http://www.govexec.com/story_page.cfm?articleid=39630 By Jill R. Aitoro Govexec.com March 27, 2008 A recent media report that said the Government Printing Office put national security at risk by relying on foreign companies to process the latest U.S. biometric passports "mischaracterized and misstated the facts significantly," according to GPO's inspector general. On March 26, The Washington Times posted on its Web site an article that questioned whether GPO had placed " cost savings ... ahead of national security" because the agency outsourced some e-passport production processes to overseas companies. The article referred to an "internal Oct. 12 report" from the GPO inspector general's office, saying the report noted "significant deficiencies with the manufacturing of blank passports, security of components and the internal control for the process." "No internal or external October [2007] report exists," said GPO Inspector General J. Anthony Ogden. He said that the quote about "significant deficiencies" was from a March 31, 2005, GPO inspector general report that outlined concerns with legacy operations used to process passports. "All of those security concerns, which predate the electronic passports, were addressed at the time they were brought to the agency's attention [and] will be closed out with this reporting period," Ogden said. "The agency has continued to cooperate with our office and has asked for our assistance in oversight because we both take the passport operations seriously. The Washington Times article frankly has mischaracterized and misstated the facts significantly." In response to Ogden's claims, Bill Gertz, the Washington Times defense and national security reporter who wrote the article, said, "I stand by my reporting." Gertz added that the Oct. 12 internal report is available online. A search using the entire "significant deficiencies" quote pointed to the March 31, 2005, semiannual report to Congress that Ogden referred to. The search results also included the inspector general's "Semiannual Report to Congress," dated April 1, 2007, to Sept. 30, 2007, in which the quote appears under a heading referring to the 2005 report and restates the security shortcomings. In that section, the inspector general concluded, "GPO management provided documentation during this reporting period that closed two of the four open recommendations. Management is working on implementing corrective actions for the remaining two open recommendations." In response to the Times article, GPO released on March 26 a document about work processes it used to produce passports. According to the document, and reiterated by GPO spokesman Gary Somerset, the agency manufactures passports at its facilities in Washington. The agency will soon produce passports at a second secure facility it is constructing in Mississippi. Production of the electronic chip, which is embedded in the cover and contains the same information printed on the passport, was outsourced to two overseas companies, Amsterdam-based Gemalto and Infineon, based in Neubiberg, Germany. No American company meets the standards developed by the International Civil Aviation Organization and required by the State Department for border crossing procedures that involve the computer chip, according to GPO. The ICAO standards for electronic passports are extensive, including requirements for "a machine-readable zone," in which a computer can read the data on the chip; one for advanced digital signature protection and an integrated circuit chip that stores data. ICAO requires technologies for data storage to be non-proprietary, maintain document integrity, allow for easy access to the stored data, support quick transmission times and provide 20 kilobytes or more of storage on a chip. GPO did not specify which ICAO requirements American companies failed to meet. Raising concern, however, are the Asian locations used for chip production. While GPO did not provide details, Somerset noted a CNN broadcast that aired on Wednesday, which noted that chips from Gemalto and Infineon are made in Singapore and Taipei, then shipped to Thailand, where a wireless antenna is inserted by SmartTrac, a Dutch-based company. All the components are shipped back to United States, where data and photos are attached and downloaded onto the chips. According to the GPO document, SmartTrac intends to move its production plant to the United States in the near future. "The passports are not manufactured overseas," Somerset said. "A component with the chip and inlay [of the antenna] comes from various places overseas, but manufacturing is done in Washington and soon-to-be Mississippi." He noted that vendors were fully vetted with inspections of facilities and employee background checks, and that all passport components are moved via secure transportation, including armored vehicles. The GPO inspector general said the agency is following other procedures to increase security. The agency plans to deploy an inventory tracking system, which will authenticate chips embedded in passports when delivered to GPO, according to the agency's October 2007 Work Plan. The system will be integrated with GPO's network, enabling communication with chip manufacturers and the State Department for coordinated production and tracking of passports, according to the plan. As part of the effort, the Office of the Inspector General will assess the performance of controls provided through the system, including chip inventory and unusable passport books. Ray Bjorklund, senior vice president and chief knowledge officer for McLean, Va.-based consulting firm FedSources, said offshoring is inevitable in a global economy, and issues of security are far more complicated than geography. "You may have brilliant software developers in a less-than-favorable nation who are so concerned about their personal integrity to create elegant code that you end up with a beautiful set of software," he said. "Then you may have nations that have been our friends for centuries with rogue software programmers." Bjorklund said a large enterprise software company headquartered in the United States, which he declined to identify, writes the majority of its code overseas, and another headquartered overseas that writes most of its code in the United States. Both sell to the federal government. "There's no black-and-white answer," he said. "It's the degree to which the customer -- the federal government -- is willing to take on a certain level of risk in the context of what that product or system is supposed to do." Members of Congress are looking into the issue, including House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and Energy and Commerce Committee Chairman John Dingell, D-Mich., who stated in a letter to the GPO inspector general that processes could pose "a significant national security threat and raises questions about the integrity of the entire e-passport program." Congress has yet to ask the Government Accountability Office to investigate the issue. Unless a specific vulnerability is detected, Jess Ford, GAO director of international affairs and trade, doesn't expect that to change. "My understanding is that lots of chips used not only for passports but other forms of identification are manufactured overseas," he said. "Besides, I'm not sure if someone even got hold of the chip, how they would use them. There's a lot of security that happens here in the United States." ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Fri Mar 28 2008 - 00:41:52 PST