jos2248647
Aug 13, 2022
Research Papers / Research Essay (Biometric Security issues and lack of government oversight) [2]
Three areas of weakness-
I have issues keeping my subject concise and not adding unnecessary information.
I have trouble keeping the essay an argument and I keep trying to turn it into an informational paper.
I don't cite effectively.
This is supposed to be an argumentative research paper.
Battle of the Scans
The digital solutions market is projected to double in size in the coming years, reaching almost 50 billion dollars worldwide. In the last 10 years America saw 300 data breaches involving the theft of over 100,000 records. The average cost of a mega-breach in 2021 was 401 million dollars. The ability to capture specific parts of human biology as a form of security is a huge economic market. Scaling these technologies and bringing them to market has created massive divergent disciplines and achieved various levels of security. With each advancement in technology, a new method for using biometrics for security is found. Many terrible versions of biometric security are starting to dominate the market. CISA (Cybersecurity and Infrastructure Security Agency) is the federal arm of the cyber security program for the country. CISA is in charge of cyber enforcement in this biometric security area at scale for the American market. We must urge CISA to enforce stronger biometric security policies to prevent weak biometric security adoption from taking over the market and risking our personal security. In doing so, we must be careful to make sure the fingerprint sensor market isn't flooded with casts of continually aging sensor hardware that will wind up in dumps after every iteration in the technology, and keep flawed scanning modalities from being the norm just because they are easier to implement financially. The scanner technology may be a complex undertaking to explain, but the results from the research demonstrate clear winners in the highest security possible categories.
First, biometric security needs to be given a context due to the fluid nature of its use in many applications. Biometrics are biological measurements or physical characteristics that can be used to identify individuals. For example, we have fingerprint mapping, iris scanning, and even blood and bone-based identification systems. Biometric security, specifically, can be broken down into three types: biological biometrics, morphological biometrics, and behavioral biometrics. In the context of biological biometrics leveraged for security, the modalities utilized currently fall primarily on iris scanning and fingerprinting scan types. These two heavy contenders are the primary pieces to the biometrics market. Many believe the biometrics market to be too young to have applications at scale with common use, but the technology is actually fairly old. The earliest form of biometrics can be traced back to early Babylon, 500 BC. The first biometrics ever recorded was in France in 1800 for use in criminal applications for identifying body types among inmates. It has evolved steadily since then and is now set to be used as the primary form of most authentication types in the next 15 years. Password, card, and other forms of authentication will eventually go the way of the dodo once this technology is realized in its final state. The problem we have is that within this race to the finish line there are economic and behavioral factors that are preventing this from happening correctly. Research shows that all the different types of biometric technologies have their own unique sets of challenges. Due to these divergent types of applications, we are starting to see use in different types of situations. This non-uniform use is one of the many reasons the holes in the technology will continue to plague those using it for security.
The primary contender for securing biometrics is iris-based scanning technology. In all the studies I researched, the iris-based scanning technology was the most secure. It had the highest accuracy and presented the hardest form to compromise. But of course, even though it had the best marks for security, the issues with it are where our problems begin. The primary failures in iris-based scanning technology start with the "failure to match" issue. This issue is encountered in 2 ways: head tilt and aging iris. Head tilt happens when a user alters the images and influences the temporal comparisons. This basically means the scanner isn't getting a good picture of the iris, so authentication can't happen. The second problem encountered is template aging of the iris. You take an initial picture of your eye as a reference picture, and as you continue to authenticate, your eye continues to change from the original, at which point you can no longer use it. As a changing living being, this aging eye issue cannot be helped. These two primary areas are of some concern when trying to apply this high security scanning type at scale. However, these issues are simply technological speed bumps, not anything preventing this high security style authentication method from taking over the market. Results demonstrated by "'Failure to match' issue does not contribute to the total failure of iris recognition system. Nevertheless, the next generation of iris recognition demands a 'room for improvement' to the existing system" (Zainal Abidin). One of the issues with the technology is with the handheld applications of it. In Hofbauer, "Mobile NIR Iris Recognition: Identifying Problems and Solutions," they analyzed the problem and determined the issue with getting a steady image "rotation" and the correct algorithm to retrieve relevant markers "CNN segmentation" were the improvement metrics for handheld use of the scanners in the near future.
While all of this sounds like iris-based scanning technology would be a difficult one to implement, all of the research demonstrates this technology to be the most secure despite its fallbacks.
Below the highest security form of biometrics lies another popular contender: fingerprint scanning technology. In much of the research the fingerprint technology has similar metrics to the iris scanning technology due to them both taking images of a relevant biometric marker for analysis. But most of the positive comparative analysis gives fingerprint technology a win primarily because of its ease of use. The behavior of humans is a big factor in adoption of technologies. When something is most secure it is least usable. This lazy thought process is why we tend to do the things that are most convenient, not the most beneficial. When looking at the reasons for moving to biometrics, the most common reasons listed are all due to human incompetence:
Implementing any identification or authentication method is always a trade-off between security and convenience. We lose and misplace IDs all the time. Means of physical access control like keys or access cards can also be lost or stolen. Using passcodes or patterns may seem secure but they are inconvenient, and any shoulder surfer can overlook them and unlock your device. (Thakkar, "What Makes Fingerprint The Most Popular Biometric Modality?")
For this reason, the pursuit of this technology isn't moving for the purpose of maximal security. It's moving at more security and more convenience. Tables showing the comparative differences of fingerprint technology to anything else always equate cost and ease of use. They have metrics for security, but it usually isn't the highest selling factor. The closest study I could come to on the merits of this technology that put it in line with iris recognition was in the research journal "Cyber Security Platform Solution Based on the Facial Imaging and Fingerprinting." This journal took the approach of trying to make the algorithms involved with both technologies more accurate, thereby making them both more secure. While I can agree this would make a net increase in security, this doesn't bridge the gap between the two of them. It is clearly demonstrated in all the literature that we are using the fingerprint technology primarily for ease of use, not highest security.
When talking about human need for convenience it makes sense to note the most important variable in this system, the economic market. While I have been focusing on the technology itself and the positives and negatives of each approach, I would need to describe the costly nature of the technologies. Adoption rates of hardware devices are part of the problem with the biometrics market. The fingerprint scanner hardware technology has steadily been outpacing the iris scanning technology for some time now. "Biometric Devices: Cost, Types and Comparative Analysis" breaks down the price market and does an excellent job showing the average sales price for these cheap fingerprint scanners bottoming out as we approach present time. It only lends itself to assuming the scanners will only get cheaper, something the iris technology cannot keep up with. This lowered cost for scanner technology is bad for many reasons. Primarily, the lower the cost of the scanner, the more knock-off types that are produced. Throughout the cyber security world, the primary vector for malware and other types of viruses recently has been supply chain related. The devices on the market are plagued with cheap drivers, or low-quality microchips with built-in backdoors. The market creating such a cheap variety of easily produced scanners will not make for a quality product from every vendor and will leave companies with bad quality control systems feeling the pain when they install cheap security products. Aside from the compromisable issue with cheap products lies the intent of the buyers. The history of adoption of technologies with different security levels has generally run a type of course. The less secure technology gets the common market, and the high security one is left to better paid, higher security systems.
By doing this they are causing the best form of security to be used by a privileged few with the funds to keep their important information secure, and letting the common user use the cheap, easily maintained version. This would mean most of us would be using what was cheap but worked, and we would not see the best in use unless we had the privilege of working in those high security scenarios. The closing section of the article on Bayometrics, "Fingerprint Recognition vs. Facial Recognition: Biometric Modalities Face to Face," gives both technologies equal marks and notes this divergence as the inevitable solution for them. This is the worst possible scenario for the average consumer, or anyone without the resources to overcome this eventual hurdle. Having everyone use lower security technology for ease of use, cost, and convenience reasons is exactly what got us in the situation we are in now with cyber security. The disparity between different security systems depending on that company's budget creates the turmoil we see in this arena. Having the biometric scanners starting to exhibit this same behavior is bad for us. I have been part of this force that is trying to combat disparate technologies that are adopted with the cheapest versions and let loose on the public. The agencies that are involved with combating this outcome are numerous. The government has created CISA in order to try and get the cyber threat landscape under control. The organization has several different programs contained in it and can make changes to all kinds of types of information security programs. CISA has successfully started a campaign to address several different areas of concern in this country around securing our critical infrastructure and developing our states' information security programs. I would like to see an active campaign to start regulating the biometrics applications market and set standards for use using the frameworks already in place within the market.
The government does an adequate job of enforcing security requirements for high security systems at the national level, but they leave the open market with no type of guidance on how they should proceed with newly adopted systems. There is currently no legislation enforcing maximum standards for hardware use in biometric technology. They always use a minimum criterion, which has led to all these breaches and stolen information. The legislation required to enforce these items doesn't exist yet, and CISA relies on the private companies' risk tolerance level to persuade it to reach out and make sure they are following applicable standards. This on-your-honor approach has proven to be unsustainable. CISA has been seen to be implementing zero trust and MFA technologies internally, but they continue to ignore this developing situation with the biometric technology for other companies and agencies. We need not only legislation but training on best practices for these types of applications. The research shows where the advancements need to be made, but the governing bodies involved with its approach seem to think this is a free market issue. The Department of Homeland Security was given 400 million dollars specifically for CISA to develop these types of programs. The executive order given by President Biden earmarked this money and it established a multistate information sharing center. With all these improvements to the cyber landscape at the government level, they are tackling a subject with too many derivatives. They will most likely overlook this important developing situation, and when it does become a problem it will be too expensive to fix. The lawfare approach after the fact was painful during the initial OPM breaches that started the war on weak security. The government had huge payouts to victims that didn't really fix the damage done to their trust in the government.
You would have thought we would learn from this mistake and would have taken an engineer's approach to the security market. As an engineer I would have first looked at all the different security adoption modalities and would have created frameworks for them before starting many of the projects that the government is currently pursuing. Having worked in the government, I understand why they are not approaching this biometrics security subject aggressively. Easiest performance metrics come from obvious problems. "Start with the easy stuff and work your way down" has been a recurring theme with the government institutions. I believe they're not tackling this issue adequately, and this is creating a situation where low security thresholds are being adopted and we will have situations where people will be victimized before any real change is implemented.
Finally, I leave you with the image of a slowly approaching natural disaster. As this hurricane of problems starts to encroach on your daily life, you will start to feel the burn of lazy security implementation. It will start as a light wind against your windows. A tale here, a news story there, about the theft of some people's personal information. Eventually you and 300 million others are watching their credit and recovering bank account information as you wander this hurricane of loss and lawsuits. All because when we knew the market was trending a certain way and we knew the technology was not being leveraged securely, we didn't demand change at the highest levels to make the adopters adhere to the correct standards while we had the chance.
Works Cited