The Pentagon has finally inked a deal to pilot behavioral biometric technology to identify those using its computer network, more than a year after then-CIO Terry Halvorsen first pledged to get rid of the ubiquitous Common Access Card.
Vancouver, Canada-based Plurilock announced the deal last week. The company’s BioTrack technology develops a unique profile of users based on the way they interact with computer keyboards, mice and touchscreens.
“After just 20 minutes’ tracking a user’s keystroke style and speed, mouse use, and other behaviors, Plurilock’s software builds a biometric profile unique to that user,” states the company in the release. Behavioral biometrics are thought to provide additional security because they cannot be easily spoofed and they work continuously during the user session, rather than simply identifying the user at the start.
“Today’s systems cannot verify user identity with certainty. Hackers steal passwords and tokens, create fake fingerprint impressions, and even re-route phone authentication codes, fooling computing devices and accounts into providing them with access,” added Plurilock CEO, Ian Paterson. “Plurilock’s advanced system for determining ongoing proof of presence provides a cybersecurity solution that instantaneously recognizes breaches, helps with corporate forensic investigations, and ensures regulatory compliance.”
Because behavioral biometrics can take anywhere from less than a minute to several minutes to complete authentication, they are often used as a secondary measure, employed in the background after the user has logged on by more conventional means. If the program determines the user’s behavior doesn’t fit, then additional security measures, up to and including session termination, can be activated.
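To make the mechanism described above concrete, here is a simplified keystroke-dynamics model written as an added example for this article; it is not Plurilock's BioTrack code and does not represent any vendor's algorithm. It enrolls a user from dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next), then scores later typing windows against that profile and maps the score to the escalation ladder the article describes: allow, require an additional check, or terminate the session. The thresholds, the feature set and the sample key events are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Minimum keystrokes before a verdict is attempted; shorter windows are ignored
# because per-window averages are too noisy (assumed value for the example).
MIN_EVENTS = 5


@dataclass
class KeyEvent:
    key: str
    press_ms: float
    release_ms: float


def extract_features(events):
    """Return (dwell_times, flight_times) in milliseconds.

    dwell  = release - press of the same key
    flight = press of the next key - release of the current key
    """
    dwell = [e.release_ms - e.press_ms for e in events]
    flight = [b.press_ms - a.release_ms for a, b in zip(events, events[1:])]
    return dwell, flight


def build_profile(events):
    """Enrollment: per-feature mean and standard deviation for the known user.

    A floor of 1 ms on the standard deviation avoids division by zero for
    unnaturally regular (e.g. scripted) enrollment data.
    """
    dwell, flight = extract_features(events)
    return {
        "dwell": (mean(dwell), max(pstdev(dwell), 1.0)),
        "flight": (mean(flight), max(pstdev(flight), 1.0)),
    }


def anomaly_score(profile, events):
    """Continuous check: how far (in standard deviations) the window's average
    dwell/flight times sit from the enrolled profile. Returns None when the
    window is too short to judge; otherwise the worst feature's z-score."""
    if len(events) < MIN_EVENTS:
        return None
    dwell, flight = extract_features(events)
    scores = []
    for name, samples in (("dwell", dwell), ("flight", flight)):
        mu, sigma = profile[name]
        scores.append(abs(mean(samples) - mu) / sigma)
    return max(scores)


def decide(score, step_up_at=2.0, terminate_at=4.0):
    """Map a score onto the escalation ladder. Thresholds are assumptions;
    a deployment would tune them against measured false-accept/false-reject rates."""
    if score is None:
        return "insufficient_data"
    if score >= terminate_at:
        return "terminate"
    if score >= step_up_at:
        return "step_up"
    return "allow"


def synth_events(text, dwell_ms, flight_ms, jitter_ms):
    """Constructed, deterministic key events: dwell and flight alternate
    +/- jitter around the given centre values, so results are reproducible."""
    events, t = [], 0.0
    for i, ch in enumerate(text):
        j = jitter_ms if i % 2 == 0 else -jitter_ms
        press, release = t, t + dwell_ms + j
        events.append(KeyEvent(ch, press, release))
        t = release + flight_ms - j
    return events


def run_demo():
    """Enroll one user, then score three later typing windows."""
    profile = build_profile(synth_events("the quick brown fox jumps", 95, 140, 10))
    windows = {
        # same typist, same rhythm
        "legitimate": synth_events("lazy dog", 95, 140, 10),
        # same dwell, noticeably slower between keys: ambiguous, ask for more proof
        "hesitant": synth_events("lazy dog", 95, 170, 10),
        # different dwell and flight pattern altogether
        "impostor": synth_events("lazy dog", 60, 260, 10),
    }
    return {name: decide(anomaly_score(profile, ev)) for name, ev in windows.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:>10}: {verdict}")
```

Two features and a z-score are enough to show the shape of the approach, but note the caveat the article hints at: a verdict needs a minimum window of keystrokes, so the check runs in the background after a conventional logon rather than replacing it.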
Paterson told CyberScoop the company got the deal by responding to a solicitation on the website of the Defense Innovation Unit – Experimental, or DIU-X. He declined to say how much it’s making from the contract — issued under the agency’s Other Transaction Authority for small awards that don’t have to go through the DoD’s vendor contracting system.
The DIU-X Multifactor Authentication for Network Access (MANA) program “integrates several multifactor authentication technologies to build an integrated system,” states the agency’s quarterly report. “DoD’s complex data access environment and evolving threat landscape requires device-agnostic agility, with strong identification and authentication, even when devices or credentials are lost.”
Other technologies being piloted in the program include the increasingly ubiquitous Yubikey — a USB keystick containing an encrypted chip. Ronnie Manning, the PR director for Yubikey maker Yubico, told CyberScoop it was working with the Army’s Communications Electronics Research, Development and Engineering Center to integrate its multi-protocol authentication devices in DoD’s public key infrastructure.
Last year, then-Pentagon CIO Terry Halvorsen told the 2016 Federal Forum, presented by Brocade and produced by FedScoop, that he had a two-year plan to “get rid” of the CAC card, at least for network access.
“We may still use them to get into a building, but we’re not going to use them for our information systems. We’re going to use true multifactor [authentication],” he said.
“There’s an overhead with CAC cards, and it’s not just a cost overhead. It’s a time overhead, and in my business it’s a location overhead,” he said. “It is really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your system. It just doesn’t work.”
Halvorsen said the need to integrate with other English-speaking “Five Eyes” nations — Australia, Britain, Canada and New Zealand — and NATO allies was another driver behind the decision to abandon CAC cards.
“We’re very close to … an agreed-upon identity standard and methodology” that would allow common network access among allies.
“That’s an unbelievably powerful win for us in terms of combat and information multiplier,” he said, adding that currently, one of his “biggest problems” was ensuring network access for allied officers serving with the U.S. military.