

In The Boardroom With...

Mr. Neville Pattinson
Vice President of Standards and Government Affairs
Gemalto North America
www.gemalto.com 

SecurityStockWatch.com: Thank you for joining us today, Neville. Please give us an overview of your background and your role at Gemalto.

Neville Pattinson: I currently lead the Government Programs activity within the Security business unit of Gemalto North America. In this role, I focus on government based e-documents and identity credentials. This focus has provided several opportunities to be an advisor to U.S. government policy makers, program managers and key technology partners providing products and services to the federal government. In addition to this role, I am the chairman of the Smart Card Alliance and chair of the Smart Card Alliance’s Identity Council; a founding member of the Secure ID Coalition and am currently serving a three year appointment to the Department of Homeland Security’s Data Protection and Integrity Advisory Committee. Any views expressed in this interview are not representative of the Smart Card Alliance or the Department of Homeland Security or the DHS DPIAC.

In my career I have been afforded opportunities to work on several projects which have increased the security of government issued e-documents and identity credentials including the establishment of the first strong identity credential programs in the United States: the personal identity verification (PIV) credential which is widely used throughout the Department of Defense (DoD).

SecurityStockWatch.com: Government activity falls in Gemalto’s Security Business Unit. Please give us an overview of Gemalto solutions for this sector.

Neville Pattinson: Our Security Business Unit is comprised of both enterprise and government programs sectors.

For the enterprise, we replace passwords for network security and online identity management. Our solutions include devices and systems that deliver much higher access security and end-user convenience, by making smart card-based credentials or tokens part of the login process. We work very closely with Microsoft, Citrix and others to make sure our solutions work seamlessly with the most widely used IT infrastructure systems without requiring additional software.

Gemalto’s government programs include several types of government e-documents such as electronic passports, a range of PIV cards for federal employees and other e-credentials for identity, driver’s licenses and healthcare. We provide a complete value chain, from the actual ID, which typically is a microprocessor based smart card in the desired form factor, to systems for device (identity credential) enrollment, issuance, management and use.

Gemalto is the world’s largest epassport supplier, according to the Keesing Journal of Identity. We provide U.S. epassports, for example, but also do many types of other programs all over the world such as supplying national e-ID cards for the Kingdom of Saudi Arabia, serving as the prime contractor for the Electronic Health Card program in Gabon and providing driver’s licenses in Queensland, Australia.

SecurityStockWatch.com: Gemalto recently introduced a new secure USB flash memory device. How does this product fit into Gemalto’s digital security expertise? 

Neville Pattinson: Gemalto is always looking for new and innovative ways to bring both security and convenience to our customers. This past month we introduced the Smart Guardian (SG) FIPS – a zero-footprint secure USB flash memory device that leverages smart card based encryption to secure the stored data and comes with McAfee always-on anti-malware and anti-virus protection. The SG FIPS achieved FIPS (Federal Information Processing Standards) 140-2 level 3 validation which is the highest level of certification for this type of device. We have recently added the ability for the SG FIPS to be bound to a PIV card to provide 3 factor authentication. A federal employee can now use their PIV card and its PIN to authenticate to the SG FIPS and open the encrypted partition. This is a unique benefit for any PIV or PIV-I user to enhance the security and privacy of the data contained within the SG FIPS token.

Up until now, portable flash memory devices have been banned from use in the federal government due to their lack of security. With the introduction of the SG FIPS, government employees, members of the military and enterprise employees using PIV-I credentials can leverage this type of portable medium without compromising security.

SecurityStockWatch.com: Can you give us an overview of some U.S. government e-document programs?

Neville Pattinson: One of the earliest U.S. government e-document programs was the Department of Defense Common Access Card (CAC), which was started in 2001. This is the identity credential for Department of Defense (DoD) employees, including all American armed forces personnel. It is a photo ID that includes a microprocessor-based smart card. Think of it as a small computer with special security software embedded in the ID. It contains a biometric that along with the chip provides higher security for physical access. In addition, all DoD employees also use the CAC for online security, to confirm their network identity. DoD IT security managers have been very open about reporting how this significantly improved network security.

CAC was the first U.S. agency-wide smart card ID deployment, but now the whole federal government has a similar e-ID called the Personal Identity Verification (PIV) card. Every federal employee or subcontractor is issued this form of ID. Gemalto was a key player in the definition of FIPS 201, the national standard which defines the PIV card configuration and usage.

Standards and implementation guidelines, security and technical validation processes, products, and administrative tools were all developed to support the program. This was a significant stride for the smart card industry, not just because of the revenue, but also because of the development and standardization it fostered, paving the way for more widespread use in the enterprise. A PIV interoperable credential is now spreading into the private sector for defense contractors – it is termed the PIV-I.

The best known federal government e-document program is the electronic passport in which a smart chip is embedded into the passport which allows the information to be read at border crossing using a contactless reader. Gemalto advocated for additional security features beyond the ICAO recommendations for e-passport implementation to enhance the security and privacy of the document and the person carrying it. The State Department adopted all of our recommendations in their implementation. Other federal programs include the Transportation Department’s Transportation Worker Identity Credential (TWIC) and the First Responder Authentication Credential (FRAC).

SecurityStockWatch.com: Is the United States government leading or lagging the rest of the world?

Neville Pattinson: I think mostly leading, but there is a lot more that should be done. The program that best illustrates U.S. leadership is the State Department’s ePassport program. In the wake of 9/11, the United States led the whole world to implement new, higher security passports based on contactless smart card technology. Now some 90 countries are issuing them.

I also think the U.S. is at the forefront in the use of smart cards in the federal government. To my knowledge, no other country has put a smart card in the hands of every federal government employee, including their military. And with over three million users, the U.S. DoD is by far the largest enterprise in the world to use smart card-based two-factor authentication for network security. No one even comes close.

The federal government has correctly concluded that smart card technology is the best way to provide security in person or over a network and has implemented systems to leverage two factor authentication using the PIV credential and a PIN to gain access to the network. Where I think the U.S. has room for improvement is in the ability to provide a more secure citizen credential. Today, the government issued identification is a paper card with a social security number printed on the front. Not only is this an insecure credential, it is easily obtained by fraudsters and can be used to steal a person’s identity. This also makes it difficult for the government to verify employment eligibility which is another pressing issue facing the current administration.

SecurityStockWatch.com: How could the U.S. better leverage technology to address these identity concerns?

Neville Pattinson: There are many examples of governments leveraging smart card based technology to protect the identities of their citizens and to ensure proper delivery of government services to eligible persons. For example, Germany, France, and Gabon are using e-IDs to protect healthcare identities. Belgium is protecting children on the Internet with an e-ID. Brazil has a very active e-ID program to secure access to online government services and digitally sign e-commerce transactions. The government even partners with credit card companies to issue the cards.

To argue we don’t need those programs here is to ignore the facts about identity theft and fraud. The United States is in the midst of an identity crisis. Evidence for the problem is apparent in all sectors of our government and economy.

Data breaches have exposed 260 million records containing sensitive personal information in the U.S. since the State of California first started requiring disclosure in January 2005. This leads to credit card fraud and other forms of identity theft.

The Federal Trade Commission reported that for the ninth year in a row, identity theft was the number one consumer complaint category, 26 percent of all complaints.

A U.S. Department of Health and Human Services report concluded that medical identity theft is a significant problem and consumers have the most to lose, yet little is done to authenticate the identity of individuals throughout healthcare.

One organization estimates that in 2007 three percent of annual healthcare spending ($60 billion) was lost to outright fraud.

Other countries are using government e-document programs to address these problems. In the U.S. we are using the technology to provide the highest levels of digital security at the federal level but not offering it to our citizens. Honestly, I do not understand that dichotomy.

SecurityStockWatch.com: In your view, what should be done?

Neville Pattinson: For one thing, the federal government can address the identity crisis by offering citizens a trusted digital identity credential that would prove your identity in person or online, stop others from pretending to be you and prevent others from using your identity credential if lost or stolen. Think of it as an identity-theft-proof passport for the Internet. U.S. citizens would be very interested in that idea.

Another idea is to upgrade the Social Security card. As a government e-document, the Social Security card has the potential to become a digital identity credential that would play an active role in protecting people’s identities and fighting fraud. If this critical identity credential were moved to a smart card where a person could be issued a PIN or leverage their biometric information (i.e., fingerprint) to be associated with their social security number, the ability to use this number for fraud or to illegally obtain government services would be dramatically reduced and possibly eliminated. The power of the smart card allows the citizen’s fingerprint to be matched within the smart card removing the need to refer back to an online biometric database for matching each time the citizen presents and authenticates their identity.

Finally, the American Recovery and Restoration Act (ARRA) includes over $19 billion for healthcare IT, and electronic medical records are a big focus. If we do not have a solid healthcare identity foundation, there are tremendous risks of mistaken identity and healthcare fraud. A government e-document healthcare ID would eliminate those risks.

These examples of identity protection could serve as a catalyst to bring about a complete change in the way identity, identity theft, fraud, and overall risk should be viewed. This shift has the potential of bringing about the real change that is needed to ensure our identities are protected. If industry were to respond to government action in the banking sector for example, there would be a shift to more secure chip and PIN or EMV payment cards which have proven to render breached data useless since the cards cannot be duplicated.

SecurityStockWatch.com: Is there any traction in Washington for these ideas?

Neville Pattinson: Yes, there is. One important voice is New York Senator Chuck Schumer, chairman of the Senate Immigration Subcommittee, who is an advocate of a biometric-based Social Security card. Verification is essential to the success of any new immigration law; it is the only way to verify who is eligible for employment. Yet today there is no effective way for the nation’s seven million employers to realistically determine someone’s status. Mr. Schumer has correctly argued that it is necessary to “significantly diminish the job magnet that attracts illegal aliens to the United States and to provide certainty and simplicity for employers” with a biometric-based employer verification system.

SecurityStockWatch.com: What are other possible benefits of a digital identity credential, like a Social Security card? Could a government e-document ID help with identity theft?

Neville Pattinson: A digital Social Security card would completely turn the tables on fraudsters, because just knowing a Social Security number would no longer be enough to use it. In effect, this renders Social Security numbers stolen in data breaches useless to fraudsters.

It also solves other problems. It provides a way to make government more efficient by providing more secure access to personal services online. And it can spawn multiple “persona” identities in financial services, healthcare and other industries beset by fraud.

We would still have many identifiers in different parts of the government and in the private sector, as we do today; but a digital Social Security card would protect the individual’s root identity in a way that would be far more secure and private than it is now, something a paper card could never achieve.

SecurityStockWatch.com: Thanks again for joining us today, Neville. Are there any other subjects you’d like to discuss?

Neville Pattinson: Your readers know the world is increasingly digital, wireless and interconnected. What they may not have realized before is how Gemalto is at the center of it, providing personal digital security devices that give people convenient and safe ways to communicate, pay and travel.

Our clients are primarily blue-chip companies and government agencies, and our technologies and solutions are critical to their operations. We have a clear view of our role and contribution to society, and a strong base of knowledge and resources to build upon. Gemalto is a financially strong company and our future prospects are bright.

I would really like to encourage your security or technology oriented readers to learn more about Gemalto at http://www.gemalto.com/investors. Our site is full of really interesting examples of our digital security projects all over the world. I want to thank SSW for this opportunity to tell your readers a part of our story today.