By Aaron Kesel
The government wants a phone for its employees that uses an algorithm to track their location, the way they talk, type and even walk, Nextgov reported.
A New York-based company called TWOSENSE.AI and the Defense Department are working together to build a B2B hybrid software-as-a-service (SaaS) product to replace the infamous government Common Access Card (CAC) used by active-duty uniformed service personnel, selected reserve, DOD civilian employees and eligible subcontractors.
TWOSENSE.AI was awarded a $2.42M contract through an Other Transaction Agreement (OTA) by the Army Contracting Command (ACC) to deploy deep neural networks for continuous multifactor authentication, Associated Press reported.
The Defense Information Systems Agency (DISA) awarded the $2.4 million contract in October through the Army’s other transaction authority, which allows certain agencies to sign contracts for advanced research without abiding by the Federal Acquisition Regulation.
This work originates from DISA’s Assured Identity initiative to create continuous identity security within the DoD, and eventually, replace the Common Access Card (CAC) with traditional and behavioral biometrics.
According to Business Wire, the “initiative builds on and leverages existing partnerships between DISA and Qualcomm for the purpose of hardware-backed device-level hardware attestation (digital key etched for providing trust for sensor data), and Samsung to create the mobile Trusted Execution Environment (TEE) as an extension of their existing SoC capabilities with Knox.”
The press release goes on to state:
TWOSENSE.AI’s machine learning technology models the unique behavior of each user, such as the way they walk, interact with their phone, commute to work, and how and where they spend their time. Through the power of deep learning, algorithms are highly personalized, learning the personal characteristics that make each user unique on an individual level.
This is all done without the use of any extra hardware, according to Dr. Dawud Gordon, CEO of TWOSENSE.AI.
Bleeping Computer asked Gordon whether the TWOSENSE.AI behavioral monitoring software requires additional hardware to run on a system. Gordon replied, “Our product is software only and relies only on hardware and sensors that are ubiquitously available in every mobile phone, laptop, desktop, and workstation computer,” according to the publication.
Typically, government employees use access cards to verify their identities when logging in to Defense Department networks or moving around the premises of various bases or government installations. TWOSENSE.AI wants to modernize that process by requiring government employees to use just their smartphones.
According to Nextgov, the software performs “constant monitoring of the user’s behavior—including how they walk, carry the device, type and navigate on it and even how they commute to work and spend their free time—and the system will automatically and continuously verify the user’s identity, enabling them to seamlessly work on secure networks without having to plug in a card each time.”
The system then continuously updates a trust score based on the algorithm verifying that the correct person has the device.
The score “is checked to ensure it meets the desired threshold,” Jeremy Corey, chief of the Defense Information Systems Agency’s Cyber Innovation Division, said at the AFCEA Defense Cyber Operations Symposium in May. “This threshold is predetermined by the organization we are piloting our prototype with. This could be configured by the application owner, so long as it is within the authorizing official’s accepted level of risk.”
“Both DISA and TWOSENSE.AI believe that continuous authentication is the cornerstone of securing identity. Behavior-based authentication is invisible to the user, therefore it can be used continuously without creating any extra work,” Dr. Dawud Gordon, CEO of TWOSENSE.AI, said.
It’s worth noting that DISA has been working to develop a series of seven multifactor authentication tools since 2017. In a video DISA posted in December 2017, the seven factors revealed included GPS location, voice recognition, facial recognition, device orientation, trusted peripherals, trusted networks, and gait (walking).
Further, Steve Wallace, technical director at DISA, told Nextgov last year that the software would profile “hand pressure and even wrist tension.”
However, this reporter was able to trace the first mention of eliminating Common Access Cards back to a 2016 article by FCW entitled “DOD to eliminate common access cards.”
Department of Defense CIO Terry Halvorsen announced on June 14th of 2016 that his agency would be eliminating common access cards for authenticating users on DoD information systems. “We are embarking on a two-year plan to remove CAC cards from our information systems,” Halvorsen said at the Brocade Federal Forum in Washington D.C.
“Frankly, CAC cards are not agile enough to do what we want,” he said. According to Halvorsen, the cards have too much overhead in terms of cost, time and location. It’s difficult, for example, to get to one’s CAC card to access a system when mortar shells are flying.
Moreover, in November of 2016, mere months later, Halvorsen said he had asked the IT industry to submit proposals for advanced ID management technologies that deliver “10-factor” security without the use of smart cards or any other new hardware, and that he had already received four proposals that he would review, according to Federal News Radio.
“Prototype devices for establishing assured identity are being developed right now,” Vice Adm. Nancy Norton, DISA’s director, said at an AFCEA cybersecurity operations conference in Baltimore in May of last year, FCW reports. “The first few will arrive this summer to assist with determining the right test parameters,” the publication wrote at the time.
The company and the Defense Department argue that this technology would “help secure government data preventing leaks.” Over the years, the government has seen leaks by Bradley Manning, Edward Snowden, Joshua A. Schulte, and many others. Such a change in protocol for U.S. agencies utilizing biometric A.I. technology would prevent any leaks of information, which isn’t good for keeping the government accountable and exposing corruption. It’s worth mentioning that if any of these whistleblowers had been required to use their smartphones with these special provisions, their information very likely wouldn’t have been released to the public.
Aaron Kesel writes for Activist Post.