The Department of Health and Human Services and the Defense Information Systems Agency are thinking beyond passwords when it comes to network security, and taking a step in identity management that has long been contemplated in government, but not actually implemented.
HHS Chief Information Officer Jose Arrieta said the agencies have developed a pilot aimed at using as many as 240 unique behavioral characteristics, many of them biometrics, to verify the identities of network end-users.
Tracking the unique habits of mobile device users, he said, including the time and place of access, could become the next big trend in network security.
“When you wake up in the morning, you’re connected to a secure Wi-Fi. I’m going to do a facial scan, just like we all unlock our iPhones now. I’m going to do an iris scan, I have thumbprint-tagging capability. When I walk downstairs, I immediately connect to my Whirlpool dryer. I don’t know why our Whirlpool dryer has Wi-Fi connectivity … but it does. It’s an attribute related to you as a person,” Arrieta said Wednesday at NextGov’s emerging technology summit.
Other behavioral attributes include geographic data like temperature and humidity, as well as personal attributes like a person’s walking pace and heart rate.
“Unless you can mimic my iris, the way that I walk, the way that I talk, my facial scan, my thumbprint … you can’t get access to the network itself,” Arrieta said.
For the latter metrics, Arrieta said wearable devices could also come into play. The Army Futures Command is already testing out this concept, in recognition that the technology behind Common Access Cards isn’t suited for the battlefield.
The Army has tested wireless tokens that “can be inserted in a soldier’s pocket, attached to a sleeve or integrated into a wristband like a Fitbit,” and be used to wirelessly connect to a network, with a PIN or biometric measurement as a secondary login. Users would automatically get logged out from the network once they’re a certain distance away.
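The articles describes behavior-based identity only in outline. The following added example (not HHS, DISA or Army code; every weight, threshold and sample value is constructed for illustration) shows how such a policy could be structured: each contextual or biometric attribute is compared against an enrolled baseline, the matches are combined into a weighted score, a weak score forces a PIN or biometric step-up instead of an outright grant, and a wearable token that drifts beyond a set distance ends the session regardless of score.

```python
"""Illustrative continuous-authentication policy (constructed example).

Attributes are scored against an enrolled baseline; strong biometric
matches weigh more than contextual signals, so mimicking one or two
attributes is not enough to reach the grant threshold.
"""
from dataclasses import dataclass

# Policy thresholds and weights: constructed values, not from any agency.
GRANT_THRESHOLD = 0.85      # score at or above this: allow without step-up
STEP_UP_THRESHOLD = 0.60    # between this and GRANT: require PIN/biometric
MAX_TOKEN_DISTANCE_M = 5.0  # wearable token farther than this: log out

WEIGHTS = {"face": 3.0, "iris": 3.0, "pace": 1.0,
           "heart_rate": 1.0, "hour": 1.0, "network": 1.0}


@dataclass(frozen=True)
class Baseline:
    """Enrolled profile for one end-user (constructed sample values)."""
    walking_pace_spm: float      # steps per minute
    heart_rate_bpm: float
    usual_hours: range           # local hours when access is normal
    known_networks: frozenset    # network identifiers seen at enrolment
    pace_tolerance: float = 8.0
    heart_rate_tolerance: float = 15.0


@dataclass(frozen=True)
class Observation:
    """Signals captured at access time from the device and wearable."""
    walking_pace_spm: float
    heart_rate_bpm: float
    hour: int
    network: str
    face_match: bool
    iris_match: bool
    token_distance_m: float


def score(baseline: Baseline, obs: Observation) -> tuple[float, dict]:
    """Return (weighted score in [0, 1], per-attribute match map)."""
    matched = {
        "face": obs.face_match,
        "iris": obs.iris_match,
        "pace": abs(obs.walking_pace_spm - baseline.walking_pace_spm)
                <= baseline.pace_tolerance,
        "heart_rate": abs(obs.heart_rate_bpm - baseline.heart_rate_bpm)
                      <= baseline.heart_rate_tolerance,
        "hour": obs.hour in baseline.usual_hours,
        "network": obs.network in baseline.known_networks,
    }
    earned = sum(w for name, w in WEIGHTS.items() if matched[name])
    return earned / sum(WEIGHTS.values()), matched


def decide(baseline: Baseline, obs: Observation, pin_ok: bool = False) -> str:
    """Return one of 'logout', 'allow', 'step-up', 'deny'.

    The proximity check runs first: a session whose token has left the
    allowed range ends even if every behavioral attribute still matches.
    """
    if obs.token_distance_m > MAX_TOKEN_DISTANCE_M:
        return "logout"
    s, _ = score(baseline, obs)
    if s >= GRANT_THRESHOLD:
        return "allow"
    if s >= STEP_UP_THRESHOLD:
        return "allow" if pin_ok else "step-up"
    return "deny"


# Constructed enrolment profile used by the scenarios below.
SAMPLE_BASELINE = Baseline(
    walking_pace_spm=110.0, heart_rate_bpm=70.0,
    usual_hours=range(6, 20), known_networks=frozenset({"field-net-1"}),
)

if __name__ == "__main__":
    normal = Observation(112.0, 74.0, 9, "field-net-1", True, True, 1.0)
    print(decide(SAMPLE_BASELINE, normal))  # allow
```

The ordering matters: distance is evaluated before any scoring so that the auto-logout the article describes cannot be outweighed by otherwise-good attributes, and the two biometric factors together carry 60% of the weight, so a correct face match alone only reaches the step-up band.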
Arrieta said this concept could be useful for HHS’s first responders, who need to access multiple networks to receive information, each with different usernames and passwords to remember.
“If I could give them a wireless device that uses behavioral-based identity to provide that access, that would be empowering, that would streamline and allow them to focus in on their jobs,” Arrieta said.
Other IT leaders within HHS have also signaled their willingness to experiment with network access.
Oki Mek, the agency’s chief technology officer, hinted last week that HHS has looked at ways to wean its workforce off passwords.
“I don’t believe in passwords, to be honest with you. I think you should start looking at multi-factor [and] biometrics — anything that’s at least two-factor,” Mek said Aug. 8 at MeriTalk’s cybersecurity brainstorming event. “Passwords are too easily penetrated [and] at the end of the day, the biggest risk to your systems or your information is the users, not the hackers. If you’re not properly trained or not really safeguarding the passwords, that’s a big vulnerability.”
Mek added that the agency is moving toward a zero-trust model that approaches network security in terms of physical security, setting up multiple checkpoints for each level of data sensitivity.
“You come to the gate, you have to get checked. You come into the building, you have to get checked. And then, in some cases, you have a small room, like a SCIF or something, where you have to get checked as well. You dissect the building into rooms, into who has access to what,” Mek said.
Arrieta said two officials within DISA’s innovation office — Maj. Nikolaus Ziegler, the office’s military director, and innovation leader Sherri Sokol — had reached out following HHS’s successful rollout of HHS Accelerate.
HHS Accelerate garnered lots of attention last December when it became the first blockchain tool in government to receive an authority to operate. It now pulls live data from about 100,000 contracts worth nearly $25 billion in annual spending, and looks for opportunities where the agency can negotiate lower prices for commonly purchased items across its many components.
While some agency officials remain skeptical of blockchain, Arrieta said HHS continues to seek out agency partners to franchise the HHS Accelerate model out to other procurement shops.
But in the meantime, Arrieta said HHS would continue to run tests on HHS Accelerate through October and scale it up in January.
“We get this question a lot, and I just almost stopped answering it: ‘Why blockchain? I could’ve done that with a normal database.’ My answer for all the people that think that is, ‘Well, why haven’t you done it?’ The federal acquisition system has been around since 1949. A lot of people have tried, [but] why haven’t you done it? It’s as simple as that — until you do it, it can’t be done,” Arrieta said.