IT to provide multifaceted security at US borders

The new Bureau of Customs and Border Protection (CBP) is using the security efforts of others to secure the nation’s borders with a state-of-the-art architecture that is spawning a long shopping list of technologies.

Edward J. Kinney, the bureau’s director of IT security, said being part of the U.S. Department of Homeland Security (DHS) involves getting 190,000 federal employees from 22 disparate agencies to work together in “the greatest cultural shift in the federal government since the creation of the Department of Defense.” Kinney oversees the security of an agency with international reach that was created primarily from the former Customs Bureau and Border Patrol. He made the comments yesterday to a group of military and civilian IT professionals at the Federal Information Superiority Conference in Colorado Springs.

The objective of the new CBP organization, and all the security layers, is to provide “a single face at the border” for fast and efficient decision-making on the millions of visitors and billions of imports crossing U.S. borders every week.

Kinney said the new security agenda for the bureau is driving large-scale efforts to encrypt information in storage and transit, authenticate users, provide rule-based authorization policies, single sign-on, radio frequency identification (RFID), content X-ray, and radiation detection with outsourced Internet threat monitoring and detection. And they are just getting started.

Driving this ambitious agenda for the start of the new federal fiscal year, which begins Oct. 1, is a management commitment to planning, process, measurement, documentation and security accreditation, according to Kinney, a career federal IT manager with a background that includes the U.S. Veteran’s Administration and the Internal Revenue Service.

Kinney said the DHS is taking a top-down, architectural approach to integrating disparate IT organizations while implementing security according to the dictates of the Federal Information Security Management Act (FISMA) of 2002. The result is an approach that adheres to Capability Maturity Model design and testing standards.

Security people are assigned to project teams to bring security policy and infrastructure focus early in the planning process, Kinney said. The new security processes and infrastructure includes design controls, procurement, implementation, operation and even replacement, he said.

The actual security accreditation process follows FISMA requirements for evaluating, measuring and accepting security risks, and is centralized for the 149 management processes in Customs and Border Protection. It includes risk assessment for all logical and physical elements of the bureau, including international sites.

“If you can’t measure it, you don’t know what you have,” Kinney said. Congress must like what it sees in the DHS. The House Appropriations Committee on Tuesday approved a US$30.4 billion homeland security bill that exceeded President Bush’s budget request by $1 billion.

Security priorities extend from customs inspectors and border patrol agents in the field to foreign manufacturing plants and ports shipping goods to the U.S., and the layers of infrastructure required to support them.

“The biggest risk we face is physical security in a host country,” Kinney said. Foreign points of origin for goods to be imported into the U.S. are now viewed as an extension of U.S. Customs jurisdiction, so that shipping containers can be inspected and sealed at the source. Containers then will be tracked and authenticated via RFID and other technologies. Insecure containers will be X-rayed and checked for radiation.

Securing the cooperation of foreign governments is as dicey as securing the containers themselves, Kinney said. “You can’t imagine how many people in our organization have not unpacked their bags.”

Securing information in transit and storage became an issue because the Customs Bureau encrypted all data, while much of the new data to be incorporated into the new CBP came from unencrypted sources. Integrating the encrypted with the unencrypted created additional risk. The DHS decided on a public-key infrastructure (PKI) strategy and sought advice from pharmaceutical giant Johnson & Johnson, in New Brunswick, N.J., which is in the midst of one of the world’s largest PKI deployments to date.

Another CBP and DHS initiative that borrows from the experience of others is the extensive use of smart cards, following in the footsteps of the Defense Department’s Common Access Card program. Kinney said smart cards would provide multiple factor authentication and authorization for department personnel.

The smart cards will support a planned single sign-on system that will give a single view of data from multiple applications. This includes information from an IBM mainframe. Agents in the field will access criminal, investigation, visa, tax and other point-of-entry decision support tools from remote systems via encrypted wireless links.