Medical Privacy • Oct 2000 • Patient Privacy

U.S. Department of Defense Introduced Smart Card

 N E W S B R I E F I N G
= OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
= (PUBLIC AFFAIRS)
= WASHINGTON, D.C. 20301
====================================================
 
DoD News Briefing
 
Under Secretary of Defense Bernard Rostker
 
Tuesday, October 10, 2000 1:30 p.m. EDT
 
(Special briefing on the Department of Defense common access card.
Also participating were Rear Adm. Craig Quigley, deputy assistant secretary
of Defense, public affairs; Paul Brubaker, deputy chief information officer;
Ken Scheflen, director, Defense Manpower Data Center; and Mary Dixon,
director, Access Card Office.)
 
Quigley: Good afternoon, ladies and gentlemen. We're going to break up this
afternoon's press briefing into two parts.
 
The first part here, we're pleased to have with us Dr. Bernard
Rostker, the undersecretary of Defense for Personnel and Readiness; Mr. Paul
Brubaker, the deputy chief information officer; Mr. Ken Scheflen, the
director for the Defense Manpower Data Center; and Mary Dixon, director of
the Access Card Office.
 
They are here with us today to introduce the common access card.
This will replace the current uniform services ID card and is based "smart
card" technology.
 
I'll turn this over now to Dr. Rostker, and then I will follow up
after this presentation with some additional announcements and to take your
questions on other topics.
 
Sir?
 
Rostker: Craig usually tells us to take off our badges, but today I
particularly have my badge on. This is the new smart card or common access
card that we will start issuing throughout the Department of Defense. This
card will go to all of our active-duty, Reserve; for the first time,
civilians; and selected contractors. And it is a card that puts us in the
forefront of e-commerce and security, with the advent of not only the
standard bar coding and magnetic strips, but for the first time a smart
chip.
 
We'll be using this card for access to buildings, to computer
systems, and eventually it has the capability of facilitating electronic
commerce, allowances, mess hall accesses, and the like. And you'll start to
see these cards appearing over the next months and several years. We'll be
using these cards where -- this is an enabling technology at this point --
issuing the cards so that as the applications come online, we will have the
wherewithal to allow our personnel to gain access to the various systems.
 
Now I'm joined here by Mr. Paul Brubaker, who can talk to the
information contents of these cards. Paul?
 
Brubaker: Thanks, Bernie.
 
Bernie covered a lot of the basics of what the common access card
brings us as an enterprise. But let me just say that the common access card
and its role in our public key infrastructure [PKI] are critical to the
successful implementation of many key programs that we have here in the
world of DoD and service technology.
 
One of the most important issues that we faced over the past few
years has been improving the security of our information systems across our
DoD enterprise. One of the things that this will enable us to do -- the
"smart card" -- will give us the capability to digitally sign documents,
transactions and orders, and a lot of other implements that we use to do
business here in the department.
 
The common access card will hold digital certificates, which are a
cornerstone of our defense in-depth strategy. In other words, the deployment
of the common access card moves us one step closer to a significant
milestone in securing our networks, which Bernie mentioned earlier. The
common access card is going to strongly validate the identity of the
cardholder, who will then be given access to a number of services across the
department to which he or she is entitled. These certificates also add
capabilities to encrypt and thus privately exchange sensitive information
over our open networks, such as the NIPRNET [Unclassified but Sensitive
Internet Protocol Router Network]. And I can go into more detail on this
later during questions and answers.
 
The primary distinguishing feature of the common access card, or in
other words, what makes this card smart, is the integrated circuit chip --
this little thing right here which you can see on the display. I view this
chip as a small computer without a monitor or a power supply. A smart-card
reader will provide the power to read the data that's on this integrated
circuit and provide an automated interface between the chip and other
computer systems. The chip has the capability to read, write and perform
various functions and operations on several thousands bytes of information.
The common access card will also be the principal card used to enable
physical access to the department's buildings and controlled spaces, and
will be used to gain access to the department's computer networks and
systems.
 
It will allow Defense employees to digitally sign documents, which I
mentioned earlier, thereby resolving the major impediment to achieving our
e-business and paperless contract goals.
 
The common access card will have two bar codes to support
technologies previously implemented in the department. It will also have a
magnetic stripe, primarily to support physical access to our facilities.
 
The information that will be stored on this card falls into a few
general categories. First of all is identification. Secondly is
demographics, benefits, physical security and card management. The chip will
store certificates that enable the cardholder to digitally sign documents
such as e-mail, encrypt information, and establish secure web sessions to
access and update information via the Internet.
 
We've taken extensive measures to protect individual privacy with
this technology. In fact, we expect the common access card to enhance
individual privacy in the department as paper-based systems are replaced by
computer-based systems.
 
The technology is not entirely new to the department. Since 1993,
the department has been conducting evaluations on multi-technology cards.
The results have clearly shown that when coupled with business process
reengineering, these technologies save time, free money for use on other
requirements, and improve the quality of life for our people and enhance our
mission capability.
 
This particular card is going to be a significant step toward the
revolution in business affairs that you've all heard so much about. One of
the key capabilities of this card is in supporting multiple technologies and
many applications on a single platform. It's important to note that we're
going to have department-wide applications and local or command-specific
applications that are supported by this card.
 
Now, having said all that, we're now open to answer any questions
that you may have.
 
Q: Who will get the contract to build and manage the card?
 
Brubaker: I believe it's EDS. Right? Go ahead. Mary Dixon.
 
Dixon: The initial card was that -- the issuance process, the
software that was done to develop that was a combined effort of a number of
people, both EDS, ActivCard, some of the card manufacturers and a number of
other people. But as we follow along and purchase the bulk of the cards that
we're going to be needing over the next two years, we will do that through
the GSA contract, which has the smart card contract for the entire federal
government. And so that will be competed among the five prime vendors that
have won that contact, and we will get the cards through whatever card
vendor is able to meet our specifications.
 
Q: How much will it cost to buy all the cards that you need?
 
Dixon: Right now we're estimating the cards will cost approximately
$8 apiece, and about 3.4 to 4 million cards. But that will be a
continuing -- you know, once they're issued, that's not the end because we
have 400,000 accession every year, so there will be people leaving and
people coming on board. So it will be about 4 million initial issuance and
then about a million a year after that.
 
Q: If people lose these or they're stolen, what kind of controls are
on them so that they couldn't be copied or used to gain unauthorized access?
 
Rostker: PIN [personal identification number] controls. There's some
information that you have to provide at the time of accession to provide
access. Just having the card would not be sufficient to gain access.
 
Q: Would people who gained access to the card be able to gain
personnel information from it?
 
Rostker: No. All of the information is encrypted. And so you would
have to have the appropriate software and hardware to interface the cards.
But the information on the chip is heavily encrypted.
 
Q: Two questions. Can you tell us a little bit more about the sort
of other end, the reader end? In other words -- you know, in the various
applications, especially, like, access to computer systems? Do you have
to -- I'm just not clear -- to install readers at various computer points?
And my other quick question is, the electronic dog tag for active duty, does
this replace the electronic dog tag?
 
Rostker: No.
 
Q: Okay.
 
Rostker: The electronic dog tag is still in the development stage.
There have been some discussions, but -- of using this, but we have not
resolved that. And so that remains an open issue. Let me talk about
non-computer applications, okay? Everything from entering the building
today.
 
You all have around your necks building passes. Eventually you would
use this to enter buildings. It allows us, for example, to put charges, your
allowances that could be debited from the card as you go through mess lines,
for example. We intend this to be an open architecture so that we would
experience a myriad of uses that we can't even see today. What is clear is
the integration of this, which was tested, for example, by the Navy -- a
smart card -- with the whole move towards public key infrastructure and the
requirement for every person who has access to our computer systems to use
that technology. And that's all integrated now into a single device. And let
me turn that over to Paul again for the computer part.
 
Brubaker: It's important to understand, too, that the card will
limit access to certain individuals. In other words, you may have access to
certain buildings in the national capital region and not others. The
magnetic stripe will be able to tell the system that as you swipe and log
in. It'll either let you in it or won't let you in. The same is true of the
computer systems. As you use the integrated circuit, your certificates will
be on here. So if you're entitled to access certain types of information or
certain applications, you will be -- this card, the certificate on this card
will enable you to do that. It will limit your access to -- or will not
allow you access to applications and systems that you're not entitled to
access.
 
Q: But I guess what I'm just not understanding, I'm sorry, is, like,
physically do you have to now go and install readers on --
 
Rostker: Yes. Yes. Yeah. For example, your desk computer would in
the future have a reader that the card would be placed into, and that is
your key to allow you to use the government computer.
 
Q: And as military people move around, then, do you turn your card
in when there has to be any change to it, or -- how does it get adapted --
 
Brubaker: Your card can get reconfigured.
 
Rostker: You would turn the card in. The card is designed to have a
life of three years. So at the end of three years you would be issued a new
card, and your certificates would be updated. In the interim, changes can be
made to the card.
 
One of the features -- this is a read-write, not just a read only
capability on the chip. And one of the features is encryption. So that as
you are using the card, as information is placed on the card, that
information is heavily encrypted. And these will -- the encryption will be
certified by the appropriate agencies, by the National Security Agency for
us.
 
Q: Is there any battlefield condition -- cold weather, hot weather,
desert -- anything in which this would not work?
 
Rostker: We don't believe so. But that's one of the -- this is still
a (beta ?) test as we move out. So we'll learn things about the life of the
card.
 
I think you know that in the private sector we're starting to see
smart cards also, in -- American Express, I think, was the first. And I know
MasterCard and Visa are soon to follow. So this is the technology that will
be available in the future.
 
Q: What's the cost for the follow-on infrastructure of the readers?
 
Rostker: I don't have --
 
(To staff) Do we have a figure for that?
 
Q: (Off mike) -- is it going to be every DoD computer, every PC,
every laptop?
 
Rostker: Yes. Eventually.
 
Dixon: Yes. Well, it depends, because if you purchase a new
computer, you can today have a smart card reader installed as part of the,
you know, the normal configuration of that computer, in which case you're
talking about maybe a couple of dollars that it would cost. If you have to
buy a reader because your computer currently doesn't have that, then the
cost of the readers vary from anywhere from $20 to up to, if you're buying
it installed with a keyboard, up to $250. So that depends upon how you want
to use the card.
 
Q: And there are more computers than there are people here. I know a
lot of people have several on their desks. So how many --
 
Dixon: But a lot of people don't have any computers. So I think that
the estimate that they did for PKI, when they were estimating the cost of
the readers, which is already in their budget, to buy readers for those
computers, is about $3 million.
 
Brubaker: If we plan this right -- and I anticipate that we will --
chances are as we go through this, the typical refresh of technology, I
know -- I recognize some of you from the NMCI [Navy-Marine Corps Intranet]
news conference -- as they field that technology, they'll field smart card
readers in the new PCs that land on folks' desks. So the infrastructure
tail, if you will, should not be that significant if we plan the deployment
right.
 
Rostker: Let me also say that don't look for tomorrow morning to
expect us to have the PKI infrastructure throughout the department. I was
told this morning, for example, that that date is years in the future,
"years" being three, four years in the future before the entire department
is fully configured to exercise the PKI infrastructure.
 
This is the first step, is having a reader and nothing to put
through it. They use -- at this point, duplicate the current ID technology,
and it gives us the expansion to ensure that we can produce the cards in a
timely fashion, we can control them, we understand their vulnerability to
the wear and tear with our folks, and that they will be here for the future
as we implement the technologies.
 
Q: Can we quote the secretary -- (off mike) -- for government and
State Department? Are you all taking the lead on this whole thing?
 
(?): Yes.
 
Brubaker: In fact, I was just sitting back here thinking to myself,
I just want to let all of you know that we're going to eat our own dog food
here. My organization, the CIO [chief information officer] organization, is
about to outsource its IT infrastructure, and one of the things that we put
in the request for quotes was using smart-card technology according to our
standard, and we are going to have that deployed probably within the next
nine months or so.
 
(Cross talk.)
 
Q: By "we," who do you mean?
 
Brubaker: Oh, by "we"? It's actually --
 
Q: (Off mike.)
 
Brubaker: No, I mean the ASD C3I [assistant secretary of Defense for
command, control, communications and intelligence] organization, and
hopefully that's where -- it's Mr. Money's organization. He's the CIO of the
department; I'm his deputy. We're going to beta test it there and then
deploy it out to all of -- hopefully, deploy it out to all of OSD [Office of
the Secretary of Defense] or make it a standard for all of OSD.
 
Q: Could you get into a little bit more of what information the card
holder must supply so that you know that the card holder is really the card
holder? Is it a password, or is it things that have been contemplated, like
biometric, or could it be any of those things?
 
Dixon: When you're issued the card, you go to an issuing station,
and the first thing they do is they check your -- whatever flash ID cards
you have against what we call the DEERS [Defense Enrollment Eligibility
Reporting System] database, which is the database that has in it all of our
military, civilians - not the contractors yet -- people. And so they will
verify against that database that you are -- against the picture that's in
there, against the information that's in there, that you are who you say you
are.
 
Q: Initially, I mean, when you're using -- accessing the computer --
 
Dixon: When you're using that, what they will do is they will use
basically the PIN number, at this point, yes. There probably will be some
discussion in later years about whether we use also a biometric or not, but
at this point it will be, number one, the certificate that you had issued on
your card, which is what's supposed to authenticate that you are who you say
you are. There's a PKI certificate that was downloaded onto your card when
you were issued your card.
 
Rostker: When I was issued this card, they also took an electronic
reading of my fingerprint, okay? And so in the future, if that level of
security is required on the net, just as you go up through the net to work
the PKI, a verification of fingerprints could be an addition.
 
Now as far as any other information, it's basically the same
information you would give in a descriptive way.
 
The front of my card looks a lot more blank than the picture that
you see there, because there is further information that is required or the
Geneva Convention, since this is the official ID card for active-duty
personnel. So it will be tailored further.
 
But as part of the registration process, a verifiable fingerprint
was taken, and the way it goes, you put your finger down, they take the
fingerprint, then they verify that it's good fingerprint. And we even went
back and put my hand down again. So we have that added --
 
Q: Would -- the readers on the computers, though, would have --
 
Rostker: No, but there are specific --
 
Q: Can I -- let me just --
 
Q: Go ahead.
 
Q: Let me ask -- (inaudible). It seems like what you're saying is
that if you have a number, which I would call just the same as a password,
and you have somebody else's card, then you're off to the races.
 
Rostker: Depending upon this particular application, but that is the
minimum level of additional information.
 
Q: And a lot of people who worry about such things say that the
password is that -- or pass number, whatever -- is the most vulnerable thing
in the whole system. So isn't that sort of a problem?
 
Brubaker: It's -- you know, it's not -- this isn't designed to fix
all of our security problems. But you've actually pointed out something that
is accurate.
 
But let me just tell you what -- something that we're going to do
within the C3I shop. We're going to test both smart card and biometrics.
We're going to link them both. The technology's available to do this now. We
want to test it to see how well it works, because ultimately you do want to
get away from the password.
 
But right now, I mean, as a way to speed deployment and make it easy
on as many people as possible, we thought that this would be the best way to
do it. And we're talking about deploying this for the NIPRNET initially,
which is our unclassified network.
 
Rostker: One of the things we were interested in, in the Army, when
I was undersecretary of the Army, was biofeedback, and particularly
continuous biofeedback, because just signing on to a computer network -- and
then you could walk away from it, and you're signed on. And one of the
things we were interested in, in the battlefield situation, is retina scans
or other continuous feedback, so that if a position was overrun, if a node
in a computer network -- tactical network was compromised, the system would
close down. So there is work in doing that.
 
But for this, the primary is the PIN. Secondary could be
verification of fingerprints, if we had a fingerprint reader. And of course,
security would increase, depending upon the demands we place on the
particular application.
 
(?): Mary, did you want to help clarify that?
 
Dixon: Yes. There's probably two things you need to understand. One
is that, first of all, this is better than a password, because we're now at
two factors. You have to have both the card and a PIN number. You can't get
into your computer system with just the PIN.
 
Secondly, you should also know that the card is designed so that
three -- more than three attempts to guess a PIN will invalidate the card,
so it would then have to be -- you'd have to go back to the issuing station
and have a new password, so that there is some additional security.
 
Q: What's the -- do I understand -- would this become -- is this
going to become the universal U.S. government ID card, or is this just
confined to the Department of Defense?
 
Rostker: At this point, just the Department of Defense.
 
Brubaker: There is a joint program with GSA that we're working on,
for a common access card throughout government. But there are some --
obviously some very clear security issues. I mean, we'll probably have a
higher standard than anybody else -- well, than a lot of folks in
government.
 
Q: (Off mike) -- for instance, the CIA, the National Security
Council -- I mean, you can think of lots of other agencies that need -- are
they developing their own card separate from this one, or are they waiting
to see how yours works, or what?
 
Brubaker: I mean, they're working on -- I mean, obviously, we're not
going to tell them that they can't do what they need to do, if they think
that they need to do something to secure their networks immediately or
secure access to their buildings immediately. But they are looking at what
we're doing and taking an active interest in our particular program.
 
Q: Doesn't it make sense to have one card for all of these agencies,
since they all have the same need for security?
 
Brubaker: Sure. But let's not let the perfect be the enemy of the
good here. I mean, I think it's important that we get positive control over
our situation. We are communicating with GSA; we're participating in their
particular program, which is to design a government-wide, common access
card. But we just -- you know, I don't think it is prudent for us to wait
until that effort matures to the point where we're deploying it
government-wide.
 
Q: Well, just to follow --
 
(?): Go ahead.
 
Q: Well, just to follow that train of thought; if GSA decides on a
different standard or a different kind of card, then all the money you're
spending for this, you'll have to go to something else?
 
Brubaker: No, no. Not at all. In fact, I mean, our efforts are very
closely linked.
 
Mary, you've worked with GSA on this effort. Do you want to give
specifics?
 
Dixon: They have a certain number of standards they've already
developed, and we have complied with every one of those standards so that we
are in compliance with what they are looking towards. And I would tell you
that probably -- having worked with them -- it's unlikely that they would
come up with a card that would require us to throw all of these cards out
and start over again. So that I think when they're talking about a common
card, they want it to be interoperable, and that's the purpose of their
contract that they have, and that's what we have been working towards, is to
have cards that are interoperable; that my card will be able to be read by
the people in the Department of State.
 
Q: Two other quick. One is, what specific information is embedded in
the chip, in this card? For instance, are medical records on this? Is this
something that might be done in the future?
 
Rostker: We still are exploring the whole issue of medical records.
One of the issues on the battlefield is how well this holds up. It would
certainly be in the pocket. We want something that is more available. So
medical records might be, but we are still looking towards the dog tag.
 
Q: Well, initially, what information are you going to --
 
Brubaker: Initially, the certificates for the PKI, the Public Key
Infrastructure.
 
Q: And one last question. Is this sort of a first step toward a
national ID card where everybody in the United States might eventually be
identified by this kind of a card?
 
Rostker: This is a first step for the Department of Defense to enter
the 21st century for e-commerce, for securing our computer networks.
 
Q: I have a question about royalties, please.
 
Are there any royalties paid to the French inventor of this card,
Mr. Moreno? It's a chip that has been equipping the French banking cards and
telephone cards for 20 years.
 
Rostker: I think you would have to take that up with the vendor who
we buy the card from. We purchase the card -- there are, as indicated, GSA
contracts, and whatever the situation is in terms of copyrights and the like
are, at this point, not being addressed by us.
 
Q: The Geneva Convention requires -- what? -- name, rank, and serial
number? I don't think there's a serial number on there. Is the Social
Security the number, or is the bar code the serial number?
 
Rostker: The Social Security number is our serial number and has
been for at least the last 20 to 25 years.
 
Q: So will this replace the military ID card that allows access to
base?
 
Rostker: Yes, that --
 
Q: If so, are you also doing these for spouses and dependents?
 
Rostker: Exactly.
 
Q: So is that in addition to the 3.4 million to 4 million military
ID cards, or is that considered by the --
 
Scheflen: Not doing it for spouses.
 
Q: You're not doing it --
 
Rostker: I'm sorry. Say that again, Ken.
 
Ken Scheflen.
 
Scheflen: At this point we are not giving a chip card to spouses,
dependents, or retirees. The reason is we don't have a requirement that
would justify the cost of an $8 card versus the current card.
 
So they will continue to get the current card that they are getting.
And, in fact, they are all made in the same place. What we've added -- what
we've done is added smart card-producing equipment to the existing suites of
stuff to produce the current card. So a computer terminal in a personnel
office, for any of you who've been there, will be capable of producing
either card.
 
Q: Another question on medical records. I seem to recall a year or
two ago that the surgeons general, the services all were down here and
showed us a prototype of a medical records card. Is that development
continuing? Is it held in abeyance while you proceed with this, or -- ?
 
Rostker: No, it is continuing. I would be less than honest if I said
I wasn't disappointed in the speed with which it's continuing. And one of
the things I've pressed, since I've become the undersecretary, is to move
that project forward.
 
There's issues -- in terms of this card, there are issues of the
memory of the card, as well as its physical access on the battlefield. So
we're still looking towards a medical dog tag. But we're not where I believe
we should be on that issue.
 
Q: Bernie? You're not going to put total medical records at the
moment, but it would seem logical and feasible at least to have blood type
on it. Any thought about that?
 
Rostker: Blood type's on there.
 
(Off mike.)
 
Rostker: Yes, ma'am.
 
Q: Just to go back in the time line of things, I know they said in
maybe three or four years it's going to be Defense-wide. Can you just --
tomorrow -- what's the deal now? I mean, where do you have it now? Can you
specify that?
 
Rostker: Well, starting in a limited number of places in the
Quantico area, Hawaii -- Hawaii?
(?): Hawaii's already tested.
 
Rostker: -- soon to the Pentagon this will be the card that will be
issued and this will be rolled out across the Defense Department. So in its
first incarnation these will be, over the next two or three years, the card
that everyone will have. As we move forward with the applications, the first
Defense-wide application will be as the key for the PKI. Now, obviously, you
have to have both the equipment, and you have to have the people with the
cards to marry up. And that's what's going to take place over the next
several years.
 
Yes, sir.
 
Q: The vendor on this, is this ActivCard, the commercial vendor
providing the -- ?
 
Scheflen: ActivCard is involved. They are the vendor for the
middleware that we are using at the issuing sites, which is a very different
perspective than equipping all the computers and all the other applications
around the department. We have approximately 900 locations that have issuing
stations, 1,500, 1,600 pieces of equipment, there'll be another couple of
hundred put in. And so ActivCard's involvement today is limited to just
those sites that physically issue the cards.
 
Q: And what is "middleware"? What does that mean?
 
Scheflen: That's the -- the middleware is what interprets the card
to the computer.
 
Q: As you transition the active card to this new updated one.
 
Scheflen: Say -- say again.
 
Q: As you take the current card and you update it to include all
these new information?
 
Scheflen: No. The current card, the existing ID card is not relevant
for ActivCard.
 
You know, you basically need a piece of software that tells the
computer how to read the card. Okay? That's what "middleware" is. And in
making cards, you know, we have to tell the computers how to make cards. And
so we -- you know, for our 2,000 or so that wind up with pieces of equipment
that actually issue cards, ActivCard is involved in that, and only that at
this point.
 
Q: Why did they get that contract, and what is it worth?
 
(?): Do you know, Mary?
 
Dixon: I've got to look up the amount of -- I don't know what it's,
what it is worth exactly, because it's a -- I know the budget in terms of
the total amount, and there were a number of contractors involved.
 
So which part they got, I don't know.
 
Q: Well, what is it about their technology that caused you to choose
them to supply the "middleware," quote-unquote.
 
Dixon: The decision got started when we selected a Java 2.1
architecture, and -- because we were looking for a multi-application card
with the ability to securely download applications onto the card after
issuance, and the Java with the open platform -- what used to be the Visa
open platform, is now global open platform -- were big pieces of our ability
to do that. It may be in the future that there will be other technologies,
such as the Windows-powered smart card or the Multos cards are all
multi-application types. But at the time we started this development, the
only thing that was clearly out there in any great numbers that were being
used by the commercial sector was the Java 2.1. And through the work with
Sun, that's how they got into the -- got associated with ActivCard. Now
they've also been working with a number of card vendors.
 
Q: Who -- that is how "they" got associated? Who got associated?
 
Dixon: I'm sorry. The Defense Manpower Data Center did a lot of the
development work for the issuance process. The cards are really
off-the-shelf, commercial off-the-shelf products. And so the first card
that's being issued is an Oberthur card. And -- an Oberthur. That's the
vendor who makes the card. O-b-e-r-t-h-u-r. And there will probably be some
Gemplus cards in there as well.
 
Q: Some what?
 
Dixon: Gemplus. Gemplus is the other card vendor. But that's for the
first 50,000 cards. They were the only ones that had Java 2.1 cards
available at the time. And when we go to the larger order of cards for
January, which is probably going to be around a million cards, that will be
competed through the GSA contract.
 
Q: What kind of chip is on this card? And how much memory does it
have?
 
Dixon: It's a 32K. Has a crypto -- that's a 32K EEPROM [electrically
erasable programmable read-only memory]. And it has -- and it's a crypto
co-processor. And it's just an integrated circuit chip.
 
Q: Does it have a memory storage capacity?
 
Dixon: Yes, 32K.
 
Q: To come back to my question, have there been discussions about
the pros and cons of these chips with European allies? I understand that
it's used by the French military and it's standard in -- (inaudible) --
banks for 12 years and -- (inaudible) -- banks also.
 
Brubaker: We have looked at most of the large smart card and
PKI-on-smart-card rollouts in the world, including the Spanish government
and the Finnish government. The specs for the card that Mary talked about
earlier, essentially a global platform Java card, is becoming the standard
in the industry.
 
There will be many more millions of those produced for the credit
card world, and we're going to buy. What makes our application probably a
little unique from most of the others is it's what's called a
multi-application card. Most of the other rollouts have either been a
banking card of some sort, electronic purse, or they have been a PKI
platform only, as the case in the Spanish government. We're doing both.
We're putting both applications and -- you know, potentially, we could put a
purse on it, if we wanted to. We're definitely putting PKI on it. And it's
the use of Java that allows the card to perform this multi-app function.
 
So, you know, we are very aware of what's going on generally in the
smart card world, and we are in contact with the card vendors and the
chipmakers and the users of this.
 
Q: I understand what you said earlier about encryption. Will the
commercial firm or firms that are supplying these cards, will they also own
the computers where the information on the card is stored? In other words --
or will DoD have all that information about -- personal information about
the cardholder or will there be commercial vendors who will have that
information?
 
Scheflen: No, the commercial vendor sends essentially a blank card.
You know, we personalize it in DoD and, you know, the data is in DoD
computers. There's no vendors -- I guess -- if we're talking chipmakers or
card-makers, no, they don't have any data about anything on the card.
 
Rostker: I think, as you can tell, this is a technical subject that
we're all going to learn a lot more about, from our credit cards and
applications, as the time goes on. We think this is a very significant first
step in moving us towards a series of applications that will allow us to
move towards a paperless series of transactions. And we are most
enthusiastic about the integration of the personnel aspects with the IT
aspects in the PKI, so that we are using one card instead of a myriad of
cards, and eventually there will be one card around your neck instead of a
whole bunch of passes and ID cards. That's our goal, and we think this is an
important day for moving the Defense Department forward.
 
Q: Thank you.
 
"THIS TRANSCRIPT WAS PREPARED BY THE FEDERAL NEWS SERVICE, INC., WASHINGTON DC. FEDERAL NEWS SERVICE IS A PRIVATE COMPANY. FOR OTHER DEFENSE RELATED TRANSCRIPTS NOT AVAILABLE THROUGH THIS SITE, CONTACT FEDERAL NEWS SERVICE AT (202) 347-1400."
 
-END-
 
1
14
 
-- Subscribe or unsubscribe: http://www.defenselink.mil/news/subscribe.html
-- Transcripts on the web: http://www.defenselink.mil/news/briefings.html
-- Backgrounders on the web: http://www.defenselink.mil/news/background.html
-- Department of Defense home page: http://www.defenselink.mil/
-- Today invernment Smart Card Defeated in Minnesota - 1997