Kill the CAC? Why some people really want the military’s ID cards to go away
“I hope Lt. Gen. Skinner succeeds in killing it, but I won’t hold my breath.”
When one of the military’s top cybersecurity generals announced last week that he wanted to get rid of the Common Access Card (the credit card-sized identification badge used across the Department of Defense over the past 20 years), it made at least one Army employee’s heartbeat skip with joy.
“As someone who’s been issuing the damn things for over a decade, they can’t go soon enough,” said the employee on the condition of anonymity since he was not authorized to speak with the press.
The employee works in the security field, where he’s discovered way too many reasons to hate the CAC. One of the biggest is RAPIDS (Real-time Automated Personnel Identification System), a network of software and equipment used to produce CACs. Despite its name, the RAPIDS system is slow, temperamental, and nearly always frustrating to work with.
“The software and equipment are updated from time to time, but it usually gets slower,” the employee said. “I imagine the designers in a meeting lamenting its sluggishness, and jokingly coming up with the name “RAPIDS” … it is anything but rapid.
“I’ve spent entire days on the phone with [RAPIDS] with problems remaining unresolved,” he added.
Not only does RAPIDS slow down the workday, but it also slows down the day of any other Department of Defense service member, civilian or contractor who needs help with their CAC, the Army employee said. One of the most common issues, the employee said, occurs when someone has been locked out of a secure computer. To access a computer or network, CAC users must insert their CAC into a reader and enter a PIN number. They have three chances to enter the PIN right, but if they fail, the card locks and it won’t work on anything, the employee said.
That’s a tough situation, because CAC users need a functioning card to enter certain doors, gates or even dining facilities on a base. To make matters worse, CAC issues often must be sorted out in-person at a RAPIDS-enabled office, which could be a 45-minute drive or more away.
“If your CAC fails, is locked/blocked and your job mostly involves you being on a networked computer (most of us, right?), the work stops,” the employee said. “You show up at my office unannounced, holding your nonfunctioning CAC with a disgusted look on your face like it’s my fault and I have to drop whatever else I might have been working on and spend only the next 30 to 45 minutes with you, if I’m lucky.”
Understandably, it can be a frustrating situation for everyone involved. And sometimes the only fix is a new CAC, which can often take longer than expected. To make a new CAC, the employee needs to verify or upload identity documents, take a picture and two fingerprints, have the users choose a PIN, sign an agreement, and print the information-encoded card … if the printer works, that is.
“This encoding takes four to five minutes and frequently fails, forcing me to start over,” the anonymous employee said. “Pretty aggravating for everyone.”
‘Ain’t broke, don’t fix it’
While the employee who spoke with Task & Purpose had some choice words about the military’s current ID cards, not everyone shared his view, or that of Lt. Gen. Robert Skinner, the director of the Defense Information Systems Agency, who recently suggested that CAC cards be put to rest, permanently. In fact, many observers on social media said the CAC works well enough and it was not worth the risk of the military possibly making the situation worse with a half-baked or overly-complicated replacement.
“Why does the military have an insatiable need to fix something that works?” one Facebook user said in a comment on Air Force amn/nco/snco, a popular military Facebook page. He acknowledged that CAC printers “suck,” and that the Defense Enrollment Eligibility Reporting System, which keeps track of CAC user information, is often down. Even so, he said a possible replacement such as measuring biometrics could make things worse.
“What happens when that technology fails?” he asked. “Just seems like another Pentagon contract that will go to the lowest bidder.”
Another Facebook user pushed back, saying that “just because [CAC] works, doesn’t mean it’s efficient.”
“If we keep up the ‘ain’t broke, don’t fix it mentality,’ we will continue to fall behind our peer adversaries with outdated processes and tech,” that commenter wrote. For example, the private sector uses facial recognition (like on your iPhone) and multifactor authentication, and the military needs to catch up, he said
Without more specifics from Lt. Gen. Skinner, it’s unclear how the military would make a possible CAC replacement effective and efficient. Some observers suggested that it would be more productive not to replace CACs, but to improve them and allow for remote access to military networks. Several commenters pointed out that it’s often difficult for service members and civilians to access military networks while working from home due to the COVID-19 pandemic.
“I think it would be a better use of effort to first enable and ensure that service members can access and use the DOD systems they need,” one reader wrote in response to a recent Task & Purpose story about the military’s Common Access Cards
‘I want to kill the CAC’
The debate was ignited earlier this month, when Air Force Lt. Gen. Skinner said the military can do better when it comes to identity and access management tools.
“I have this notion of — this little mantra of — I want to kill the CAC as the primary authentication mechanism for the department,” Skinner said at a cybersecurity conference.
“We have to have something that’s better,” he added. “Industry has been, I’ll say, using other authentication mechanisms — other things for leveraging identity management, access control. I want to leverage that.”
Though Skinner did not go into specifics, he mentioned wanting to “provide greater options, so it’s not just two-factor authentication, but it’s truly multi-factor,” he said. An example of two-factor authentication is when your Gmail or Facebook account texts you a verification code just to make sure you’re not a hacker. Cybersecurity and technology companies are cooking up even more advanced forms of verification.
“There will be no more passwords to access systems or badges to enter buildings,” wrote the Identity Management Institute in a blog about the future of the industry. “Smart systems will be able to recognize and greet us using some of our personal and distinct features when we use ATMs, enter stores and restaurants, visit online websites, enter office locations, drive cars, and access business systems.”
For his part, the anonymous employee who sorts out CAC-related nightmares as part of his job said he thought a CAC replacement “would undoubtedly include a biometric component,” such as a scan of the user’s face, fingerprint, retina or voice.
The employee broke down multi-factor verification into three categories: something you have (a CAC, a token, a fob); something you know (your PIN, password, or the name of a pet); or something you are (your face, fingerprint or other biometric). A good network or facility entry point should require two of the three, the employee said. It could be a big step forward to get rid of the first category — something you have to carry with you — he added.
“If we do away with #1, the problem of forgotten, lost, failed or locked CACs goes away, provided systems can reliably verify identity with the other two,” the employee said.
The problem is that verifying identity with biometrics can be tricky. For example, taking someone’s fingerprints for the CAC works fine “when the subject is a 20-something who works in an office,” the employee said. But it’s more difficult when the subject has scratches and cuts from working with their hands; or has dry, flaking or peeling skin because it’s wintertime; or has wrinkles from old age. In those cases, the system “barely works at all,” he said.
Though the employee was not sure which biometric would work best, he said that damaged fingerprints are often very difficult to capture or match, which is unfortunate because every RAPIDS action requires a fingerprint capture or match, he said.
“Facial recognition would be cool, with voice perhaps – look into the camera and state your name,” the employee said.
However, that is perhaps easier said than done. The military started using the CAC more than 20 years ago, and it had more than 3.5 million users as of 2011, according to Federal News Network. Even the Department of Defense said in a press release about Skinner’s remarks that there is no sign the CAC is going anywhere yet.
“I hope Lt. Gen. Skinner succeeds in killing it,” the employee said, “but I won’t hold my breath.”
More great stories on Task & Purpose
- Marine Lt. Col. Stuart Scheller sentenced to forfeit $5,000 in pay and gets letter of reprimand
- The best hacks to make military life in the field suck less
- The Sgt. Maj. of the Army wants leaders to stop scheduling training just for the sake of it
- Airman stuck with $19,000 repair bill after gate guards wreck his car
- NCIS wished the US Navy happy birthday with a photo of a Russian warship
- We salute this Army first sergeant for looking exactly how we’ve all felt in the field