[ISN] Outsourced passport work poses risk

From: InfoSec News (alerts@private)
Date: Tue Mar 25 2008 - 22:02:08 PST


http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20080326/NATION/840186493/1001

By Bill Gertz
The Washington Times
March 26, 2008

The United States has outsourced the manufacturing of its electronic 
passports to overseas companies including one in Thailand that was 
victimized by Chinese espionage raising concerns that cost savings are 
being put ahead of national security, an investigation by The Washington 
Times has found.

The Government Printing Office's decision to export the work has proved 
lucrative, allowing the agency to book more than $100 million in recent 
profits by charging the State Department more money for blank passports 
than it actually costs to make them, according to interviews with 
federal officials and documents obtained by The Times.

The profits have raised questions both inside the agency and in Congress 
because the law that created GPO as the federal government's official 
printer explicitly requires the agency to break even by charging only 
enough to recover its costs.

Lawmakers said they were alarmed by The Times' findings and plan to 
investigate why U.S. companies weren't used to produce the 
state-of-the-art passports, one of the crown jewels of American border 
security.

"I am not only troubled that there may be serious security concerns with 
the new passport production system, but also that GPO officials may have 
been profiting from producing them," said Rep. John D. Dingell, the 
Michigan Democrat who chairs the House Energy and Commerce Committee.

Officials at GPO, the Homeland Security Department and the State 
Department played down such concerns, saying they are confident that 
regular audits and other protections already in place will keep 
terrorists and foreign spies from stealing or copying the sensitive 
components to make fake passports.

"Aside from the fact that we have fully vetted and qualified vendors, we 
also note that the materials are moved via a secure transportation 
means, including armored vehicles," GPO spokesman Gary Somerset said.

But GPO Inspector General J. Anthony Ogden, the agency's internal 
watchdog, doesn't share that confidence. He warned in an internal Oct.
12 report that there are "significant deficiencies with the 
manufacturing of blank passports, security of components, and the 
internal controls for the process."

The inspector general's report said GPO claimed it could not improve its 
security because of "monetary constraints." But the inspector general 
recently told congressional investigators he was unaware that the agency 
had booked tens of millions of dollars in profits through passport sales 
that could have been used to improve security, congressional aides told 
The Times.


Decision to outsource

GPO is an agency little-known to most Americans, created by Congress 
almost two centuries ago as a virtual monopoly to print nearly all of 
the government's documents, from federal agency reports to the 
president's massive budget books that outline every penny of annual 
federal spending. Since 1926, it also has been charged with the job of 
printing the passports used by Americans to enter and leave the country.

When the government moved a few years ago to a new electronic passport 
designed to foil counterfeiting, GPO led the work of contracting with 
vendors to install the technology.

Each new e-passport contains a small computer chip inside the back cover 
that contains the passport number along with the photo and other 
personal data of the holder. The data is secured and is transmitted 
through a tiny wire antenna when it is scanned electronically at border 
entry points and compared to the actual traveler carrying it.

According to interviews and documents, GPO managers rejected limiting 
the contracts to U.S.-made computer chip makers and instead sought 
suppliers from several countries, including Israel, Germany and the 
Netherlands.

Mr. Somerset, the GPO spokesman, said foreign suppliers were picked 
because "no domestic company produced those parts" when the e-passport 
production began a few years ago.

After the computer chips are inserted into the back cover of the 
passports in Europe, the blank covers are shipped to a factory in 
Ayutthaya, Thailand, north of Bangkok, to be fitted with a wire Radio 
Frequency Identification, or RFID, antenna. The blank passports 
eventually are transported to Washington for final binding, according to 
the documents and interviews.

The stop in Thailand raises its own security concerns. The Southeast 
Asian country has battled social instability and terror threats. 
Anti-government groups backed by Islamists, including al Qaeda, have 
carried out attacks in southern Thailand and the Thai military took over 
in a coup in September 2006.

The Netherlands-based company that assembles the U.S. e-passport covers 
in Thailand, Smartrac Technology Ltd., warned in its latest annual 
report that, in a worst-case scenario, social unrest in Thailand could 
lead to a halt in production.

Smartrac divulged in an October 2007 court filing in The Hague that 
China had stolen its patented technology for e-passport chips, raising 
additional questions about the security of America's e-passports.


Transport concerns

A 2005 document obtained by The Times states that GPO was using unsecure 
FedEx courier services to send blank passports to State Department 
offices until security concerns were raised and forced GPO to use an 
armored car company. Even then, the agency proposed using a foreign 
armored car vendor before State Department diplomatic security officials 
objected.

Concerns that GPO has been lax in addressing security threats contrast 
with the very real danger that the new e-passports could be compromised 
and sold on the black market for use by terrorists or other foreign 
enemies, experts said.

"The most dangerous passports, and the ones we have to be most concerned 
about, are stolen blank passports," said Ronald K. Noble, secretary 
general of Interpol, the Lyon, France-based international police 
organization. "They are the most dangerous because they are the most 
difficult to detect."

Mr. Noble said no counterfeit e-passports have been found yet, but the 
potential is "a great weakness and an area that world governments are 
not paying enough attention to."

Lukas Grunwald, a computer security expert, said U.S. e-passports, like 
their European counterparts, are vulnerable to copying and that their 
shipment overseas during production increases the risks. "You need a 
blank passport and a chip and once you do that, you can do anything, you 
can make a fake passport, you can change the data," he said.

Separately, Rep. Robert A. Brady, chairman of the Joint Committee on 
Printing, has expressed "serious reservations" about GPO's plan to use 
contract security guards to protect GPO facilities. In a Dec. 12 letter, 
Mr. Brady, a Pennsylvania Democrat, stated that GPO's plan for 
conducting a security review of the printing office was ignored and he 
ordered GPO to undertake an outside review.


Questionable profits

GPO's accounting adds another layer of concern.

The State Department is now charging Americans $100 or more for new 
e-passports produced by the GPO, depending on how quickly they are 
needed. That's up from a cost of around just $60 in 1998.

Internal agency documents obtained by The Times show each blank passport 
costs GPO an average of just $7.97 to manufacture and that GPO then 
charges the State Department about $14.80 for each, a margin of more 
than 85 percent, the documents show.

The accounting allowed GPO to make gross profits of more than $90 
million from Oct. 1, 2006, through Sept. 30, 2007, on the production of 
e-passports. The four subsequent months produced an additional $54 
million in gross profits.

The agency set aside more than $40 million of those profits to help 
build a secure backup passport production facility in the South, still 
leaving a net profit of about $100 million in the last 16 months. GPO 
was initially authorized by Congress to make extra profits in order to 
fund a $41 million backup production facility at a rate of $1.84 per 
passport. The large surplus, however, went far beyond the targeted 
funding.

The large profits raised concerns within GPO because the law 
traditionally has mandated that the agency only charge enough to recoup 
its actual costs.

According to internal documents and interviews, GPO's financial officers 
and even its outside accounting firm began to inquire about the legality 
of the e-passport profits.

To cut off the debate, GPO's outgoing legal counsel signed a 
one-paragraph memo last fall declaring the agency was in compliance with 
the law prohibiting profits, but offering no legal authority to back up 
the conclusion. The large profits accelerated, according to the 
officials, after the opinion issued Oct. 12, 2007, by then-GPO General 
Counsel Gregory A. Brower. Mr. Brower, currently U.S. Attorney in 
Nevada, could not be reached and his spokeswoman had no immediate 
comment.

Fred Antoun, a lawyer who specializes in GPO funding issues, said the 
agency was set up by Congress to operate basically on a break-even 
financial basis.

"The whole concept of GPO is eat what you kill," Mr. Antoun said. "For 
the average taxpayer, for them to make large profits is kind of 
reprehensible."

Likewise, a 1990 report by Congress' General Accounting Office stated 
that "by law, GPO must charge actual costs to customers," meaning it 
can't mark up products for a profit.

Like the security concerns, GPO officials brush aside questions about 
the profits. Agency officials declined a request from The Times to 
provide an exact accounting of its e-passport costs and revenues, saying 
only it would not be accurate to claim it has earned the large profits 
indicated by the documents showing the difference between the 
manufacturing costs and the State Department fees.

Questioned about its own annual report showing a $90 million-plus profit 
on e-passports in fiscal year 2007 alone, the GPO spokesman Mr. Somerset 
would only say that he thinks the agency is in legal compliance and that 
"GPO is not overcharging the State Department."

Mr. Somerset said 66 different budget line items are used to price new 
passports and "we periodically review our pricing structure with the 
State Department."

Public Printer Robert Tapella, the GPO's top executive, faced similar 
questions during a House subcommittee hearing on March 6. Mr. Tapella 
told lawmakers that increased demand for passports especially from 
Americans who now need them to cross into Mexico and Canada produced 
"accelerated revenue recognition," and "not necessarily excess profits."

GPO plans to produce 28 million blank passports this year up from about 
9 million five years ago.

A State Department consular affairs spokesman, Steve Royster referred 
questions to GPO on e-passports costs.


Congress to weigh in

GPO's explanations have not satisfied lawmakers, who are poised to dig 
deeper.

Mr. Dingell, the House Commerce chairman, said The Times' findings are 
"extremely serious to both the integrity of the e-passport program and 
to U.S. national security" and he has asked an investigative 
subcommittee chaired by Rep. Bart Stupak, Michigan Democrat, to begin an 
investigation.

"Our initial inquiry suggests that more needs to be done to understand 
whether the supply chain is secure and fully capable of protecting the 
manufacturing of this critical document," Mr. Dingell told The Times.

Mr. Stupak said that considering the personal information contained on 
e-passports, "it is essential that the entire production chain be secure 
and free from potential tampering." He added: "The GPO needs to make 
every effort to ensure that future passport components are made in 
America under the tightest security possible."

Michelle Van Cleave, a former National Counterintelligence Executive, 
said outsourcing passport work and components creates new security 
vulnerabilities, not just for passports.

"Protecting the acquisition stream is a serious concern in many 
sensitive areas of government activity, but the process for assessing 
the risk to national security is at best loose and in some cases missing 
altogether," she told The Times.

"A U.S. passport has the full faith and credit of the U.S. government 
behind the citizenship and identity of the bearer," she said.

"What foreign intelligence service or international terrorist group 
wouldn't like to be able to masquerade as U.S. citizens? It would be a 
profound liability for U.S. intelligence and law enforcement if we lost 
confidence in the integrity of our passports."

All site contents copyright 2007 The Washington Times, LLC.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Tue Mar 25 2008 - 22:06:16 PST