Criticality of Credentialing: Verifying Government Employee Identities
Pattinson is a leading expert on smart cards and using the microprocessor chip to keep identity credential data and biometrics secure and private. Pattinson has been heavily involved in planning and implementing a number of federal government security initiatives including the Department of Defense Common Access Card (CAC); the State Department's electronic passport; the Western Hemisphere Travel Initiative cards; the Department of Transportation's Transportation Worker Identity Credential (TWIC) and the Transportation Security Administration's Registered Traveler program. Pattinson works closely with the General Services Administration, Treasury, Homeland Security, Veterans Affairs and NASA, which all have smart ID programs underway.
TOM FIELD: We're talking today about credentialing and with us is Neville Pattinson, the Vice President of Government Affairs and Standards in North America with Gemalto. Neville thanks so much for joining me.
NEVILLE PATTINSON: Hi, Tom.
FIELD: Neville, just to start out this conversation, why don't you introduce yourself to our audience and tell us a little bit about your role and your responsibilities.
PATTINSON: Certainly, Tom. As you said, I work for Gemalto and I'm actively involved in the government activities that we operate here in North America, specifically around credentialing. As such, I do have a special employee position within the government. I am a Special Advisor to the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. As such, anything I say today doesn't represent that committee, or the Department of Homeland Security's opinions. I also serve as the Vice Chairman of the Identity Council within that organization.
FIELD: So, clearly now, you're active in Washington, D.C. What are some of the areas in which you're trying to effect legislation?
PATTINSON: I spend a lot of time advocating for the use of secure credentialing in government programs, and over the last six years I've been active in Washington working on policy up on Capitol Hill, advising government on the best choices to make for credentialing programs. We looked at all of the identification programs being considered, and historically, we have worked on the transport workers identification credential, the HSPD 12 credential for all federal employees and we have helped and advised on the correct implementation of the U.S. e-passport. Generally, we are looking at whatever credentialing challenge is identified within the U.S. government, for either employees or for citizens. We are looking at giving them the best advice around how to approach identity management within those programs and how to create credentials that can offer the best in security and privacy protection for those programs.
FIELD: This really is a great topic, credentialing. Big picture, what are some of the major challenges that organizations are facing?
PATTINSON: We are in the middle of what I call a "national identity crisis." We lack an important foundation in our society which allows us to trust a person's identity. Our lives are also relying more and more on an online world. We have no formal country-wide trust mechanism presenting or authenticating citizens' identity in real life, or online. We need a trusted digital credential and identity management system to enable an authenticated system at our border for employment verification, e-government 2.0, cyber security, and importantly, protecting the citizens against identity theft. Knowing who we are dealing with in our society is based on today's weak credentials, such as drivers' licenses, birth certificates, Social Security Numbers, etc., and identity theft is a growing concern. Many governments and commercial programs today face the same core problem of being unable to trust a person's identity and to authenticate that they really are who they claim to be. Not being able to fully trust the credentials today or protect somebody's identity from identity theft, for example, is corrupting our ability to enable so many programs efficiently and protect our citizens' identity. Our inability to present a trusted credential in our everyday world is alarming, and our inability to present our identity on a virtual, digital online world is limiting the potential for e-government's financial and commercial applications.
FIELD: Now, Neville, these arguments aren't old, certainly, but why are the challenges of credentialing magnified now?
PATTINSON: We are already overdue in providing adequate protection mechanisms to address the problems of protecting our citizens' identity. We really must protect our citizens from identity theft and have to provide that trusted identity credential for both the real and virtual world. We must present a mechanism which allows citizens to take control and protect their identity. Several programs today are individually realizing identity as the key to moving forward. These are such as the initiative by the Obama administration on e-government 2.0, to move to reach out to citizens and to give much better communication and authenticated communication between citizens and government. We have the healthcare reform initiative going forward, which is very challenging and is looking at providing electronic medical records online, and there are some significant identity management and privacy challenges associated with that. There is also the ongoing problem of identity theft and account theft going on in the financial world. Immigration, a new topic that is running through the legislation right now, deals with how do we verify who is a U.S. citizen and who is entitled to work. The whole area of verifying and looking at employment verification is a hot topic looking at identity management. And additionally, we have cyber security challenges. How do we really know who we are dealing with on the internet? How do we identify people in that virtual world when today we have trouble even presenting a credential and trusting it in the real world?
FIELD: In terms of solutions, what type of credentialing policy do you advocate?
PATTINSON: Obviously one that empowers the user, the employee or citizen to be in control of their identity and to be able to protect their identity. From that perspective, smart card technology is a well proven, trusted and cost-effective technology that has been deployed around the world and many instances of application is requiring identity management. If we combine then other factors of authentication, not just the smart card, but also perhaps a PIN, or perhaps something you are, such as a biometric; you have a great deal of trust in the fact that you really are able to ascertain who is using this particular identity card. With the presence of the card, or the presence of a PIN code, or the biometric, the card can perform an authentication that the user is present, and then authenticate and securely communicate, very importantly, to the online systems or to the terminal at the doctor's desk, or at the bank, that this is the person that they really do claim to be. So, for us, it's really about secure credentials that are based around smart card technology, perhaps with additional factors of authentication in our digital lives today.
FIELD: Neville, a couple of times now you have referenced healthcare. I know you have done a lot of work in that field. Could you discuss the credentialing challenge and potential solutions in that particular industry, and how others can learn from them?
PATTINSON: Indeed. The main goal of healthcare reform is really about electronic health records, providing those health records online, to be accessed by all providers that need to have access to that information. This is a new era that we are moving into that presents significant privacy and security challenges. We really have to insure that we really have the patient in control of their records, not necessarily the provider. So, on that basis, we need to look at having identity management solutions that encompass both patients and employees of the healthcare system. Patient-issued smart card technology can then present their credential at the point of service, if we go to the doctor or an ER, that credential can then authenticate they really are who they say they are, and it can also them access to the provider, to their online medical records.
Without that access authorization, the information isn't available, potentially, to the provider. Once the provider has access to that information, the employee using their identity card can also now access that information and provide accountability, an audit of who has been accessing this information, why, and where, etc. So, this, to me, is missing today in the current goals of the healthcare reform bill, rather. It really needs to have the whole area of identity management solved within the scope of providing true privacy protections to the electronic medical records of the patient and to provide accountability to the provider. It doesn't just stop there. Once you have this information available and the accuracy that will be achieved by not having to fill out forms all the time, by presenting a smart card instead will allow accurate billing of that service that has been provided to the insurance company. And we expect to see a reduced number of rejections of initial claims on the basis that the information is now electronically correct, as far as the patient identification, etc. That should allow cash flow to be better increased, as far as the providers getting reimbursed for their services without having to go through areas of dispute with the insurance companies. Claims processing efficiency should be realized and obviously we are going to see a reduction in paperwork throughout the whole process, which means a speeding up of the whole process.
FIELD: That's a great example. And you've brought up some serious issues here. What will it take now to seriously address the credentialing issues that we all face as a society?
PATTINSON: We certainly have to have first a commitment to recognize that identity management is really a critical factor in many of the applications that we see in our digital lives as we go forward. On that basis, we need to have a strong policy that really supports the need for identity management going forward within these programs, or within a countrywide initiative, potentially. If it is in a particular program, obviously that policy needs to look at the serious need to insure that we know who we are dealing with, both at the citizen level or employee level, whatever the particular implementation. Once that policy is in place, then obviously there is going to be funding required.
That funding needs to come from either the stimulus area, such as the healthcare reform, or it can become part of the fee process, an application fee much like American citizens go forward with today in applying for a passport; there is a fee-based process, or a driver's license, there's a fee-based process there. Once that is organized, then it is down to deployment. And that deployment requires a very strict and methodical enrollment of people into that identity management system. Once the enrollment is underway, the infrastructure needs to be deployed that is now going to recognize these identity cards as they come forward. That infrastructure is not a small challenge by any means, but it is something that has been done in many instances around the world. The benefits realized by going through a deployment with a trusted set of community operatives that are in that environment, as well as the infrastructure to support that identity management group, will provide and yield great benefits in stopping people from attempting fraud and speeding up the process of payment, etc. The credential issue we face will come through realization, followed by good government, strong policy, funding and then a rigorous deployment.
FIELD: Neville, one last question for you, and it's a practical one, really. What's a good first step towards secure, effective solutions and credentialing?
PATTINSON: A good first step would be to pick one. At the moment, we have almost too many identity management challenges facing us in the U.S. society, as I mentioned earlier. If we try and take a bigger picture and look at all of them, and consider trying to solve all of them at once, that may not be achievable in the short-term. So, for me, it's really picking one of these programs and proving it. How can we insure that we've got good, trusted credentials operating well, showing the benefits of realizing who we are dealing with? Perhaps healthcare is the first one that would be a good first step in our society today; that one has funding, inasmuch as the $19 billion of stimulus money that is assigned. There is a critical need to identify patients accurately, to give them the empowerment to access their records, and to then have the accountability of those employees in the healthcare system, along with the payment system efficiency.
That one may be the best first step. There are others that are also good candidates, certainly around immigration. We see a lot of area of need at the moment to identify U.S. citizens within the e-verify program, to really insure that we are having employers only employ valid U.S. citizens. And for that there is a very strong need to upgrade today's U.S. Social Security card from its current printed paper stock that we see today into a trusted digital credential that could project the identity accurately and clearly to an employer when they present that card and to authenticate with a biometric, probably matched inside the card, to show that they are the person who was issued the card. There are many options to take the first step, but I think healthcare and immigration are possibly two areas that probably take a leading area in the priorities that we have today.
FIELD: Neville, you've given us some great ideas and I really appreciate your time and your insight. Thank you.
PATTINSON: Thank you, Tom. I appreciate it. I think we certainly have an exciting future as we hopefully empower citizens to be secure in their future digital lives we currently face, and give them that security to be free.
FIELD: The topic has been credentialing, and we've been talking with Neville Pattinson with Gemalto. For Information Security Media Group, I'm Tom Field. Thank you very much.