GPO: Article 'misstated' facts of offshoring e-passport production

[InfoSec News <alerts () infosecnews org>]

http://www.govexec.com/story_page.cfm?articleid=39630

By Jill R. Aitoro  
Govexec.com  
March 27, 2008  

A recent media report that said the Government Printing Office put 
national security at risk by relying on foreign companies to process the 
latest U.S. biometric passports "mischaracterized and misstated the 
facts significantly," according to GPO's inspector general.

On March 26, The Washington Times posted on its Web site an article that 
questioned whether GPO had placed " cost savings ... ahead of national 
security" because the agency outsourced some e-passport production 
processes to overseas companies. The article referred to an "internal 
Oct. 12 report" from the GPO inspector general's office, saying the 
report noted "significant deficiencies with the manufacturing of blank 
passports, security of components and the internal control for the 
process."

"No internal or external October [2007] report exists," said GPO 
Inspector General J. Anthony Ogden. He said that the quote about 
"significant deficiencies" was from a March 31, 2005, GPO inspector 
general report that outlined concerns with legacy operations used to 
process passports.

"All of those security concerns, which predate the electronic passports, 
were addressed at the time they were brought to the agency's attention 
[and] will be closed out with this reporting period," Ogden said. "The 
agency has continued to cooperate with our office and has asked for our 
assistance in oversight because we both take the passport operations 
seriously. The Washington Times article frankly has mischaracterized and 
misstated the facts significantly."

In response to Ogden's claims, Bill Gertz, the Washington Times defense 
and national security reporter who wrote the article, said, "I stand by 
my reporting."

Gertz added that the Oct. 12 internal report is available online. A 
search using the entire "significant deficiencies" quote pointed to the 
March 31, 2005, semiannual report to Congress that Ogden referred to. 
The search results also included the inspector general's "Semiannual 
Report to Congress," dated April 1, 2007, to Sept. 30, 2007, in which 
the quote appears under a heading referring to the 2005 report and 
restates the security shortcomings. In that section, the inspector 
general concluded, "GPO management provided documentation during this 
reporting period that closed two of the four open recommendations. 
Management is working on implementing corrective actions for the 
remaining two open recommendations."

In response to the Times article, GPO released on March 26 a document 
about work processes it used to produce passports. According to the 
document, and reiterated by GPO spokesman Gary Somerset, the agency 
manufactures passports at its facilities in Washington. The agency will 
soon produce passports at a second secure facility it is constructing in 
Mississippi.

Production of the electronic chip, which is embedded in the cover and 
contains the same information printed on the passport, was outsourced to 
two overseas companies, Amsterdam-based Gemalto and Infineon, based in 
Neubiberg, Germany. No American company meets the standards developed by 
the International Civil Aviation Organization and required by the State 
Department for border crossing procedures that involve the computer 
chip, according to GPO.

The ICAO standards for electronic passports are extensive, including 
requirements for "a machine-readable zone," in which a computer can read 
the data on the chip; one for advanced digital signature protection and 
an integrated circuit chip that stores data. ICAO requires technologies 
for data storage to be non-proprietary, maintain document integrity, 
allow for easy access to the stored data, support quick transmission 
times and provide 20 kilobytes or more of storage on a chip. GPO did not 
specify which ICAO requirements American companies failed to meet.

Raising concern, however, are the Asian locations used for chip 
production. While GPO did not provide details, Somerset noted a CNN 
broadcast that aired on Wednesday, which noted that chips from Gemalto 
and Infineon are made in Singapore and Taipei, then shipped to Thailand, 
where a wireless antenna is inserted by SmartTrac, a Dutch-based 
company. All the components are shipped back to United States, where 
data and photos are attached and downloaded onto the chips.

According to the GPO document, SmartTrac intends to move its production 
plant to the United States in the near future.

"The passports are not manufactured overseas," Somerset said. "A 
component with the chip and inlay [of the antenna] comes from various 
places overseas, but manufacturing is done in Washington and soon-to-be 
Mississippi."

He noted that vendors were fully vetted with inspections of facilities 
and employee background checks, and that all passport components are 
moved via secure transportation, including armored vehicles.

The GPO inspector general said the agency is following other procedures 
to increase security. The agency plans to deploy an inventory tracking 
system, which will authenticate chips embedded in passports when 
delivered to GPO, according to the agency's October 2007 Work Plan. The 
system will be integrated with GPO's network, enabling communication 
with chip manufacturers and the State Department for coordinated 
production and tracking of passports, according to the plan. As part of 
the effort, the Office of the Inspector General will assess the 
performance of controls provided through the system, including chip 
inventory and unusable passport books.

Ray Bjorklund, senior vice president and chief knowledge officer for 
McLean, Va.-based consulting firm FedSources, said offshoring is 
inevitable in a global economy, and issues of security are far more 
complicated than geography.

"You may have brilliant software developers in a less-than-favorable 
nation who are so concerned about their personal integrity to create 
elegant code that you end up with a beautiful set of software," he said. 
"Then you may have nations that have been our friends for centuries with 
rogue software programmers."

Bjorklund said a large enterprise software company headquartered in the 
United States, which he declined to identify, writes the majority of its 
code overseas, and another headquartered overseas that writes most of 
its code in the United States. Both sell to the federal government.

"There's no black-and-white answer," he said. "It's the degree to which 
the customer -- the federal government -- is willing to take on a 
certain level of risk in the context of what that product or system is 
supposed to do."

Members of Congress are looking into the issue, including House Homeland 
Security Committee Chairman Bennie Thompson, D-Miss., and Energy and 
Commerce Committee Chairman John Dingell, D-Mich., who stated in a 
letter to the GPO inspector general that processes could pose "a 
significant national security threat and raises questions about the 
integrity of the entire e-passport program."

Congress has yet to ask the Government Accountability Office to 
investigate the issue. Unless a specific vulnerability is detected, Jess 
Ford, GAO director of international affairs and trade, doesn't expect 
that to change.

"My understanding is that lots of chips used not only for passports but 
other forms of identification are manufactured overseas," he said. 
"Besides, I'm not sure if someone even got hold of the chip, how they 
would use them. There's a lot of security that happens here in the 
United States."


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn