Photo: Mark W. Clark
Computer security is one of the primary concerns for many of the nation's companies and government agencies. Billions of dollars is spent each year on preventing external threats from entering protected networks. But the sad truth is that most computer network breaches are caused by sloppy internal security policies and procedures.
Talk to cybersecurity specialists, and they will tell you in choice words that many computer users just don't understand what it takes to protect a network. One problem that is pretty much universal is that people tend to be a bit careless with key security information. They write their passwords on Post-It notes and slap them on the desks beside their computers; they use "1234" or their names and birthdates as passwords; and/or they share passwords with unauthorized users.
The FBI's Criminal Justice Information Systems (CJIS) division has long been concerned about the security of criminal databases used by law enforcement officers. CJIS maintains such databases as NCIC, IAFIS, and VICAP, and these databases contain confidential information about criminals, suspects, and victims. CJIS is responsible for maintaining the privacy of that information, and it doesn't want unauthorized people to access it. In recent years such security breaches have become much more likely as law enforcement agencies are now using the information in the field on easy-to-lose and easy-to-steal devices like laptop computers, tablets, and smartphones.
Three years ago CJIS decided it was time to ask the agencies that use its databases to do a better job of making sure only authorized personnel have access. It issued a mandate that agencies using FBI databases implement a multifactor authentication process that would prevent anyone but the right people from seeing the information. The mandate was scheduled to take effect last October, but CJIS decided to extend the deadline to this October. It's not known if it will be extended again this year.
"CJIS continually extends the deadline because this is an unfunded mandate so some of these agencies just don't have the funding to become compliant," says Jennifer Shoemaker of Panasonic's Public Sector Team.
Complex and Confusing
Experts say most law enforcement agencies are aware of the CJIS database security mandate, but some agencies are having a hard time complying. And budgets are not the only reason.
One complicating factor is that each state also has a mandate for law enforcement database security, and the state requirement may exceed their federal counterpart's. Shoemaker says the differences between the state and federal security mandates can lead to confusion. She offers the following example of how the two mandates can contradict. "Federal CJIS guidelines say that inside the four doors of a police vehicle is a compliant place for your laptop. So federally if the laptop stays inside the vehicle then it doesn't have to comply with this mandate. The state of Florida says that's not the case."
The interpretation of what the feds mean by "stays in the vehicle" is also tricky. On its face it sounds like the clause automatically granting compliance to laptops that stay in police vehicles resolves the vast majority of CJIS compliance concerns for agencies nationwide, as most law enforcement laptops are inside patrol cars. But it doesn't. Shoemaker says "stays in the vehicle" means it literally isn't removed from the vehicle. Since many agencies assign laptops to officers, not vehicles, even if those laptops spend much of the day in vehicle mounts they still need to be fitted with some sort of multifactor authentication protocol to gain federal CJIS compliance.
In order to comply with the CJIS mandate, agencies have to gate access to FBI databases with a two-part authentication protocol. Specifically that means the officer has to both know something and bring something to unlock access.
Knowing something is the easy part. It's the same password procedure that almost every American uses every day on both work and personal devices.
Bringing something is considerably more complicated. Accessing officers have to either carry with them a radio frequency identification (RFID) card, a security token, a dongle, or something in that vein or use some physical aspect of themselves such as a fingerprint or a retinal pattern to unlock the data.
Shoemaker says biometric scanners are by far the most popular secondary authentication method used by the agencies she contacts. Some of the reasons that biometric authentication is so popular with so many agencies is that the scanners are easy to use and can be built into most manufacturers' devices for nominal cost. And there's another reason many agencies prefer biometric access over systems that require officers to carry a separate object: "It's hard to lose your fingerprints," Shoemaker explains.
Facial recognition is another biometric protocol that shows promise. Swiss company KeyLemon has had much success offering a facial recognition security application for the medical and security industries and believes its new facial and voice recognition application could be very popular as a biometric authentication tool for law enforcement. The company hopes to work with computer manufacturers to offer the software to customers as a built-in option, but it is also available in a free evaluation version at www.keylemon.com. The full version can also be downloaded from the company's Website for a $60 one-time fee per user. It runs on Mac OS, Windows, Android, and iOS.
Anthony Gioeli, KeyLemon's vice president of sales and marketing, says the application is easy to install, easy to set up, and more than 90% accurate. No special hardware is needed to use KeyLemon; all it requires is a Web camera and a microphone, both of which are usually built into most laptops. The facial recognition software reads the person's face regardless of facial hair or glasses (though sunglasses can be a problem), and the voice recognition software reads the user's voiceprint regardless of language or accent, according to Gioeli.
Gioeli says there are advantages to having both voice and facial recognition capabilities on the same law enforcement computer. "We recommend officers use the voice recognition or the facial recognition based on conditions. They can either speak to the device or look at it, whichever is more convenient," he explains.
RFID cards are another secondary authentication option. Many law enforcement agencies use key cards for the doors into their stations, so officers have to carry the cards on their person at all times on duty anyway. What some agencies do for secondary authentication on their digital devices is they add RFID chips to the key cards and an application that reads them on the devices they use to access FBI databases. Of course, the downside to this system is that officers can easily lose the cards.
All of this technology can be pretty intimidating for some agencies seeking to gain compliance with the CJIS mandate. Which as discussed can be pretty confusing. Panasonic's Shoemaker says of the federal and state mandates that the guidelines are "very organic and ever changing. It's hard to keep up with."
The mandate and its requirements can be particularly taxing for smaller agencies that don't have IT support. Many of these agencies are now depending on their county sheriffs to lend a computer-savvy hand. "Some IT staffs from sheriffs' offices actually manage the hardware and even the databases for smaller agencies in their counties," Shoemaker says. "Some smaller agencies even access the FBI criminal databases through their local sheriff's office."
And smaller agencies are not the only ones who can find the federal and state CJIS mandates bewildering. Shoemaker says she's seen a lot of turnover in public safety IT and the new hires often are not aware of the mandates or what to do about them.
Shoemaker says one of the most costly aspects of complying with the mandate is the time that law enforcement and public safety IT personnel have to spend determining the best solution to meet their needs and the requirements of the mandate. She recommends that agencies seek out the help of the companies and systems integrators that sell, install, and service their computers.
FOR MORE INFORMATION: