William Jackson | Unease persists on Real ID
Connecting state and local government leaders
Cybereye'commentary: Final rules for Real ID cards don't put privacy, security concerns to rest
The Homeland Security Department included some strong statements about its commitment to privacy and security in the final rules issued recently for implementing national standards for state drivers' licenses and ID cards.
In the name of security, the Real ID Act will generate massive stores of data about citizens.
'DHS recognizes that protecting the privacy of Real ID cardholders is a prerequisite to obtaining the public's trust in the Real ID card,' the rules say. 'DHS has addressed those concerns in the final rule to the full extent of its authority by mandating protections for the personally identifiable information DMV's collect, store and use.'
Toward that end, 'DHS intends to issue a set of privacy and security best practices.' These will be based in part on the Federal Information Security Management Act, which defines security standards for most federal IT systems.
But these declarations have not allayed all doubts about the program. In a Jan. 11 letter to DHS Secretary Michael Chertoff, House Homeland Security Committee Chairman Rep. Bennie G. Thompson (D-Miss.) said that the 'final' rules still require a great deal of work; that funding for the program, including implementing security requirements, is inadequate; and that state compliance with Real ID should be contingent upon DHS being able to adequately secure and administer the systems on which the states will rely. Issuing security guidelines at some future date does not cut it, Thompson said.
'After the myriad problems the department has faced in assuring privacy protections in other programs, the failure to once again build these practices into the final rule itself indicates a disturbing pattern,' he wrote.
There are some promising elements in the rule. DHS will not own or control the databases being created, nor the backbone that the states will use to access them. Although it does not require it, it suggests that the backbone could be the existing American Association of Motor Vehicles Administrators' AAMVAnet network.
The DHS calls the network highly secure and points out that, 'the AAMVAnet backbone resides on a private network with no connectivity to the Internet.'
All well and good. But this does not necessarily ensure security, said Chris Dixon, manager of state and local industry analysis for INPUT, and a former official with the National Association of State CIOs.
'The problem is, the backbone system will be touching all the state systems,' which are connected to the Internet, Dixon said.
And states also will be using the backbone to communicate with the Social Security Administration, the State Department, the National Association of Public Health Statistics and Information Systems as well as DHS systems for identity verification.
'A number of the federal databases that the states must use to authenticate source documents are incomplete, unreliable and in dire need of significant enhancements' Rep. Thompson complained in his letter to Chertoff. 'By failing to address the known inadequacies of these databases, the department has ensured operational chaos. Moreover, failing to rectify these deficiencies will compromise the program's mission from its onset.'
And no amount of rulemaking alone can ensure the security of IT system at the state level, Dixon said.
'The key downfall, regardless of what is embedded in legislation, is providing the resources to enforce the security standards,' he said. States do not have the budget, the staffing, the auditing processes or the technology to adequately secure their existing IT systems, let alone the new databases. A survey several years ago by NASCIO showed that the best-provided state in the nation only had half of the money and resources it needed for IT security. 'And that security officer was worried that the state thought he had too much.'
Things have not improved much since then. Although Chertoff boasts that the cost to the states of implementing Real ID has been reduced by 73 percent, from $14.6 billion to $3.9 billion, primarily by extending the time required to get the cards into everyone's hands, these figures do not include the costs of ongoing security.
Thompson complained of 'a gulf between the anticipated costs of this program and the funding provided,' pointing out to Chertoff that 'the administration did not request any funds to implement Real ID' in fiscal 2008.
'The American public's desire for greater identity protection is undeniable,' Chertoff said in announcing the release of the final rules. But it is highly questionable whether Real ID will satisfy this desire or whether it will open up vast new vulnerabilities for hundreds of millions of U.S. citizens and residents.
In the name of security, the Real ID Act will generate massive stores of data about citizens.
'DHS recognizes that protecting the privacy of Real ID cardholders is a prerequisite to obtaining the public's trust in the Real ID card,' the rules say. 'DHS has addressed those concerns in the final rule to the full extent of its authority by mandating protections for the personally identifiable information DMV's collect, store and use.'
Toward that end, 'DHS intends to issue a set of privacy and security best practices.' These will be based in part on the Federal Information Security Management Act, which defines security standards for most federal IT systems.
But these declarations have not allayed all doubts about the program. In a Jan. 11 letter to DHS Secretary Michael Chertoff, House Homeland Security Committee Chairman Rep. Bennie G. Thompson (D-Miss.) said that the 'final' rules still require a great deal of work; that funding for the program, including implementing security requirements, is inadequate; and that state compliance with Real ID should be contingent upon DHS being able to adequately secure and administer the systems on which the states will rely. Issuing security guidelines at some future date does not cut it, Thompson said.
'After the myriad problems the department has faced in assuring privacy protections in other programs, the failure to once again build these practices into the final rule itself indicates a disturbing pattern,' he wrote.
There are some promising elements in the rule. DHS will not own or control the databases being created, nor the backbone that the states will use to access them. Although it does not require it, it suggests that the backbone could be the existing American Association of Motor Vehicles Administrators' AAMVAnet network.
The DHS calls the network highly secure and points out that, 'the AAMVAnet backbone resides on a private network with no connectivity to the Internet.'
All well and good. But this does not necessarily ensure security, said Chris Dixon, manager of state and local industry analysis for INPUT, and a former official with the National Association of State CIOs.
'The problem is, the backbone system will be touching all the state systems,' which are connected to the Internet, Dixon said.
And states also will be using the backbone to communicate with the Social Security Administration, the State Department, the National Association of Public Health Statistics and Information Systems as well as DHS systems for identity verification.
'A number of the federal databases that the states must use to authenticate source documents are incomplete, unreliable and in dire need of significant enhancements' Rep. Thompson complained in his letter to Chertoff. 'By failing to address the known inadequacies of these databases, the department has ensured operational chaos. Moreover, failing to rectify these deficiencies will compromise the program's mission from its onset.'
And no amount of rulemaking alone can ensure the security of IT system at the state level, Dixon said.
'The key downfall, regardless of what is embedded in legislation, is providing the resources to enforce the security standards,' he said. States do not have the budget, the staffing, the auditing processes or the technology to adequately secure their existing IT systems, let alone the new databases. A survey several years ago by NASCIO showed that the best-provided state in the nation only had half of the money and resources it needed for IT security. 'And that security officer was worried that the state thought he had too much.'
Things have not improved much since then. Although Chertoff boasts that the cost to the states of implementing Real ID has been reduced by 73 percent, from $14.6 billion to $3.9 billion, primarily by extending the time required to get the cards into everyone's hands, these figures do not include the costs of ongoing security.
Thompson complained of 'a gulf between the anticipated costs of this program and the funding provided,' pointing out to Chertoff that 'the administration did not request any funds to implement Real ID' in fiscal 2008.
'The American public's desire for greater identity protection is undeniable,' Chertoff said in announcing the release of the final rules. But it is highly questionable whether Real ID will satisfy this desire or whether it will open up vast new vulnerabilities for hundreds of millions of U.S. citizens and residents.
NEXT STORY: NIST to release SCAP FDCC scanner list