Building Bridges of Security
Federal Group Fosters Agency PKI Cooperation
- By Ed McKenna
- Jul 12, 2001
The federal government reached a milestone in June with the launch of a program that may ultimately create a governmentwide public-key infrastructure to protect e-government initiatives.
The Federal Bridge Certification Authority, which promotes PKI interoperability, has begun working with agencies that built their own security infrastructure but "forgot to put a gate in the wall," said Judith Spencer, chairwoman of the Federal PKI Steering Committee that oversees the PKI effort.
The Federal Bridge organization is but one part of a multifaceted federal PKI effort, which also includes the General Services Administration's Access Certificates for Electronic Services program and many ad hoc agency initiatives. The Federal Bridge falls under the umbrella of the Federal Chief Information Officers Council.
"I would describe the activity on PKI in the government as several related or interrelated yet independent initiatives," said Sathvik Krishnamurthy, vice president, marketing and business development at Mountain View, Calif.-based ValiCert Inc., one of many vendors with a stake in those initiatives.
The stake could be lucrative. A study by the Postal Service estimated government spending on PKI and related services at $2 billion.
The federal effort has been criticized for being too slow and costly, but Spencer said steady progress is being made on all fronts.
The federal program is part of a nascent worldwide PKI market projected to grow from $436 million last year to $3.4 billion in 2006, according to London-based Datamonitor.
That growth is driven by the desire to boost Internet commerce in the face of rising threats. "Life is getting really bad out there; there are more known vulnerabilities published every day and more hackers," said Brian O'Higgins, chief technical officer with Plano, Texas-based Entrust Inc.
PKI combines software, encryption technologies and security policies to combat these threats. Appended to electronic messages, digital certificates are the coin of the realm. They are issued by certification authorities, which vouch for each certificate holder's identity and the certificate's authenticity each time it is used.
PKI furnishes a means to identify users, determine what they are entitled to, verify they are who they say they are and provide privacy via encryption, O'Higgins said.
In addition to security concerns, the federal PKI effort is driven by legislation, such as the Health Insurance Portability and Accountability Act and the Government Paperwork Elimination Act, mandating, respectively, higher levels of electronic security and electronic access to government documents and services.
To date, reviews of that effort have been mixed.
"One way to characterize the federal approach is 'just let everyone do whatever they want,' " said Victor Wheatman, vice president and research director for Gartner Dataquest, San Jose, Calif. "That is not going to work and apparently is not working," he said, pointing to the need for the Federal Bridge to iron out differences between programs.
Wheatman and other observers are also skeptical about the long-term viability of the Federal Bridge.
"It has one very difficult problem: To interoperate with end applications, the Federal Bridge will have to modify those applications," said Nick Piazzola, vice president of federal markets for VeriSign Inc. of Mountain View, Calif. Consequently, if it is to be used on a widespread scale, it will have to get commercial vendors to modify their applications.
Other industry officials, like Cylink Corp. President and Chief Executive Officer William Crowell, complain the effort is moving too slowly. "There aren't a lot of completed functioning services built on PKI," Crowell said.
In February, the General Accounting Office weighed in, noting progress in individual implementations but adding that "substantial challenges" including cost, scalability and interoperability must be overcome before the technology can be widely and effectively deployed.
Acknowledging it has been "a very slow roll," Spencer said the program "has definitely been gaining momentum."
The GAO report was "very helpful," she said. It provided a "very good snapshot of where federal PKI is" and the issues "we have to face."
Spencer said the program's cost and scalability concerns will recede. "We know it saves a lot of money, but there are upfront costs," she said.
A U.S. Postal Service study pegged those costs at about $2 billion for all the government, said Bob Krause, vice president of e-commerce for the Postal Service.
That spending covers investments not only in the product but also in the people, processes and facilities necessary to make the new infrastructure work, said Derek Brink, chairperson of the PKI Forum and director of marketing for RSA Security Inc., Bedford, Mass.
Scalability is no longer an issue thanks to technology improvements, including greater bandwidth and processor speeds, Spencer said.
PKI is in fact the only technology with the promise to scale to the size that will be needed by the government. A PIN-password system of that size, for example, would be unworkable, said Brink.
Finally, the Federal Bridge is designed to tackle many of the interoperability issues. Begun about three years ago, it will operate as a hub certificate authority providing "a chain of trust" between agency certificate authorities, said Dean Coclin, business development manager at Baltimore Technologies of San Mateo, Calif. Baltimore and Entrust are providing certificate authority technology for the project.
For example, "if you have a certificate issued by the Justice Department and want to send an e-mail to somebody at the Department of Labor, that certificate ... would be certified by the Bridge CA," he said. "They would actually sign the Justice Department certificate and then that certificate ... would be sent to the recipient who would be able to verify it because of the 'chain of trust' that has been developed through the Bridge."
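The "chain of trust" Coclin describes can be shown as a certification path, in an added example that is not from the original article or the Federal Bridge project. It assumes the Python `cryptography` package, constructed names and Ed25519 keys, and that the Labor CA has cross-certified the Bridge; it checks name chaining, the CA flag and signatures only, leaving out expiry, revocation and policy mapping.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2001, 7, 12)  # constructed issuance date

def issue(subject, subject_key, issuer, issuer_key, is_ca):
    """Issuer signs a certificate binding the subject name to the subject's public key."""
    cn = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder()
            .subject_name(cn(subject)).issuer_name(cn(issuer))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, None))  # Ed25519 needs no separate hash algorithm

def verify_path(anchor, path):
    """Check each certificate against the one above it, from trust anchor to end entity."""
    issuer = anchor
    for cert in path:
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if cert.issuer != issuer.subject or not bc.ca:
            return False  # names do not chain, or the issuer is not a CA
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
        except InvalidSignature:
            return False
        issuer = cert
    return True

def demo():
    # All names and keys below are constructed for illustration.
    k = {n: Ed25519PrivateKey.generate() for n in ("labor", "bridge", "justice", "user", "rogue")}
    labor_root = issue("Labor CA", k["labor"], "Labor CA", k["labor"], True)
    labor_x_bridge = issue("Bridge CA", k["bridge"], "Labor CA", k["labor"], True)
    bridge_x_justice = issue("Justice CA", k["justice"], "Bridge CA", k["bridge"], True)
    user = issue("user@justice.example", k["user"], "Justice CA", k["justice"], False)
    forged = issue("user@justice.example", k["user"], "Justice CA", k["rogue"], False)
    return {
        "via_bridge": verify_path(labor_root, [labor_x_bridge, bridge_x_justice, user]),
        "no_cross_cert": verify_path(labor_root, [bridge_x_justice, user]),
        "forged_issuer": verify_path(labor_root, [labor_x_bridge, bridge_x_justice, forged]),
    }

if __name__ == "__main__":
    print(demo())
```

The Labor relying party holds only its own CA as trust anchor; the path validates solely because each link down to the Justice user is signed by the certificate above it.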
Aside from agency interoperability, it will be used, possibly within the year, to harmonize transactions between federal, state and international programs, Spencer said. NASA and the National Finance Center are likely to be the first users.
But a bridge connection with the private sector is a ways off, she said. "Settling the issues with other governments and states is a little easier than ... with the commercial sector," she said.
For now, agencies that need to reach out to businesses and private citizens can use GSA's Access Certificates for Electronic Services (ACES) program, said Spencer. The ACES program offers PKI hardware, software and services that are designed to secure government/citizen transactions.
Instead of trying to knit together existing PKIs with independent policies, ACES offers a solution that begins with a policy, said Keren Cummins, vice president of government services at Digital Signature Trust Co. of Salt Lake City. That policy was enunciated by GSA before awarding contracts to AT&T Corp., DST and Operational Research Consultants Inc. in 1999.
In the ACES scenario, if a user presents an ACES certificate to an application, there is a little module on that application that looks at the certificate and identifies it as, for example, a DST certificate and then checks immediately the validity of that certificate with DST, Cummins said.
ACES is quicker and simpler than the Federal Bridge, but "both approaches are valuable because there are these existing PKIs that do need to interoperate," Cummins said.
ACES, however, does have its limitations.
Because of Federal Acquisition Regulation restrictions, it can only be used to secure transactions with the federal government, Spencer said.
In addition, the program offers only a "medium level" certificate that may not be sufficient for all applications, said Tony Trenkle, deputy associate commissioner for electronic services at Social Security Administration.
When it was set up, there were concerns that "if ACES came in with the highest possible certificate - a so-called gold certificate - it could be priced out of the market," Trenkle said. Agencies with greater security concerns can obtain the ACES certificates and add "a second-level proofing," he said.
Last year, Social Security acquired Digital Signature Trust services through ACES to build a pilot program allowing employers to supply wage information over the Internet. Initially hosted by Digital Signature Trust, that pilot has now entered a second phase. "We are integrating it into our own process within SSA," Trenkle said, adding "it is still pretty limited with probably a hundred or fewer employers participating."
Like many other agencies, Social Security also is crafting PKI initiatives outside of the ACES framework. Working with Booz-Allen & Hamilton Inc. of McLean, Va., the agency is operating separate but similar pilots with the California Medical Association and Department of Veterans Affairs offices in Mississippi testing the use of secure e-mail to send medical records. These programs are designed not only to test technology, but also to look at ways to scale it and ensure that it is HIPAA compliant, he said.
Begun May 1, the VA pilot is ongoing, while the California program launched last summer and has entered a second phase in which other technologies, such as secure browsers, are being tested, said Trenkle.
Social Security also is slated to become an early user of the Postal Service's Netpost.Certified. Currently being piloted by the Health Care Financing Administration, the program will allow agencies to send secured electronic messages for "exactly 50 cents a transaction," regardless of their size, Krause said.
As it deploys across government, it may cost in the 10-cent to 20-cent range, said Chuck Chamberlain, manager of strategic marketing and e-government at the Postal Service.
"The data that flows through Netpost.Certified never really comes to us, so there is not an issue of privacy or storage," Krause said. "It is a lot like the mail; we don't open or store the mail; we deliver the mail."
The program was developed with the help of AT&T and IBM Corp. and uses Cylink's NetAuthority as its certificate authority and ValiCert technology to validate transactions. Vendors will be compensated after the program begins to generate transactions.
This is not the Postal Service's first use of PKI. In 1999, the organization introduced PC Postage, which allows citizens to use their own computers to buy stamps over the Internet.
"There have been about 800,000 digital certificates issued for that program," Chamberlain said. The service is being offered by several commercial vendors that have been licensed by the Postal Service.
What Does It Mean?
Public key infrastructure, or PKI, combines advanced software, encryption technologies and security policies to create certificates that can be attached to electronic messages. They are issued by certification authorities, which vouch for each certificate holder's identity and the certificate's authenticity each time it is used. The certificate includes a name, serial number, expiration date, a copy of that holder's public key and the digital signature of the issuing authority.