Richard Clarke, former presidential advisor on terrorism to Reagan, Clinton and both Bushes, opened the Smart Card Alliance annual fall conference on Monday and gave three directives to the crowd of mostly smart card technology vendors and integrators: “unite, lobby and educate.” Discussing topics ranging from homeland security to identity theft to the role of biometrics in identity security, Clarke’s overriding message to the smart card industry was that it has a very important role to play in helping to make the U.S. more secure, while also being mindful of the public’s concerns over privacy.
“Security and privacy are two sides of the same coin,” he told the members of the Smart Card Alliance, a nonprofit organization working to accelerate the acceptance of smart card technology. He also said that despite the absence of attacks on U.S. soil since Sept. 11, 2001, the threat to our national security is “at least as large as it was three years ago,” and that at the same time, the American public is voicing growing concerns over the loss of privacy through heightened security efforts.
Secure identity cards have embedded microchips that often include an antenna, allowing dual capacity for use with contact or contactless (RFID) readers. Where enabled for contactless uses, most smart cards are compliant with the ISO 14443 standard and operate at 13.56 MHz.
Clarke said that an opt-in system that depends on voluntary participation, like those used for electronic tollway payments, could aid in the wider adoption of smart cards. He also suggested that the smart card industry look at ways to federate and strengthen private and public partnerships. By bringing together organizations that issue or might someday issue smart cards for things like identification or payments, some operational resources could be shared and the number of individual cards to be issued could be kept to a minimum, he said.
He said that we can get to a point where smart cards are used widely for identity security and that this can happen while “preserving the great American values of privacy and civil liberties.” One way to achieve this, he suggested, is for the security industry to work with the American Civil Liberties Union.
While not suggesting measures as extensive as Clarke’s, other speakers throughout the conference echoed the importance of promulgating information on smart cards. This can be done by encouraging integrators of smart card technology implementations to share case studies with other potential implementers and by encouraging coverage of the technology in the national media toward a greater understanding of smart card technology among end users of the cards.
Clarke’s book Against All Enemies, published in March, was critical of the current Bush administration’s response to terrorism after Sept. 11. During his address on Monday he faulted the Bush administration for failing to adequately implement its national strategy to secure cyberspace. But Clarke did suggest that the Homeland Security Presidential Directive 12 (HSPD-12), signed in August, is a move in the right direction. The directive mandates that all federal employees be issued an identification credential that is fraud-resistant and can be electronically authenticated. Though the directive does not specify the use of smart cards, the technology is clearly appropriate for use in meeting the mandate. Clarke said HSPD-12 could spread the use and acceptance of smart cards for secure identification. “If it works for the federal government,” he said, “it might work elsewhere.”
Regarding the privacy concerns that surround the use of RFID technology in the retail environment, Clarke said that now is the time for retailers to work together to adopt a uniform data privacy policy. Otherwise, he said, there will be legislation regulating them to do so.
During a “state of the industry” executives’ panel, Bill Gravell, director of identity management for Northrop Grumman Information Technology, said that at Northrop Grumman and other large corporations where smart cards are issued for secure identity and access to facilities, it was important to educate personnel on how the technology works and what types of data it tracks. He noted that the use of secure ID cards in the corporate environment is a social change as much as a business initiative and technological issue, and suggested working through human resources to facilitate this education.