Oh no! CIO scissors access cards!

I dislike wires. Especially the hideous tangle of wires associated with a normal PC setup. Two monitors equals four wires. Mouse and keyboard cables. Printers, often more than one. Speakers. Camera, maybe a microphone. USB hub. They all add up to a hard-to-manage tangle.

Granted, wires do their job. They move signals from point A to point B. But they break, look bad, take up space and collect dust bunnies. For people like me, Wi-Fi, Bluetooth and even the proprietary wireless comm setups from vendors like Logitec are like godsends for eliminating wires.

Terry Halvorsen, the Defense Department CIO, has had it with Common Access Cards. Never mind that millions and millions of them now reside in the wallets of DoD employees and uniformed personnel worldwide. Halvorsen, a craggy-faced former paratrooper, wants to get rid of them.

CACs work. They get you on the network. They open gates and doors at installations. There’s a big infrastructure supporting the creation and distribution of the card. But I agree with Halvorsen.  It is time for them to go.

Look at it this way. The first 10 million cars had crank starters. They forced Tin Lizzie’s engine to life. But does that mean we should’ve lived with them forever, putting up with the occasional broken thumb or wrist? People used to flip airplane propellers to get the engine going. I knew a guy who knew a guy who fell into a running prop. Not good. “Trussed up like a turkey” was the expression I remember hearing.

Federal networks regularly get trussed up like turkeys. The CAC is a step ahead of the standard username/password combo that got the Office of Personnel Management and many big companies into serious trouble over the past few years. Nevertheless, Halvorsen says, the CAC’s inherent clumsiness doesn’t give the agility he, and presumably his superiors, say they need.

The access card and the mobile device combo has always been a shotgun wedding. Picture a clunky “sled” glued onto a Blackberry. CACs can impede authentication in battle or other hostile situations. Halvorsen says they’re also incompatible with systems used by NATO allies.

In my view, two other trends besides their form factor render the CAC obsolete. They don’t incorporate the latest thinking in multi-factor authentication. And they don’t easily incorporate the idea of using an employee’s expected network behavior as an authenticating factor. Example. You work 9am-5pm and regularly log onto networks A, B, and C. Under behavior-based authentication, you’d be flagged if you log in at 3 a.m. and try to access networks D, E and F. (This is also the emerging way of detecting malware. That is, not by its signature or profile, but rather by what it does.)

Halvorsen says he wants to add behavior-based authentication. He didn’t elaborate, but did say publicly that DoD is close to establishing an identity standard and methodology that would be shared among allies. He says that even without the access cards, the public-key infrastructure they use will remain. He wants to add multi-factor authentication, of which you can find many types.

It’s an opportunity to also eliminate passwords, a holy grail of cybersecurity. Then you can use your old CAC as a bookmark.