Biometric Technology Holds the Key to System-Wide IT Security
Over the past twenty-five years, microelectronics, telecommunications and computer engineering joined forces to precipitate the information technology revolution, in which intellectual chores were increasingly alleviated by machines. At the core of this revolution were advances in materials science, which led to more powerful and cheaper semiconductors. Cheap semiconductors in turn allowed rapid advances in the production of computers, computer software, and telecommunications equipment, which in turn led to steep price declines in each of these industries.
Individuals, businesses, and governments took advantage of these dramatic price reductions and major performance improvements and purchased incessantly, creating a proliferation of information technology that has changed the way businesses and governments operate. In so doing, society transferred the control of critical processes to networked computers, computer software and telecommunications systems. It did so without a clear plan or concern for securing these individual IT-based systems! It did so without a sense that someone might use these security flaws to gain access to the IT systems for the purpose of creating disruptions, effecting economic havoc and, yes, even causing death and destruction!
Today a vast array of networked physical and cyber assets virtually control and sustain the operation of a nation’s critical infrastructure in all key sectors: agriculture and food, water, public health, emergency services, defense industrial base, telecommunications, energy, transportation, banking and finance, chemical industry and hazardous materials, and postal and shipping. Hundreds of thousands of computers, servers, routers, switches and cable have become the nervous system of the critical infrastructure that is vital to the economy and security of a nation.
The terrorist attacks around the world have forced all nations to reexamine their national security focus and place a priority on protecting the homeland. They have also forced consideration of a wide array of unconventional threats, especially cyber attack against the networked information technology systems combining to form a nation’s critical infrastructure.
Society has long recognized that each of these networked physical and cyber assets represents an attractive and viable target for those wishing to illegally acquire information or gain competitive business advantage, and hence should be protected. It is only now coming to grips with the reality that these networked systems are largely unprotected and represent a means whereby terrorists could inflict great harm on a nation, its citizens and businesses. For example, consider the consequences if terrorists gained access to IT systems controlling a nuclear power plant, a chemical plant, a mass transit system or an airport. Equally, consider the consequences if they gained access to weapons designs held by a military contractor or to systems controlling the operation of a major financial institution. The consequences would be significant, not only for the key underlying system but for the nation as a whole. Just as we need to establish a variety of defenses at physical access points (airports, seaports, power generation plants, military bases), so too must we establish defenses at the virtual points of access to the controlling IT systems!
It is clear that securing the networked critical infrastructure as well as the underlying IT systems against cyber attack must be a priority for government. Since many of the underlying IT systems are in the hands of the private sector, they too must consider this threat a priority and work collaboratively with government to realize an immediate and effective solution! The challenging question for the IT sector is: How do we secure this vast critical infrastructure on which a nation’s economy and security now rests?
The obvious way is to ensure that the only people granted access to any of the component systems are those authorized to do so, and that they have their identity confirmed before access is permitted. Traditional methods of confirming authorization and identity when approving physical and logical access, such as confirming a valid identification document (ID badge), a password or both, are no longer sufficient: both have been shown to be easily compromised, especially when confronted by a formidable, focused effort to secure these items for future illicit use.
The clear and convincing solution is to deploy biometric technology to strengthen and secure access. This will ensure that all persons granted access are checked to confirm that they are the same person who was previously enrolled and vetted through a controlled security check. It further mandates a "positive identity confirmation check" as a prerequisite to anyone gaining access to and using any component of a nation’s critical infrastructure, whether that is log-on access, subsequent access to a more sensitive system component, access to data records or execution of an application.
While use of biometrics is acknowledged as the solution for enabling positive trusted identification of a person seeking access, the unique needs posed by a cyber attack initiated by someone intending to do harm must be carefully considered when selecting which biometric(s) and how they are to be used.
Biometric technologies such as fingerprint and face recognition are beginning to be used more frequently for log-on access control of IT systems. However, protecting a vital component of a national infrastructure system calls for features beyond mere log-on access protection. For example:
- Post-log-on access to private and sensitive data and to sensitive applications such as process control software should be secured using biometric authentication;
- Remote access and use of a key underlying IT system should also be secured through biometric authentication; and
- An audit trail should be maintained identifying all persons permitted access, as well as when, from where and for how long. The audit trail must go beyond simple system access details and embrace access to and use of sensitive data records and applications.
Will such additional features be enough? Many experts say NO, unless serious consideration is given to applying a proactive biometric-based "watch list check" to enable immediate detection of any person, including a visitor seeking physical access, who might pose a potential threat to a key underlying system and hence the overall critical infrastructure. This requirement is reinforced by the need for certain underlying systems to be globally interoperable from a biometric identification perspective and to support continuous infrastructure-wide monitoring and detection for persons known to pose a threat.
Despite the availability of a solution in the form of biometrics, we have a long way to go to realize a comprehensive, infrastructure-wide solution that protects individuals, businesses and government. The first crucial step is to recognize that the proliferation of IT-based systems has left us vulnerable to a new form of threat: the cyber attack.
To meet the challenge, governments and the private sector must work collaboratively to deliver a solution that addresses not only the unique needs of the various underlying IT-based systems but equally the needs that derive from the systems' role as a vital component of the nation’s critical infrastructure. Failure of governments and the private sector to recognize the urgency of this need, to make the right choices when deploying biometrics and to work collaboratively to deliver an immediate and effective top-to-bottom security solution will have dire consequences.
