: an entrance to a building? A computer network? A data center?

Earlier this year, I reviewed both facial and iris recognition products. Some are designed more for perimeter security than for computer access.

Facial recognition products are less obtrusive than fingerprint devices. They can adjust to changing appearances of an individual. By contrast, most fingerprint devices often won't work if the user's authentication finger is obscured by food, grease or injury.

Biometric devices used for perimeter security are difficult to tamper with, because the servers containing the biometric data are inside the perimeter or in some remote location. But facial recognition has the added advantage of letting you record videos of comings and goings.

I've found that in some instances, facial recognition authenticates faster than fingerprints and is more reliable than many forms of fingerprint recognition, specifically devices with optical sensors.

On the other hand, fingerprint authentication is a better choice on a standalone computer mainly because, unlike facial biometrics technology, it is not affected by change in light. Lighting -- direction, quality and intensity -- seriously impact facial recognition software. And with more users, the reliability of facial recognition can decline, particularly if you can't control the lighting and there are shadows. Quite simply, it is easy to fool a facial recognition engine.

This point leads to two other common misconceptions. One is that the purpose of biometrics is to eliminate the password, and the second is that trying to fool a biometric device is easy.

Because the technology isn't 100 percent reliable, you should always deploy biometrics along with regular passwords, or a keypad for door control systems.

All biometric devices read or measure a physical characteristic and store the results in a database. With most systems, those results -- that is, users' profiles -- are adjusted, converted into an algorithm and encrypted before storing.

The security weakness with biometrics exists between the device that records the biometric information and the computer. That middleware could be hacked, giving the unauthorized user full access.

Fortunately, because the industry is assumed to be on the beginning of a growth curve, companies are getting more specialized, dividing up the development of software and hardware. This split in development, typified by the relationship between Panasonic Security and Digital Imaging Co. and Iridian Technologies Inc., is helping the technology mature and gain customer acceptance.

If a hacker was to gain access to your biometric template, chances are he wouldn't capture any of your users' physical characteristics, since most systems convert recorded traits into numbers and characters impossible to reverse engineer.

So where is the industry heading? I believe iris recognition and facial recognition, where developments are occurring rapidly, are the next big things in biometric security. They're growing more reliable, but they are not inexpensive. Facial recognition infrastructures can cost upward of $20,000 to secure a small area.

I have no doubt that biometric technology is here to stay. By itself, it won't save your network from intelligent and determined evildoers, but it nevertheless can add a secure layer to your network and act as a stronger deterrent. *

Carlos Soto is an associate editor of Government Computer News and is a technology reviewer with an expertise in security, storage, wireless devices and digital cameras. His reviews of biometric technologies can be found with this article at www.washingtontechnology.com.

Contactless/Biometric

Technology for Controlling Access


Agency: Navy Space and Naval

Warfare Systems Center


Status: Pre-RFP

Purpose: Provide access control to facilities and IT networks of the Navy and the rest of the Defense Department.

 

IDENT/IAFIS Integration Project

Agency: Justice Department

Status: Pre-RFP

Purpose: Integrate the fingerprint databases of the Immigration and

Naturalization Service and the FBI into

a single database.


 

Internet Software Security Package

Agency: Social Security

Administration


Status: Pre-RFP

Purpose: Provide security for

applications hosted on the agency's WebSphere applications.


 

Overseas Refugee

Fingerprinting Program


Agency: Immigration and

Naturalization Service


Status: Pre-RFP

Purpose: Identify and track refugees seeking asylum in the United States.

 

fast to process and inexpensivereliable authentication

 

Coming next issue: Washington Technology looks at the legislative, policy and budgetary victories and struggles of the government IT industry as the 107th Congress comes to a close.

NEXT STORY: Wi-Fi in the city (cover test 3)