Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: InfoSec News (alertsinfosecnews.org)
Date: Fri Mar 28 2008 - 03:29:28 CDT
By Jill R. Aitoro
March 27, 2008
A recent media report that said the Government Printing Office put
national security at risk by relying on foreign companies to process the
latest U.S. biometric passports "mischaracterized and misstated the
facts significantly," according to GPO's inspector general.
On March 26, The Washington Times posted on its Web site an article that
questioned whether GPO had placed " cost savings ... ahead of national
security" because the agency outsourced some e-passport production
processes to overseas companies. The article referred to an "internal
Oct. 12 report" from the GPO inspector general's office, saying the
report noted "significant deficiencies with the manufacturing of blank
passports, security of components and the internal control for the
"No internal or external October  report exists," said GPO
Inspector General J. Anthony Ogden. He said that the quote about
"significant deficiencies" was from a March 31, 2005, GPO inspector
general report that outlined concerns with legacy operations used to
"All of those security concerns, which predate the electronic passports,
were addressed at the time they were brought to the agency's attention
[and] will be closed out with this reporting period," Ogden said. "The
agency has continued to cooperate with our office and has asked for our
assistance in oversight because we both take the passport operations
seriously. The Washington Times article frankly has mischaracterized and
misstated the facts significantly."
In response to Ogden's claims, Bill Gertz, the Washington Times defense
and national security reporter who wrote the article, said, "I stand by
Gertz added that the Oct. 12 internal report is available online. A
search using the entire "significant deficiencies" quote pointed to the
March 31, 2005, semiannual report to Congress that Ogden referred to.
The search results also included the inspector general's "Semiannual
Report to Congress," dated April 1, 2007, to Sept. 30, 2007, in which
the quote appears under a heading referring to the 2005 report and
restates the security shortcomings. In that section, the inspector
general concluded, "GPO management provided documentation during this
reporting period that closed two of the four open recommendations.
Management is working on implementing corrective actions for the
remaining two open recommendations."
In response to the Times article, GPO released on March 26 a document
about work processes it used to produce passports. According to the
document, and reiterated by GPO spokesman Gary Somerset, the agency
manufactures passports at its facilities in Washington. The agency will
soon produce passports at a second secure facility it is constructing in
Production of the electronic chip, which is embedded in the cover and
contains the same information printed on the passport, was outsourced to
two overseas companies, Amsterdam-based Gemalto and Infineon, based in
Neubiberg, Germany. No American company meets the standards developed by
the International Civil Aviation Organization and required by the State
Department for border crossing procedures that involve the computer
chip, according to GPO.
The ICAO standards for electronic passports are extensive, including
requirements for "a machine-readable zone," in which a computer can read
the data on the chip; one for advanced digital signature protection and
an integrated circuit chip that stores data. ICAO requires technologies
for data storage to be non-proprietary, maintain document integrity,
allow for easy access to the stored data, support quick transmission
times and provide 20 kilobytes or more of storage on a chip. GPO did not
specify which ICAO requirements American companies failed to meet.
Raising concern, however, are the Asian locations used for chip
production. While GPO did not provide details, Somerset noted a CNN
broadcast that aired on Wednesday, which noted that chips from Gemalto
and Infineon are made in Singapore and Taipei, then shipped to Thailand,
where a wireless antenna is inserted by SmartTrac, a Dutch-based
company. All the components are shipped back to United States, where
data and photos are attached and downloaded onto the chips.
According to the GPO document, SmartTrac intends to move its production
plant to the United States in the near future.
"The passports are not manufactured overseas," Somerset said. "A
component with the chip and inlay [of the antenna] comes from various
places overseas, but manufacturing is done in Washington and soon-to-be
He noted that vendors were fully vetted with inspections of facilities
and employee background checks, and that all passport components are
moved via secure transportation, including armored vehicles.
The GPO inspector general said the agency is following other procedures
to increase security. The agency plans to deploy an inventory tracking
system, which will authenticate chips embedded in passports when
delivered to GPO, according to the agency's October 2007 Work Plan. The
system will be integrated with GPO's network, enabling communication
with chip manufacturers and the State Department for coordinated
production and tracking of passports, according to the plan. As part of
the effort, the Office of the Inspector General will assess the
performance of controls provided through the system, including chip
inventory and unusable passport books.
Ray Bjorklund, senior vice president and chief knowledge officer for
McLean, Va.-based consulting firm FedSources, said offshoring is
inevitable in a global economy, and issues of security are far more
complicated than geography.
"You may have brilliant software developers in a less-than-favorable
nation who are so concerned about their personal integrity to create
elegant code that you end up with a beautiful set of software," he said.
"Then you may have nations that have been our friends for centuries with
rogue software programmers."
Bjorklund said a large enterprise software company headquartered in the
United States, which he declined to identify, writes the majority of its
code overseas, and another headquartered overseas that writes most of
its code in the United States. Both sell to the federal government.
"There's no black-and-white answer," he said. "It's the degree to which
the customer -- the federal government -- is willing to take on a
certain level of risk in the context of what that product or system is
supposed to do."
Members of Congress are looking into the issue, including House Homeland
Security Committee Chairman Bennie Thompson, D-Miss., and Energy and
Commerce Committee Chairman John Dingell, D-Mich., who stated in a
letter to the GPO inspector general that processes could pose "a
significant national security threat and raises questions about the
integrity of the entire e-passport program."
Congress has yet to ask the Government Accountability Office to
investigate the issue. Unless a specific vulnerability is detected, Jess
Ford, GAO director of international affairs and trade, doesn't expect
that to change.
"My understanding is that lots of chips used not only for passports but
other forms of identification are manufactured overseas," he said.
"Besides, I'm not sure if someone even got hold of the chip, how they
would use them. There's a lot of security that happens here in the
Subscribe to InfoSec News