Key Takeaways from the DSI Identity Management Symposium

The Defense Strategies Institute (DSI) recently held an Identity Management Symposium in National Harbor, MD, attended by identity management (IDM) leaders from both government and industry. The goal of the symposium was to bring the best minds in the Federal IDM space together to discuss and debate the most innovative IDM solutions in support of national security. Well-known IDM leaders took part, including Shonnie Lyons, Director of the DHS Office of Biometric Identity Management (OBIM); Gary Stroupe, Section Chief of the FBI Biometrics Services Center, Criminal Justice Information Services (CJIS); Glenn Krizay, Director of the DoD Defense Forensics and Biometrics Agency (DFBA); and Stacey Fitzmaurice, Deputy Administrator at the Transportation Security Administration (TSA). Their presence led to many discussions on the technologies and policies needed to further develop the identity and access management used within the federal government.

During the two-day summit, a number of common themes came up repeatedly. Many of these themes have been driving factors throughout the biometrics and IDM industry over the last several years. Civil liberties and civil rights were frequently discussed, as was how government and industry are tackling Identity, Credentialing, and Access Management (ICAM) challenges with zero-trust architecture. As is typical at these summits, the "Big Three" data repositories (DHS, FBI, and DoD) gave updates through their respective representatives. Taken together, these themes made it easy to see the current state of IDM within the federal government and how industry is providing solutions to some of its most challenging problems.

Civil Liberties, Civil Rights, and Privacy

If there is one topic that has dominated the media and news throughout the last couple of years, it is the notion of what role civil liberties, civil rights, and privacy play within the biometrics and IDM space. 

With many high-profile cases of biometrics and IDM being utilized in various ways—including Clearview AI's goal of collecting 100 billion images for training of a face recognition algorithm or ID.me's attempt to verify people’s identity to prevent fraud using a selfie style face image—it was important for the speakers to address this issue and how their respective industries are combating or mitigating these issues. 

With the political ramifications increasing (some states and cities have put moratoriums on the use of face recognition in place), many of the speakers talked about how the industry can help dispel negative public opinion. Doing so would open the doors to, and increase acceptance of, a technology that has the potential to bring criminals to justice, reduce identity theft and fraud, create convenience for its users, and capture known or suspected terrorists.

For example, TSA has been open with the public about its use of face recognition at airport security checkpoints. The new Credential Authentication Technology (CAT-2) system uses face recognition to compare a passenger's live face with the face on their driver's license, verifying the individual more accurately than a manual check by a TSA Officer.

TSA publishes all of its Privacy Impact Assessments on its website, so anyone can read how the face recognition data is used, how long it is retained, and how the opt-in nature of the programs works. TSA also holds numerous roundtables and demonstrations of the technology with external stakeholders. This keeps TSA transparent and helps dispel some of the misunderstandings the public may have about how the technology is used. Other departments also have their own ideas on how to better address public opinion on the use of facial recognition, with education and transparency being key.

Educating legislatures is also key to informing the public. The narrative around bias in face recognition algorithms is often misleading and should be portrayed more as a success story. Algorithm developers recognized the issues years ago, built more diverse training sets, and altered their algorithms to minimize bias.

ICAM and Zero-Trust

One of the main themes at the summit was the implementation of Federal ICAM systems and how to achieve the principles of zero-trust. A core zero-trust tenet that the government should abide by is that no actor, device, network, or protocol operating outside or within any security perimeter should be automatically trusted. Maintaining a zero-trust approach ensures that the user performing an action is who they say they are.

This concept fits perfectly with ICAM, since managing access and credentials relies on accurate verification of identity. There were many discussions throughout the summit on how best to manage ICAM systems, but one thing remained constant: ICAM systems must strive for a zero-trust architecture, both to prevent bad actors from gaining access to information they lack permissions for and to ensure that credentialed users are granted only the proper level of access. Because of this, ICAM is foundational to the success of zero-trust for authentication and authorization of devices and people.

During one zero-trust panel, all of the panelists agreed on a few core concepts.

First, it was noted that zero-trust architectures aren't implemented in a single release. To get closer to a zero-trust state, both government agencies and industry partners need to start small, pick off a few vulnerabilities one at a time, and then move on to the next. The panelists all noted that it may take years to reach a point where a system owner has confidence in their system, and even then the work will never be done.

This sentiment leads to the next core concept: zero-trust will never be 100% realized in a system. All panelists noted that whenever someone believes their system or network has reached zero-trust and has mitigated all threats, some new threat will come along and break the system. Zero-trust is a continuing game of cat and mouse: finding threats, determining mitigating actions, and implementing them in the architecture. This process continues throughout the lifecycle of the system and never fully ends.

The last core tenet mentioned is that zero-trust cannot be too much of a hindrance to the user. If a user is constantly bombarded with requests to verify their identity before being granted access, the user will stop using the system, effectively counteracting the purpose of zero-trust. There has to be a fine balance between security and usability for a zero-trust architecture with ICAM systems to be effective.

The Big Three

Within the US government, there are three main repositories of biometric and identity data: DHS's IDENT program, the FBI's Next Generation Identification (NGI) system, and DoD's Automated Biometric Identification System (ABIS). Each of these systems had representation at the summit to discuss the state of their enterprise as well as where they are trying to go next.

One of the biggest takeaways across all three of the main repositories was that interoperability is key. Because all three rely on each other and share information constantly, it is prudent that they continue working together so the systems operate well with each other. Although technical difficulties with the DoD session made that talk difficult to hear, the other two main enterprises had plenty to discuss.

DHS's OBIM is the champion of biometrics for the entire department and handles verifying the identities of all people entering the US. OBIM runs and maintains the department's biometric repository, IDENT. The IDENT system can process hundreds of thousands of transactions a day, with customers from all over the federal government requesting identity matches.

From maritime operations with the U.S. Coast Guard to illegal border crossings with U.S. Customs and Border Protection (CBP), IDENT supports the mission of determining the identity of individuals in question. Typically this is done using fingerprints for identification; however, the department is pushing to start collecting all three main modalities (finger, face, and iris) at every interaction. Collecting all three modalities mitigates the risk of a mismatch. Say, for instance, a bad set of fingerprints is collected. Having collected the other modalities, the department still has other biometrics with which to determine the person's identity.

Looking ahead, DHS is preparing for the implementation of the Homeland Advanced Recognition Technology (HART) system, IDENT's replacement. HART will not only speed up transactions, it will also reduce the need for human fingerprint examiners thanks to a more accurate matcher. HART is targeting Initial Operating Capability (IOC) sometime this year.


DHS By the Numbers

  • 350k: Number of transactions IDENT can process in one day

  • 275m: Number of identities currently within the IDENT system

  • 98.9%: Current match rate for fingerprints within IDENT, meaning 1.1% of matches need verification by a human

  • 99.5%: The match rate requirement for HART when it comes online, reducing the requirement of human examiners


The FBI's NGI system is the main repository of biometric information for all criminal and background checks within the U.S. Local Police Departments (PDs) throughout the country use the system to identify individuals for investigative leads. When developing NGI, the FBI interviewed hundreds of local PDs to determine their needs, since they would be the main users of the system.

Although NGI is primarily a fingerprint system, the FBI has pushed to incorporate additional biometrics, including face, iris, and palm prints. For example, the FBI committed to a 7-year pilot on the use of iris to build a repository, focused mainly on corrections. This information was successfully used to minimize false releases and to track prisoners through the court system.

By transitioning from the Integrated Automated Fingerprint Identification System (IAFIS) to the Advanced Fingerprint Identification Technology (AFIT) subsystem of NGI, the need for manual review of fingerprint matches has dropped significantly, reducing the demand for a very repetitive and demanding job.

Finally, the two main NGI face recognition capabilities were discussed: the face matching service and the Facial Analysis, Comparison, and Evaluation (FACE) system. The NGI face recognition service is used mainly for external investigations, predominantly by local PDs, while the FACE system is used by the FBI for internal investigations and is not open to external stakeholders.

Because these services are used for investigations, numerous policies within the department state that they may only be used for investigative purposes and cannot be used as justification for arrest warrants. It is this type of education and understanding that needs to be conveyed to legislative bodies as well as to the public.


FBI By the Numbers

  • 50m: The number of palm prints that are currently in the NGI system

  • 50%: The percentage of fingerprint matches that needed to be manually verified by fingerprint examiners under the IAFIS system

  • 500: The number of examiners working 24 hours per day required under IAFIS

  • 5%: The current percentage of fingerprint matches that need to be manually verified by fingerprint examiners after AFIT was put in place

  • 100: The number of examiners now needed for manual review after AFIT was put in place


Conclusion

These are only a handful of the interesting topics discussed throughout the two-day summit. As the industry continues to grow, many of these challenges will come to a head, and other, as yet unknown, challenges will rear their heads. It is therefore important for industry and government to get together regularly and brainstorm solutions to these issues. Summits like this play a key role in facilitating open dialogue and advancing a more collaborative effort moving forward.

Cameron Whitelam

Cameron Whitelam is a biometrics Subject Matter Expert (SME) at Dignari and provides innovative and transformative identity management services for multiple clients.
