A 2019 report from the Department of Defense’s Office of the Inspector General outlined 266 cybersecurity vulnerabilities at the agency, including many related to identity management. Put simply, the report offers an in-depth illustration of something we already knew: that DoD has its hands more than full attempting to thwart security risks.
In the face of a rapidly evolving threat landscape, CISOs and other security professionals need to better understand the value of the tools at their disposal for reducing exposure to risk. The foundation of a strong cybersecurity posture is an understanding of what is taking place on the DoD’s own networks and systems. Identity management in particular can draw on additional capabilities such as face and voice recognition or fingerprints.
Fingerprinting, for instance, came to the United States in the early twentieth century. In 1902, a man in the New York Civil Service Commission fingerprinted aspiring civil servants when they submitted an application, took the test, and began work. The next year, in the same state, criminals began being fingerprinted upon release. Fast forward over a century and fingerprints have become the most common method to physically identify an individual, and are used everywhere from the DoD to Disney.
An ever-evolving threat landscape
CNBC recently reported on a DoD prototype called “Assured Identity” that layers “additional contextual and biometric factors” on traditionally used passwords and fingerprints. With this technology, soldiers in the field who have to hide their hands or face can access a smartphone securely. In years to come, expect the DoD to continue testing ways to layer traditional security with innovative biometrics solutions, especially since the potential for organized criminal groups, nation states, and others to disturb, game and bypass biometrics security is real.
Yet despite the overall perception that biometrics offer effective additional security, physical biometrics by themselves are not the panacea that many of us would like them to be. Fakes are a very real threat and recent incidents show the fallibility behind the technology. In 2016, experts from the University of North Carolina used publicly available photos and mobile VR technology to compromise facial recognition systems. More recently, accusations surfaced that the popular mobile application FaceApp was uploading users’ photos to the cloud, foreshadowing the potential vulnerabilities of facial biometrics.
Still, biometrics represent an important addition to the DoD’s toolbox. The smartphone prototype offers a microcosm of the layered security that, in years to come, will ideally become standard operating practice across the agency. Identity management that focuses on the individual and leverages behavioral biometrics must be the future of the Defense Department. In the smartphone example, details like a person’s gait, their usual wi-fi connections, and physical biometrics are all combined to create a “trust score” that unlocks the device. The prototype also allows for graduated levels of security based on clearance.
The next generation of identity management
Applying such an approach more broadly will mean tracking things like typing or swiping patterns, mouse movement, and scroll speeds—seemingly minor data points that, compiled together, can be used to build an accurate picture of the way individuals interact with systems and apps via the various devices they use. Put simply, it takes the question of who is on your network to the next level.
What’s next? Behavioral biometrics. By monitoring a user’s “normal” device, system, app and data usage, we can derive behavioral patterns that establish a baseline against which future actions can be measured. How and when employees access apps, interact with data, browse particular websites, the company resources they access on a daily basis, and their internal instant messenger engagement all represent unique characteristics. The information collected should be handled under privacy-by-design principles and encrypted as required, which also mitigates the risk of identity theft.
By building a baseline of normal behavior and continually monitoring and evaluating that behavior, federal agencies can quickly flag anomalies and restrict access by bad actors. Behavioral biometrics thus enable both continuous authentication and continuous authorization, protecting users and data even if simple authentication elements like passwords are compromised. Because behavioral biometrics are monitored at the individual level, they offer a more targeted and efficient way to enforce security policies. This lets CISOs maintain less complex policies and deliver a positive IT experience to their users.
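The baseline-and-deviation logic described in the last three paragraphs, combined with the composite “trust score” and clearance-graduated access from the smartphone prototype, as an added illustration that is not code from Forcepoint or the DoD prototype; the feature set, sample telemetry, weights and thresholds are all assumptions:

```python
from statistics import mean, pstdev

# Constructed sample telemetry (hypothetical, not real DoD data): one user's "normal" sessions.
# key_ms = mean inter-keystroke interval, mouse_px_s = mean pointer speed, scroll_px_s = scroll speed.
BASELINE_SESSIONS = [
    {"key_ms": 180, "mouse_px_s": 410, "scroll_px_s": 880},
    {"key_ms": 172, "mouse_px_s": 430, "scroll_px_s": 910},
    {"key_ms": 188, "mouse_px_s": 400, "scroll_px_s": 900},
    {"key_ms": 176, "mouse_px_s": 425, "scroll_px_s": 870},
    {"key_ms": 184, "mouse_px_s": 415, "scroll_px_s": 940},
]
MIN_STD = 1.0  # floor so a near-constant feature cannot produce runaway z-scores
# Assumed trust score a user must hold to touch data at each clearance level.
REQUIRED_TRUST = {"unclassified": 40, "secret": 70, "top_secret": 90}

def build_baseline(sessions):
    """Per-feature (mean, std) learned only from the user's own sessions."""
    return {
        f: (mean(s[f] for s in sessions), max(pstdev(s[f] for s in sessions), MIN_STD))
        for f in sessions[0]
    }

def behavior_deviation(baseline, live_sample):
    """Mean absolute z-score of a live session against the baseline (0 = perfectly typical)."""
    return mean(abs(live_sample[f] - mu) / sd for f, (mu, sd) in baseline.items())

def trust_score(deviation, on_known_wifi, physical_biometric_ok):
    """Combine behavioral, contextual and physical factors into a 0-100 trust score.
    Weights are assumptions for illustration: behavior 50, context 20, physical biometric 30."""
    behavior = 50 * max(0.0, 1 - deviation / 3)  # three sigma away earns no behavioral credit
    context = 20 if on_known_wifi else 0
    physical = 30 if physical_biometric_ok else 0
    return round(behavior + context + physical)

def access_decision(score, clearance):
    """Graduated access: fall back to a step-up factor before outright denial."""
    required = REQUIRED_TRUST[clearance]
    if score >= required:
        return "allow"
    if score >= required - 20:
        return "step_up_auth"
    return "deny"

if __name__ == "__main__":
    base = build_baseline(BASELINE_SESSIONS)
    for label, sample in (("typical", {"key_ms": 182, "mouse_px_s": 420, "scroll_px_s": 890}),
                          ("atypical", {"key_ms": 95, "mouse_px_s": 700, "scroll_px_s": 1500})):
        score = trust_score(behavior_deviation(base, sample), True, True)
        print(label, score, access_decision(score, "secret"))
```

A session that matches the baseline keeps full access, while a session whose typing and pointer behavior drifts far from it loses behavioral credit and is pushed to step-up authentication or denied, even though the wi-fi and fingerprint factors still pass.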
The OIG’s report highlighted just how challenging cybersecurity is at the DoD. That is why every avenue for security must be pursued while still enabling users, from offices to military bases. Two key ingredients for more effective and frictionless security, now and in the future, are layering security tactics, extending traditional monitoring with fingerprints and facial recognition, and building a granular understanding of how users behave as they interact with DoD systems.
Nico Fischbach is the global chief technology officer for Forcepoint.