The Defense Information Systems Agency is broadening its efforts to bolster security by replacing traditional username and password systems, with a new pilot planned with the Department of Health and Human Services. An industry source says the pilot would reproduce a practice already being used by many companies to provide an “additional layer” of security.
It’s what some industry types call “behavioral biometrics,” Jeremy Grant, leader of the Better Identity Coalition for the law firm Venable, told Inside Cybersecurity. “This is a technology that has emerged as a valuable tool used by many companies to augment traditional authentication.”
The idea of using attributes related to personal mannerisms and habits in addition to unique biometric identifiers such as fingerprints to provide network access was described by HHS chief information officer Jose Arrieta at NextGov’s Emerging Tech Summit on Wednesday.
He said DISA proposed the trial and that the agencies are now “brainstorming” the details, but was enthusiastic about the implications for cybersecurity.
“From a cyber [security] perspective, if you're working in an operating room you log in to whatever equipment you're using and just leave yourself logged in, because you don't have the time to actually do username and password with every log in,” Arrieta said, suggesting, “what if we started to talk at the national levels and say maybe here's how to innovate the use of behavioral-based identity to actually create access to IoT enabled devices?”
He said, then, users would “no longer [be] transmitting security information -- username and password -- across the infrastructure” but “storing it directly in the wireless device. And unless you can mimic my iris, the way that I walk, the way that I talk, my facial scan, my thumbprint... 240 behavioral-based characteristics, you can't get access to the network itself.”
Grant said the practice of using such intimate details, which can include tracking and recording everything from keyboard stroke patterns to heart rate and room temperature, is already popular in certain sectors.
“Behavior analytics is widely used in industries like financial services and health care, where it provides an additional layer of security to organizations worried about attacks that look to compromise identity or authentication,” he said. “Most major cloud services have some of these capabilities built into their identity services as well.”
Proponents of the practice say there are no negative implications for privacy because the tracking doesn’t need to be linked to an individual’s Personally Identifiable Information. But privacy advocates, like those at Public Knowledge, have long argued against limited delineations of “sensitive data,” saying efforts to protect privacy should go beyond attributes like name, date of birth, and address. They note a “mosaic theory,” where bad guys can piece together information from different sources even after they have been disassociated.
Dylan Gilbert of Public Knowledge called it “the definition of paradoxical concept” to use intimate personal information to identify someone while saying it's not personally identifiable.
The Better Identity Coalition highlights potential benefits of the practice -- more officially known as “continuous risk-based authentication” -- for cybersecurity in a policy blueprint it released last July.
Arrieta said implementing the practice would also help streamline operations and better allow first responders and others to focus on doing their jobs. -- Mariam Baksh