‘I want to kill the CAC’ — Pentagon official says it’s time to ditch the military’s longtime ID card

"I want to kill the CAC as the primary authentication mechanism for the department."
A customer hands his Common Access Card over to a technician for renewal inside the military personnel ID card section at Wright-Patterson Air Force Base, Ohio, Feb. 10, 2021. New ID card appointment slots for the following month are released after 1600 on the first Friday of every month. (U.S. Air Force photo by Wesley Farnsworth)

Share

The U.S. military is a big place, and few things about the military experience are universal across all its ranks, branches, jobs and bases. But one thing that has remained a constant is the Common Access Card, or CAC. This credit card-sized identification badge has been used by service members since 1999 to get onto bases, use military computers, access the chow hall, and countless other activities not open to the public at large.

In the decades since, the CAC has become a cultural touchstone among service members who find common ground over the trials and tribulations of having one’s life tied to a 3.375 inch-by-2.125 inch piece of plastic. There’s the folly of accidentally sticking your credit card into the CAC reader; the struggle of taking a decent CAC picture; the anguish of forgetting your CAC at the base gate; and the surprise of finding your CAC doodled all over after you left it unattended all night.

Now, one Department of Defense official says that ditching the CAC could be a vital step for keeping military installations secure.

“I have this notion of — this little mantra of — I want to kill the CAC as the primary authentication mechanism for the department,” said Air Force Lt. Gen. Robert Skinner, the director of the Defense Information Systems Agency and the commander of Joint Forces Headquarters, Department of Defense Information Networks.

“We have to have something that’s better,” Skinner said on Friday at the 2021 Billington Cybersecurity Summit. “Industry has been, I’ll say, using other authentication mechanisms — other things for leveraging identity management, access control. I want to leverage that.” 

Skinner did not get into specifics for what a possible replacement for the CAC might look like, but he mentioned wanting to “provide greater options, so it’s not just two-factor authentication, but it’s truly multi-factor,” he said.

An example of two-factor authentication is when your Gmail or Facebook account texts you a verification code just to make sure you’re not a hacker. It sounds simple, but just last month the Air Force’s first-ever chief software officer, Nicolas Chaillan, said it was a struggle to get military leadership to fix even the most basic information technology issues fixed, including Zero Trust systems like two factor authentication.

“We are running in circles trying to fix transport/connectivity, cloud, endpoints, and various basic IT capabilities that are seen as trivial for any organization outside of the U.S. Government,” wrote Chaillan in a LinkedIn post announcing his resignation last month.

Still, if Skinner has his way, and the military adopts some of the identity and access management tools that cybersecurity and technology companies are cooking up, then the CAC might look as ancient as a skeleton key.

“There will be no more passwords to access systems or badges to enter buildings,” wrote the Identity Management Institute in a blog about the future of the industry. “Smart systems will be able to recognize and greet us using some of our personal and distinct features when we use ATMs, enter stores and restaurants, visit online websites, enter office locations, drive cars, and access business systems.”

It will get even more crazy as everyday devices such as watches, refrigerators, cars and computers become increasingly interconnected and personalized.

“Almost everything will have an identity which will change today’s definition of identity theft,” the Identity Management Institute predicted.

All of that would have sounded very sci-fi back in November 1999, when the Department of Defense created the CAC office, according to the Federal News Network.

“If you look back to what it was back then, there was no civilian standard ID card in the department,” Mike Butler, the deputy director for Identity Services at the Defense Manpower Data Center, told Federal News Network in 2011.

At the time, service members had standardized military ID cards, but there was no overarching strategy for how the DoD was going to use those in the future, Butler explained. The CAC changed all that, providing a military-wide ID card that could store hundreds of data elements about the user, Federal News Network reported. By 2002, the millionth CAC had been issued, and by 2011, the DoD was issuing 10,000 cards a day, and each of the Defense Department’s 3.5 million employees had one.

A decade later, there’s no sign the CAC is going anywhere yet, the Defense Department wrote in its press release on Friday. But Skinner’s statements indicate the winds may shift in the future as the military struggles to keep up with a world of cybersecurity threats that gets scarier by the second.

For better or for worse, getting rid of the CAC would be the end of an era for the millions of service members, civilian employees and contractors who had or still have a CAC of their own. 

More great stories on Task & Purpose

Want to write for Task & Purpose? Learn more here and be sure to check out more great stories on our homepage.