Positive security



Intelligent Transportation Systems (ITS) can produce important results for the needs of the U.S. and world economies. Today the product of any significant investment in infrastructure must be productivity and security.

- Salvatore D'Agostino

Today the product of any significant investment in infrastructure must be productivity and security. The federal government must lead in these efforts. There are substantial investments being made in security across the transportation sector. Operation Safe Cargo, the Transportation Worker Identification Credential (TWIC) and our next generation of border control, known as United States Visitor and Immigrant Status Indicator Technology (US-VISIT), are a few examples. I hold out that these systems must take a positive approach to security in order to have any chance of being successful. In too many cases today the goal of security is to identify the bad. Positive security means that everyone who passes through a system is validated as being good.

This is the only way we can meet the goal of productivity and security from an infrastructure investment. Systems must quickly and accurately process everyone.

The benefits from a positive approach to security can be many, including:

*  Recognizes the scale of the problem;

*  Allows creation of standards for authentication;

*  Enables technology for problem solving;

*  Encourages people to register and participate;

*  Focuses attention on those not registered; and

*  Enables the multiuse of security.

Scale of the problem

The amount of travel, cargo, border crossings, baggage checked and other items for validation in order to secure travel is on the order of trillions of transactions on an annual basis. This means that a ubiquitous transportation security system will have hundreds of millions of users in the U.S. alone and billions if expanded outside the U.S. This is not surprising given the size of the U.S. economy and its symbiotic relationship with transportation.

Scale should not put off pursuing a positive approach. There are many examples of businesses and technology that deal with issues of this size. Banking, e-mail and industrial processes all deal with things in milliseconds (or nanoseconds). Transportation security must be able to do so as well. Solving the problem simply means that system architects must scale the problem correctly at the start; if not, it will fail to meet the twin needs (productivity and security) and will quickly become obsolete.

Standard authentication

There are two questions involved with any security system: 'Who are you?' (authentication) and 'Are you allowed to be doing what you are doing right now?' (validation/authorization). With respect to the first question we need to establish standards. Currently there are a number of substitutes for this question. Driver's licenses, passports and identification badges, along with additional verification factors such as pictures, biometrics and signatures, and multiple ways of reading and interpreting these things (e.g., by people and by machines), all currently try to deal with this issue. Dealing with the many ways of identifying an individual slows things way down. And this is before we even get to the second and more important question. Taking a positive approach means you have an opportunity to define authentication and assure proper identification.

Enabling technology

Any time you create a demand for hundreds of millions of things, you create an opportunity for economies of scale. When this takes place, people and companies will have an incentive to make an investment and provide the resulting solution to the demand.

Furthermore, you create a much greater probability for a significant return on investment. Taking a positive approach makes this a certainty, since a positive approach requires scale as stated above. As an example, programs like the TWIC and a number of other federal programs such as the Department of Defense Common Access Card (CAC) enable the use of smart cards. Once this takes place, other applications and technology can piggyback on it.

Encourage the many

There are some preliminary examples where positive approaches have worked in the transportation industry. In most of these cases the productivity delivered to the user makes them eager participants.

Almost anyone presented with this value proposition who is able to take advantage of it will go for it. The last part is the hitch; in order for positive security to take place, the responsible entity must enable the users or else leave it to price and demand. In the case of improved productivity, build it and they will come.

Focus on the few

Creating a system that gets almost everyone to register makes it extremely difficult to exist outside the system. Negative approaches to security mean that most people are outside the system, making it easy for bad folks to camouflage themselves with the good.

This fundamental difference alone justifies a positive approach. If you don't register you only cause yourself a heightened level of scrutiny.

Multiuse security

When all of the above takes place, the benefits multiply. The fact that a community of users exists can create tremendous economic and social opportunities. The key to multiuse security is the guarantee of individual privacy and control. If users know that their information will only be used by those who need it, then they will likely grant more organizations access to information.

Frequent flier and other loyalty programs are examples of multiuse of a credential with only some of the guarantees envisioned here. The important point is that it gives people multiple reasons to participate, and as a result positive security can be organically encouraging. This means that a common credential can exist for many applications. This means that finally logical and physical security can coexist. This means that commerce, privacy and security work together. Productivity and security blend into one.




D'Agostino, ITS expert and consultant in ITS security-related issues, has over 20 years of experience in security, imaging, transportation and automation. D'Agostino can be reached at salvatore@post.harvard.edu.

Source: TM+E   October 2003   Volume: 8 Number: 4
Copyright © 2008 Scranton Gillette Communications

