TAMPA, Fla.—The Defense Department official that oversees biometric efforts across the DoD enterprise, including the science and technology portfolio, says at a conference here that his focus has shifted from support of immediate warfighting needs to future threats and ways to counter those threats.
“The idea is to look out five years or so, anticipate what sort of technology threats will exist, use prototyping to figure out what sort of technology pieces can we put in place to counter the threat areas, so as threats mature we already have something in place to counter that threats,” Jon Lazar, deputy director of Defense Biometrics within Office of the Secretary of Defense for Research and Engineering, says during a panel at the Global Identity Summit presented by AFCEA.
Lazar says DoD needs help from industry and other stakeholders in several areas to make biometric systems “more robust” and better for use in all business and mission areas.
First, he says, is the need for “revocable biometrics,” just like a credit card can be revoked.
The DoD’s Information systems are “relatively secure” despite breaches, Lazar says, adding that “The risk with non-biometric information being compromised is a little lower and can often be mitigated more easily.” However, he says, “If biometric information is compromised, it undermines this entire idea of having a biometric enterprise in different business areas because just like a credit card can be revoked a fingerprint cannot be revoked.”
Lazar says he doesn’t know what the solution is here but warned that sooner or later biometric systems will be compromised so there is a need to figure out at the get-go how to “encode them, encrypt them, public-private key them” or whatever so that they are more robust.
“Otherwise, we’re just back to using PINs and passwords,” which no one wants, Lazar says.
The second area is the need for increased automation, particularly as biometric capabilities are layered into all business areas and there is a need to avoid the associated increases in manpower costs that come with use of the technology, Lazar says.
“It’s unsustainable” to increase the manpower that comes with more use of biometrics, he says.
Currently, DoD and some others are have automated processes when it comes to using algorithms to match queries to biometric databases but this is only one part of a process that begins with enrollment. How enrollments can be done without a supervisor is one area of the process that needs to be looked at for automation, Lazar says.
Another, and “bigger,” problem is how to automate the use of contextual data that is associated with a biometric match, Lazar says. He says he doesn’t know the extent to which the use of biometrics will increase but “we can’t afford” to hire “twice the number” of analysts, fingerprint examiners, and other experts that are currently required to support and exploit the technology.
“This is a problem that is going to require some clever work and thought” and there is a need for everyone’s help, Lazar says.
The last area Lazar requested help with is enterprise level detection of sophisticated spoofing.
“The premise is we’re going to be using biometrics a lot more in the future across a lot of different areas,” Lazar says. “I think that raises the likelihood that folks will want to penetrate the system, will want to spoof the systems for financial gain, for access logically or physically, whatever the case may be.”
Spoofing might occur through social engineering at biometric stations, use of disguises, “intentional occlusion,” Lazar says. “There’s all sort of ways to get past biometric checkpoints.”
Lazar adds that his “sense is that handheld devices won’t be sophisticated and powerful enough to do that detection” and instead counter-spoofing will have to be done at the database level.
The market for these capabilities that Lazar wants help from industry, academia and others goes beyond DoD and the federal government to include any business sector where biometrics are used, he says.