BIOMETRICS MOVES TO CENTER STAGE
<font SIZE="2"><p>When U.S. forces operating in Afghanistan capture suspected al Qaeda terrorists, they
When U.S. forces operating in Afghanistan capture suspected al Qaeda terrorists, they
are required to take the detainees' fingerprints, photos, names and other personal
information.
been used for fingerprinting. Instead, representatives of the FBI's Criminal Justice
Information Services division in Afghanistan are carrying around laptop computers and
portable fingerprint capture systems. The agents transfer the data, via both telephone
lines and satellite, to FBI offices in the United States, where it is stored in its own
database and also screened against the Integrated Automated Fingerprint Identification
System, the massive FBI database.This screening helps determine
the detainees' true identities and whether they have been associated with other known
terrorists or involved in other criminal activities. "In the
broadest sense, this technology is really being used to enhance not only the FBI's
identification efforts to identify and populate the database of potential terrorists, but
[also] their investigative capabilities," said Robert Bucknam, senior vice president
for government and international affairs at Cross Match Technologies Inc., the Palm Beach
Gardens, Fla., company that provided the fingerprint biometrics technology to the FBI.
The role played by the FBI's fingerprint identification system in the war
on terrorism highlights the growing prominence of biometric technologies since the Sept.
11 attacks in New York and Washington. Biometrics, which is the process of using an
individual's physical or behavioral traits as a form of identification, comes in many
forms.Fingerprint recognition is the best known and most widely
used of the biometrics technologies now available. Another is hand geometry, which
analyzes the length, width and thickness of fingers and palm. Iris and retinal scans,
facial recognition, voice recognition, thermal imaging and signature recognition round out
the list of most common biometrics.Except for fingerprinting,
most biometric technologies had not been widely used before Sept. 11, and many experts
derided biometrics as expensive and unreliable. But homeland security efforts at all
levels of government have given the biometrics industry a shot in the arm.
Congress has mandated that biometrics be considered in many government
applications. For instance, the USA Patriot Act, passed in October 2001, required the
attorney general and secretaries of State and Transportation to conduct a feasibility
study for using a fingerprint scanning system at consular offices abroad and at border
entry points. The goal is to identify individuals who might be wanted in connection with a
criminal investigation before they get visas or enter or exit the country.
Lucas'
organization estimates that government spending on biometric technologies will grow from
$217 million in 2002 to $512 million in 2005.While the dollar
amount may appear small, it is not unusual for biometrics to comprise 5 percent to 10
percent of the value of a contract, said R. J. Langley, a TRW Inc. Technical Fellow
specializing in biometrics research and development. The rest of the money goes into the
back-end systems, such as database management, distribution and analysis.
But proponents said biometric
solutions, even as role players, can significantly enhance security.
NEW FEDERAL PROJECTS
Although companies and federal agencies are exploring a variety of
biometric solutions, most current projects involve fingerprinting. That's because the FBI
has used fingerprints as a form of identification for decades, and both the agency and law
enforcement offices across the country have invested in fingerprint technology, said Tim
Corcoran, a senior systems analyst for biometrics and identification systems with Northrop
Grumman Corp., Los Angeles.In addition, the public is familiar
with fingerprints as a form of unique identifier, he said, and many people have already
submitted fingerprints for one reason or another, from military service to security
requirements for their jobs.Perhaps the best known federal effort
involving biometrics is the Defense Department's smart-card project, administered through
a General Services Administration contract worth up to $1.5 billion over 10 years.From October 2000, when multiple contracts were awarded, to the end of
August, more than 1 million Common Access Cards have been issued. In June, Lt. Gen. Pete
Cuviello, chief information officer for the Army, said the Pentagon plans to include a
biometric identifier on all the cards.A new, major federal effort
requiring a biometric solution is the Transportation Worker Identification Credential
system. The TWIC will be a smart card incorporating some form of biometric identifier,
issued to Transportation Security Administration employees and to those who work in the
aviation industry, according to Mark Emery, acting deputy CIO of TSA. The card will later
be rolled out to workers in the maritime, rail and trucking industries. SIZE="2">"There are millions and millions of people who would make use of this
card," Emery said.TSA had $35 million in funding for fiscal
2002 to conduct research and development for TWIC. Emery said the agency is requesting
continued R&D funding and money for a pilot program in the 2003 budget, with major
funding to begin full-scale implementation in fiscal 2004. TSA
officials have not decided whether to treat this as a standalone program or if Unisys
Corp., which just received the agency's $1 billion infrastructure startup contract, will
administer it, he said.The Justice Department has three
prospective biometrics-related projects under evaluation. In one, the Immigration and
Naturalization Service would run the Overseas Refugee Fingerprinting Program, establishing
fingerprinting facilities at U.S. embassies and refugee camps abroad to identify and track
individuals seeking refugee status in the United States.The
second program, also for the INS, would link the agency's existing automated biometric
identification system, called IDENT, with the FBI's Integrated Automated Fingerprint
Identification System, or IAFIS, to create a single fingerprint identification system.
One of the biggest programs still to be unveiled is the U.S. Entry-Exit
System, intended to systematically track the arrival and departure of foreigners. In
particular, the system is intended to allow the government to establish the identity of
those who intend to visit the United States, verify the identity of those who enter the
country, flag their status if they overstay the terms of their entry documents, and alert
the government if they are or become identified as national security threats.SIZE="2">The agencies are still preparing the request for proposals for these programs,
whose projected costs are uncertain.With the government market
for biometrics expected to heat up, some integrators are investing in their own biometric
solutions.Science Applications International Corp., for instance,
has created a dedicated biometrics laboratory for assessing technologies and how they
integrate into larger systems. The San Diego company is using facial recognition as an
entrance requirement to the lab's offices. If a face doesn't match any records on file,
the person cannot enter. There also are workstations using iris or retinal scanners to log
in.SAIC is working on a contract for the New York Police
Department involving fingerprint biometrics, in which commanding officers in the field can
use a handheld computer to verify police officers' fingerprints and use the information
for time and attendance records and other human resources applications.SIZE="2">"Sept. 11 just advanced the schedule. Everybody was kind of going this way
before the attack," said Mark Gibson, smart solutions division manager at SAIC.
NCI Information Systems Inc., a small integrator with just 1,350 employees,
has selected biometrics as an area where it can stand out. The McLean, Va., company
recently completed integrating a project at Arlington National Cemetery providing a
fingerprint solution for physical access control that ties into time sheet and personnel
functions."Not all the innovation takes place in the
behemoth companies," said Tom Reinhardt, vice president of business development and
homeland security for NCI.Unisys also is looking to provide
biometric solutions to the government. Ed Schaffner, director of positive identification
and access control solutions in the company's public-sector unit, said Unisys is working
with the Defense Department to enhance facial recognition technologies to more accurately
identify individuals. The company also is talking to the State Department about using
biometrics for controlling its network access.TRW's Langley
believes that biometrics will be both crucial to security and ubiquitous in presence.
Consequently, the government should be considering how to develop a biometrics
infrastructure over the next 15 years, such as the frameworks already in place for
electricity, telecommunications and roads, he said.Whether in
their professional or personal lives, people will come to realize that biometrics provide
protection against identity theft, just as the government recognizes biometrics as a
useful tool against fraud and abuse.The growing debate over
privacy vs. security does not have to derail the widespread use of the technology, Langley
said."These stovepipe mechanisms [are] a patchwork system
without an architecture," he said. "There needs to be an overall architecture...
a national infrastructure, but not a national database."Staff Writer Patience Wait can be reached at
pwait@postnewsweektech.com.
Sizing up who will succeed in government IT market
BY JERRY GROSSMAN
Since Sept. 11, investors and market analysts have
correctly identified the government information technology market as a good sector for
investment. While this is a sound strategy for many reasons, all companies will not
prosper. The size and scope of the opportunity in this sector can
differ from company to company, depending on the degree to which each company has aligned
its thinking and organized its resources with market realities. The
continuing migration in government IT from staff augmentation to outsourcing shows no
signs of abating. Historically, government agencies purchased support services to augment
employee teams, managed by supervisors. Today, government executives are looking to buy
solutions. Government entities, faced with shrinking staffs and
retirements of key people, want full-scope capabilities from their service providers,
including situational analysis, alternatives identification and selection, solution
architecture, implementation and -- increasingly -- operation.There
are other factors supporting these IT contracting trends. Military transformation has
high-priority focus on interoperability. The communications element within and between
organizations is paramount. And IT capability is the foundation, the platform upon which
interoperable communications systems will be designed and implemented. SIZE="2">Systems modernizations at the Internal Revenue Service, Federal Aviation
Administration and U.S. Customs Service, among others, will require complex,
enterprise-scope solutions. Another factor is government reorganization, most particularly
the creation of the Department of Homeland Security. As a
consequence of the number and scope of government IT projects, the emergence of Web-based
systems and the goal of improved data sharing among agencies, the Office of Management and
Budget set forth 24 e-government initiatives and placed a temporary hold on major projects
pending OMB review.Taken together, these government objectives,
and the priorities attached to them, provide a target-rich market for well-positioned
government IT companies.For some IT businesses, the emerging
environment is more of a threat than an opportunity. Segmentation of IT companies into
four tiers helps in assessing the performance outlook. Based upon revenue size, the
breakdown is: tier 1, more than $1 billion; tier 2, $250 million to $1 billion; tier 3,
$30 million to $250 million; tier 4, under $30 million.Successful
companies will combine all elements of an effective solution into their offerings.This is a very complex environment, requiring significant resource
mobilization, pricing, costing, negotiating and project management skills. While staff
augmentation has its place, it will capture a shrinking proportion of government budgets,
generally, at lower margins.Typically, tier 1 companies will lead
on large, complex IT projects. In these circumstances, companies in tiers 3 and 4 will
serve as subcontractors. For most of the smaller IT projects, companies in tiers 2 through
4 will be best cast in a prime contractor role. Focus and depth in
critical IT segments will increase in importance for all companies, but is most critical
for tiers 2 and 3. Companies in tier 4 will continue to benefit from contract set asides
under 8(a) and small business preference programs.At the end of
the day, the winners will be companies that can think in terms of problem-solving based
upon available IT. The size and growth of government information management needs,
considered in the context of ongoing upgrades in technology tools, suggest a long-term,
robust market for government IT companies. Well-managed companies
can expect double-digit, organic revenue growth, profit margin expansion and acquisition
opportunities.
Jerry Grossman is managing director at Houlihan Lokey Howard & Zukin Don't think biometric access devices are silver bullets for your security
in McLean, Va. He can be reached at jgrossman@hlhz.com.
vulnerabilities. In fact, if not applied correctly, they can create new gaps in security.
The USA Patriot Act, signed into law in October 2001, gave fresh impetus to
adoption of biometrics, which vendors were earlier touting as password replacement
devices.Now that they've come under close scrutiny by government
and private labs, such as that operated by Washington Technology's sister publication,
Government Computer News, companies have acknowledged that biometric devices are effective
only when used in conjunction with other forms of authentication.To
ensure these devices protect rather than compromise security, it's important to clear up
some misconceptions. The most common of these is that one type of device is good for all
applications. Before thinking about biometrics, you've got to think about precisely what
it is you're trying to protect: an entrance to a building? A computer network? A data
center?Earlier this year, I reviewed both facial and iris
recognition products. Some are designed more for perimeter security than for computer
access. Facial recognition products are less obtrusive than
fingerprint devices. They can adjust to changing appearances of an individual. By
contrast, most fingerprint devices often won't work if the user's authentication finger is
obscured by food, grease or injury.Biometric devices used for
perimeter security are difficult to tamper with, because the servers containing the
biometric data are inside the perimeter or in some remote location. But facial recognition
has the added advantage of letting you record videos of comings and goings.SIZE="2">I've found that in some instances, facial recognition authenticates faster than
fingerprints and is more reliable than many forms of fingerprint recognition, specifically
devices with optical sensors.On the other hand, fingerprint
authentication is a better choice on a standalone computer mainly because, unlike facial
biometrics technology, it is not affected by change in light. Lighting -- direction,
quality and intensity -- seriously impact facial recognition software. And with more
users, the reliability of facial recognition can decline, particularly if you can't
control the lighting and there are shadows. Quite simply, it is easy to fool a facial
recognition engine.This point leads to two other common
misconceptions. One is that the purpose of biometrics is to eliminate the password, and
the second is that trying to fool a biometric device is easy.Because
the technology isn't 100 percent reliable, you should always deploy biometrics along with
regular passwords, or a keypad for door control systems.All
biometric devices read or measure a physical characteristic and store the results in a
database. With most systems, those results -- that is, users' profiles -- are adjusted,
converted into an algorithm and encrypted before storing. The
security weakness with biometrics exists between the device that records the biometric
information and the computer. That middleware could be hacked, giving the unauthorized
user full access.Fortunately, because the industry is assumed to
be on the beginning of a growth curve, companies are getting more specialized, dividing up
the development of software and hardware. This split in development, typified by the
relationship between Panasonic Security and Digital Imaging Co. and Iridian Technologies
Inc., is helping the technology mature and gain customer acceptance.SIZE="2">If a hacker was to gain access to your biometric template, chances are he
wouldn't capture any of your users' physical characteristics, since most systems convert
recorded traits into numbers and characters impossible to reverse engineer.SIZE="2">So where is the industry heading? I believe iris recognition and facial
recognition, where developments are occurring rapidly, are the next big things in
biometric security. They're growing more reliable, but they are not inexpensive. Facial
recognition infrastructures can cost upward of $20,000 to secure a small area.SIZE="2">I have no doubt that biometric technology is here to stay. By itself, it won't
save your network from intelligent and determined evildoers, but it nevertheless can add a
secure layer to your network and act as a stronger deterrent.
Carlos Soto is an associate editor of Government Computer News and
is a technology reviewer with an expertise in security, storage, wireless devices and
digital cameras. His reviews of biometric technologies can be found with this article at
Upcoming contracts
Contactless/Biometric
Technology for Controlling AccessAgency: Navy Space and Naval
Warfare Systems CenterStatus: Pre-RFPPurpose:
Provide access control to facilities and IT networks of the Navy and the rest of the
Defense Department. IDENT/IAFIS
Integration ProjectAgency: Justice DepartmentSIZE="2">Status: Pre-RFPPurpose: Integrate the fingerprint
databases of the Immigration and
Naturalization Service and the FBI into
a single database. Internet
Software Security PackageAgency: Social Security
AdministrationStatus: Pre-RFPPurpose:
Provide security for
applications hosted on the agency's WebSphere applications.
Overseas Refugee
Fingerprinting ProgramAgency: Immigration and
Naturalization ServiceStatus: Pre-RFPStatus: Pre-RFP
NEXT STORY: Wi-Fi in the city