Opening the Door to E-Commerce

The White House and Congress agree: Agencies need to get rid of paperwork and many of the people who push that paper. Policy-makers are leaning heavily on the agencies to do more business electronically, in program areas and especially in procurement. But as agencies begin to consider doing serious business online, they run up against a harsh reality. The mechanisms that protect most agency information systems today simply are not robust enough for use in electronic commerce on the Internet.

It's not simply a question of beefing up World Wide Web sites and e-mail to keep out hackers. The bigger question is whether your agency can be sure who it's doing business with and meet the legal standards for legitimacy of the transaction, so it will withstand a challenge in court. Until now, signed and certified documents have provided these assurances. But e-commerce will not advance far if a piece of paper must back up each electronic transaction. Digital signatures are the answer.

What's needed is a system for ascertaining people's identity and their standing once and issuing an e-commerce credential that will identify the individuals online. The system must be tamper-proof and preserve privacy and confidentiality while it gives both parties confidence that they know who they are dealing with. That's a tall order in an internetworked world, but fortunately, the technology exists. It's called public-key encryption. (For an explanation of the technology, refer to the Government Information Technology Services Board Web site at http://gits-sec.treas.gov.)

Although public-key technology languished for more than a decade after its introduction in the early 1980s, it now appears headed for widespread use as federal agencies begin to adopt it en masse. Richard A. Guida, chairman of the interagency coordination committee under the aegis of the GITS Board, says more than 4 million certificates identifying authorized users of federal and contractor systems are likely to be issued in the next year or two.

The federal government is ahead of the private sector when it comes to implementing public-key encryption because of lingering concerns in the commercial world about the legality of digital signatures, says Howard Stern, a longtime proponent of electronic commerce and chair of the Federal Electronic Commerce Coalition, an industry consortium.

Under the 1998 Government Paperwork Elimination Act, digital signatures must be considered as valid as those on paper. GPEA also requires agencies to accept and keep documents from the public in electronic form and set up digital signature systems by October 2003.

With the legality of digital signatures for federal operations no longer in doubt, the missing ingredient has been the infrastructure that must undergird a public-key encryption program. A public-key infrastructure, or PKI, is now developing rapidly, particularly at the Defense Department.

What's a PKI?

The infrastructure is a combination of computer hardware, software and services. A PKI can be established in many ways, but there are four essential elements:

  • Policies for issuing certificates and relying on them in the course of agency operations.
  • A registration authority that ascertains the identity of individuals and authorizes them to use a system or parts of a system.
  • A certificate authority that anyone can check with to see if an individual is duly registered.
  • Software and communications systems that recognize and transmit authentication and verification codes.

Once a computer user has obtained his or her certificate, the system can be invisible. In fact, many federal computers are equipped today with PKI-aware software such as Lotus Development Corp.'s Notes and Microsoft Corp.'s Exchange and Outlook. When the user enters a password, the certificate in the system may be activated invisibly.

The typical agency may be using some of the elements of a PKI, but agencies usually lack policies and secure processes for issuing certificates and maintaining an online registry. The certification process is important to make a digital signature trustworthy. In this process, a trusted third party essentially verifies that you are who you say you are and that you are authorized to take certain actions.

When workers' job responsibilities change or even when they get a new office or computer, their certificates must be updated right away. Those agencies that have not operated rigorous computer security programs will have to change their ways.

Big Challenge

Most agencies are starting small with pilot programs for some internal users. Setting up a PKI for operations within an agency or with a defined group such as participants in a certain project is doable, but it's not easy. "Part of the difficulty we face right now is that the products are in the early maturation phase," Guida says. The government is committed to using commercial, off-the-shelf (COTS) products, but there are fewer than a dozen complete PKI systems on the market. Standards still are emerging, and business models are not yet firm.

An agency can contract with an outside company to operate its PKI, or it can do the work in-house. If it chooses the latter option, it can buy the software or lease it on a per-transaction basis. Besides the acquisition strategy, the agency must resolve a host of architectural questions that have both technical and operational implications. For example, should there be just one central certificate authority or a hierarchy of subordinate ones? Agencies will approach these issues differently and need not have the same architectures, as long as they adhere to technical standards.

Establishing what's known as a "trusted path" or "chain of trust" between your system and others isn't easy. The software and hardware from several vendors must interoperate to a greater degree than with ordinary Internet communications. Interoperability is an absolute must. "We're not going to go anywhere until we can make sure that interoperability occurs," says Patricia Booth, a senior product manager at Lotus Development Corp.

When agencies engage in e-commerce outside of their own electronic domains, how do users know that they are doing business with legitimate enterprises and not hackers' computers masquerading as something else? In the case of exchanges between two federal agencies, they will communicate through a "federal bridge certificate authority" that Guida is establishing with $530,000 in funding from the National Security Agency. It will cross-certify agencies' transactions. Guida hopes it will be operating early next year. Certificate authorities will maintain online certificate revocation lists like the lists of invalid numbers that credit card issuers publish.

As for doing business with the public, that can be accomplished through the General Services Administration's Access Certificates for Electronic Services (ACES) program. Any day now, GSA's Federal Technology Service is expected to select one or more contractors to issue certificates to the public. At no charge to individuals, they can apply to a designated registration authority and submit three proofs of identity, such as a passport, Social Security number, driver's license or employer reference.

Once ACES is in place, agencies can more comfortably use the Internet for weighty transactions such as accepting tax payments and applications for loans and financial benefits. Many people remember the controversy that erupted when the Social Security Administration tried to deliver earning and benefits statements to individuals via the Web in 1997. The agency quickly pulled the plug on its innovative service when critics pointed out how easy it might be to obtain someone else's earnings history. ACES is supposed to make such services possible. "It certainly is better than PINs [personal identification numbers] and passwords, which are very spoof-able," Guida says.

Pilot Programs

Agencies are gearing up to use the ACES services, but so far most are engaged in limited PKI pilot programs.

One major exception is the Defense Department, which has made a major commitment to going paperless by 2003. To reach that goal, the department will provide PKI services via smart cards to 4 million or so civilian and military employees and contractors by the end of 2002. "There's no question that DoD is the principal engine of change" when it comes to adopting PKI, Guida says. "Security is their business, and it's no wonder that they're good at it."

The Air Force has launched a program to issue certificates to 700,000 people, and the Navy has a comparable program under way. NSA and the Defense Information Systems Agency are coordinating the activities across DoD. The DoD infrastructure will support both classified and unclassified transactions. Under the scheme adopted by Guida's steering committee, there are four levels of security available within the federal PKI. Agencies' internal security policies must conform to these levels if they wish to use the bridge authority.

Other agencies in the vanguard, according to Guida, are the Federal Deposit Insurance Corporation, NASA, the Energy Department and the Federal Aviation Administration. FDIC and the FAA aim to use PKI to Web-enable some of their regulatory activities, he says, while the others are focusing primarily on internal operations, such as human resources and procurement.

The Veterans Affairs Department is perhaps more typical, with small PKI pilots under way in the areas of information security incident reporting, exchanging customer data with other agencies, enrollment verification for education benefits and internal agency operations. Installing a PKI is a major undertaking, says Cathie Ward, who's coordinating the effort in the Office of Information and Technology. She recommends an incremental approach.

The VA hired a McLean, Va., firm specializing in PKI, CygnaCom Solutions Inc., to advise it on the technical and policy issues it will confront. To head off interoperability issues, the VA plans to install a single utility that can be shared by its operating bureaus and offices. It's looking for the next release of Microsoft's NT operating system, called Windows 2000, which is promised for late this year with full PKI capabilities out of the box.

Some federal agencies have shown no signs of serious interest in PKI. But Guida thinks the PKI bandwagon is picking up steam. In his view, public-key encryption is "the gateway to an electronic-commerce-rich future" because of its unique ability to solve a series of security problems that otherwise must be resolved piecemeal.

Many others agree. "PKI is the only technology that is going to work in a broad scheme" for e-commerce, says the Federal Electronic Commerce Coalition's Stern. "People understand what they have to do."
