Outsourcing, H-1B And The Coming E-Passport Security Scandal

A passport is the ultimate breeder document for almost
everything that requires identification. Security is
obviously critical. The U.S. government, along with most
countries in the world, has embarked on programs to
design a new generation of passports with "smart card"
technology. But it's just changed the tools of crime
from color copy machines to computers. And short-sighted
cost-cutting, resulting in offshore outsourcing, has
been a more important priority than reducing the risk of
hacker attacks.

Smart technology gives
the public a false sense of security because of its
high-tech mystique.

But I spent most of my career (pre-H-1B invasion)
writing embedded software and designing the related
hardware at Motorola Government Electronics Division in
Scottsdale, Arizona. I worked on many projects that were
involved with government secure communication
applications. I know that the risk is very real, even
though it may sound esoteric. Hacker attacks against
passports could potentially dwarf credit card and
identity fraud and pose a serious threat to personal
privacy and national security.

This has many disturbing implications for immigration
reform patriots. For example, the Beltway immigration
patriot groups—NumbersUSA, FAIR, CIS—support the Real ID
Act. They have bypassed the real privacy concerns
because they are under the illusion that this technology
will make it impossible to be in the U.S. illegally. But
it won't.

Americans have no choice whether their passports have
smart technology. All passports issued since 2007 are
required to include it. E-passports can be identified by
the international logo on the front cover.

According to the State Department, over 48 million U.S.
passports with e-passport smart technology have been
issued. Worldwide, over 100 million e-passports are in
use by about 50 different countries.

A recent Scientific American article about hardware
hacking provides excellent background for the problems
with smart technology.

"As if software viruses weren't bad enough, the
microchips that power every aspect of our digital world
are vulnerable to tampering in the factory. The
consequences could be dire:

  • Integrated circuits are
    increasingly complex and capable — but also increasingly
    vulnerable to attack.

  • The circuits typically
    include designs from many sources. A 'Trojan' attack
    hidden in one of these designs could surface long after
    the circuit has left the factory.

"This is one possible way that we might experience a
large-scale hardware attack — one that is rooted in the
increasingly sophisticated integrated circuits that
serve as the brains of many of the devices we rely on
every day. These circuits have become so complex that no
single set of engineers can understand every piece of
their design; instead teams of engineers on far-flung
continents design parts of the chip, and it all comes
together for the first time when the chip is printed
onto silicon. The circuitry is so complex that
exhaustive testing is impossible. Any bug placed in the
chip's code will go unnoticed until it is activated by
some sort of trigger, such as a specific date and time —
like the Trojan horse, it initiates its attack after it
is safely inside the guts of the hardware."

(The Hacker in Your Hardware: The Next Security Threat,
by John Villasenor, Scientific American, August 4, 2010.
Emphasis added)

Tampering with passport hardware is easy for the
engineers who designed it, or the factory workers who
assemble it. And detection and prevention are much more
difficult when the production process takes place in
diverse locations worldwide, where the U.S. government
has little influence.

The U.S. Government Accounting Office (GAO) recognizes
that malicious code could be slipped into the passport
hardware—it gives no more than a vague "reasonable
assurance" that the passports are secure:

"If properly validated, the digital signatures on
State's e-passports should provide those reading the
chip data, including DHS, reasonable assurance that the
data stored on the chip were written by State and have
not been altered."

(BORDER SECURITY: Better Usage of Electronic Passport
Security Features Could Improve Fraud Detection, GAO,
January 2010)

The components for the e-passport are manufactured in
locations all over the globe. Brian Ross of ABC News
recently did an excellent report investigating how
outsourcing to foreign countries exacerbates security
problems: "Operation Outsourced: Security of U.S.
Passports". He noted that critical parts of the passport
are made in Thailand—a country with a significant
radical Islamic population.

What ABC didn't make very clear is that Thailand is just
one of dozens of countries involved in the manufacture
of passports.

Let's review the entire picture. The brain of the
e-passport is a smart chip that is manufactured
somewhere in the world by foreign companies like NXP,
Infineon, and probably contracted fabrication plants.
The smart chip and associated hardware are shipped to
another foreign company, Gemalto, for packaging and
programming. Integration of the components is completed
after they are shipped to the Dutch-owned company
Smartrac for assembling the inlay in Minnesota or
Thailand. The inlay is a laminate containing a Radio
Frequency Identification Device (RFID) and antenna.
Outer layers of sheet material, such as the passport
cover stock, security paper or laser engrave-able
polycarbonate, protect the electronics on the front of
the passport.

The final product is shipped to the U.S. Government
Printing Office (GPO) to employees at secure production
facilities in Washington, D.C., and at the Stennis Space
Center in Mississippi. It's at those locations where
somebody puts a stamp on the document that says "Made in
the USA".

The GPO shipped the blank passports to the State
Department by unsecured FedEx until it decided to use an
armored car company. The easiest way to counterfeit
passports is to steal blank passports at this stage of
the operation because they could be implanted with fake
biometric data. There was a debate on whether to
contract the armored car out to a foreign-owned company,
but a few diplomats raised a big enough stink to stop
that from happening.

The State Department has a procedure called
"personalization" in which the personal information of
the passport owner is implanted into the smart card. But
this is merely the front end of a very large and
complicated process.

At least 60 suppliers all over the world are used to
manufacture components. Government agents inspect the
supply chain, but there are only about 30 agents to
cover the world. Typically, inspectors target about 16
companies that are considered to be the most critical.
But during an audit in 2006, most of those companies
didn't have documented security plans—and, adding to the
concern, due to budget cuts the GPO only has one
employee to oversee the formal security supply chain
assessment process.

The manufacturing trail for passports is really even
more complex. Thus the website for the Dutch-owned
supplier NXP reveals that it has 13 manufacturing sites
worldwide and 26 R&D centers located in 12 countries.
NXP engineers in foreign countries designed the software
to control the smart chips. So it's doubtful that our
government knows who actually designed it or where.

Gemalto is a company jointly owned by the Dutch and
French with locations worldwide.

Infineon is a German company that makes passport
hardware for many different countries including the U.S.
and—China.

Sharing common technology platforms with other countries
is risky because hackers worldwide can concentrate their
efforts on fewer systems. As these technologies
proliferate, there will be increasing probabilities that
somebody will figure out how to hack them, and their
motivation to do so will increase. Thus the worldwide
popularity of the Microsoft Windows operating system has
notoriously facilitated the proliferation of malicious
viruses.

And sharing those systems with countries that have large
terrorist organizations, or with possible adversaries
such as China, obviously exacerbates the risk. In 2007,
Smartrac filed a complaint accusing China of stealing
its patented technology for e-passport chips. If China
did obtain the secrets of the technology, its engineers
could certainly figure out all the vulnerabilities of
e-passports.

Passports are valid for 10 years. So that's how long the
Chinese and the world's best hackers have to compromise
them. Just imagine how simple it would be if a hacker
with today's powerful computers was tasked with hacking
a ten-year-old computer!

E-passports are so globalized it's fair to assume that
all citizens from all countries are in danger of privacy
breaches. And if personal information is pried out of
passports, subsequent improvements won't help the
victims, because biometric information like
fingerprints, face pictures, and eye scans lasts the
duration of a lifetime.

Passports are morphing into global identification cards.
Robert Mocny, acting director of the Dept. of Homeland
Security US-VISIT program, described the push for
globalized identification in a speech at an
international biometrics and ethics conference in 2006.
(US-VISIT is a system that screens foreigners for
criminal or terrorist connections using their
biographical and biometric data.) Mocny admitted to the
desire to implement a worldwide system: "We have an
ethical responsibility to make the vision of a global
security envelope possible sooner rather than later."

[Countries obligated to share data, U.S. official says,
by Chris Strohm, National Journal's Technology Daily,
November 29, 2006]

Because of international agreements, the American public
has almost no voice in the way these passports are to be
manufactured or used. As of June 2010, the GPO claimed
that it had delivered more than 55 million blank
e-passports without a single security breach. But this
is an empty claim, because the e-passport system is only
partially completed. Most U.S. passports are still used
as a paper document because the DHS is behind on
installing the necessary scanners and computers. As of
January 2006 only 500 scanners had been deployed. Since
then, due to lack of funding, no additional ones have
been installed.

(If the CBP decides to buy more scanners they will most
likely purchase ones that are made overseas, so even
those devices are suspect.)

And even though most U.S. passports haven't yet been
used as e-passports due to the lack of scanners, they
still pose a security risk. The new passports contain
RFID technology, which means that they could broadcast
personal information to hackers using a process called
"skimming", often involving nothing more than a laptop
computer configured as a scanning device.

E-passports are
supplied with a shielding envelope. But owners have to
make sure that their passport is completely closed.
Keeping passports closed at all times is problematic,
especially in Europe where passports are used as ID for
credit cards, to lease cars, or to register to vote,
etc.

And these attacks
would be virtually impossible to detect until the data
is compromised. Two examples of successful attacks:

"A security expert has cracked one of the U.K.'s new
biometric passports, embarrassing the British government
which has touted as a way of cutting down cross-border
crime and illegal immigration.

"The attack, which uses a common RFID reader and
customized code, siphoned data off an RFID chip from a
passport in a sealed envelope, said Adam Laurie, a
security consultant who has worked with RFID and
Bluetooth technology. The attack would be invisible to
victims, he said.

"'That's the really scary thing,' said Laurie, whose
work was detailed in the Sunday edition of the Daily
Mail newspaper. 'There's no evidence of tampering.
They're not going to report something has happened
because they don't know.'"

UK biometric passports succumb to hack, by Jeremy Kirk,
IDG News Service, 06 March 07

And recently, a group
of Indian hackers were caught hacking system software:


"Seven people were
arrested in Andhra Pradesh for hacking the online
passport application software of the Hyderabad regional
passport office, police said Friday. Police Commissioner
A.K. Khan told reporters that seven people, among them
five passport agents, were arrested and a search was on
for two other agents involved in the racket."



Seven held in Andhra for hacking passport software,
Thaindiannews, June 04, 2010

The U.S. government has recognized the security threat
that outsourcing to Thailand poses. In June of 2010,
Steve LeBlanc, Managing Director, Security & Intelligent
Documents, GPO, announced that the assembly of the
passports will move to Smartrac's Chanhassen, Minnesota
facility.

But
this move is no panacea. Smartrac will still produce
passport inlays via the same complicated chain of
foreign suppliers for the components. By the time
Smartrac gets the parts to assemble the inlay, the
malicious code would already be in place. Smartrac would
be very unlikely to discover the sabotage in the
assembly process.

Smartrac produces inlays for most of the passports in
the world so they will continue to produce inlays at
their Thailand location. Smartrac could shift some of
the production of inlays for U.S. passports back to
Thailand if they lack capacity at the U.S. location or
for any other reason (like for cheap labor) they deem
important. As of June 2010, 20% of the inlays were still
being made in Thailand.

Hiring foreign workers in the U.S. increases security
risks. Allegiance to the United States isn't required,
and criminal background checks of foreign nationals are
often difficult. Smartrac employs about 20 people in
Chanhassen, which is good for the local economy. But
it's not clear how many are local. Smartrac hires
foreigners with proof of legal residence in various
support positions, for instance for "maintenance
manager" and "research assistant". The H-1B visa would
be an excellent conduit for saboteurs to position
themselves into the right places.

Considering that U.S. government security experts
recognize the dangers of outsourcing, why did they
decide to do it? The best explanation is straight out of
the mouth of the GPO when it responded to a scathing
series of articles in the Washington Times that raised
the same question:


"GPO was shocked to learn
no U.S. company manufactured an integrated circuit that
met the ICAO [International Civil Aviation Organization]
standards and/or rigorous testing. Since 2004, GPO has
encouraged U.S. companies to consider producing ICAO
compliant components."


GPO Responds to Second
Washington Times Story, [PDF]
March 27, 2008

It may seem that the GPO is making lame excuses, but the
reality is that it probably couldn't find domestic
suppliers. According to RAND, in 1980 the U.S. had about
60% of the world semiconductor market share. But over
the last 20 years U.S. companies have outsourced most of
their production capacity. Foreign countries dominate
the semiconductor business. (See "U.S. Becomes A Bit
Player In Global Semiconductor Industry", by Richard A.
McCormack, Manufacturing & Technology News, February 12,
2010.)

The bottom line: it may no longer be possible for the
components used for e-passports to be produced in the
U.S. This lack of domestic suppliers simply wouldn't
have happened before 1990 because the U.S. government
considered it a national security priority to procure
electronic semiconductors from domestic sources.

Several factors in the 1980s contributed to the decline
of the government's ability to mandate that domestic
suppliers be used for their contracts: growing consumer
buying power, shrinking military budgets, globalization.

But there is a more obvious explanation for passport
outsourcing—greed and stupidity. In a scheme that
resembles a starving man who cuts off his legs to
satiate his hunger, the GPO made about $100 million in
profits by selling the blank passports to the State
Department. Probably the GPO rationalizes that using
domestic suppliers for components would cut profit
margins, so they use the lowest cost bidders, who always
happen to be overseas suppliers.

(A video called The Myth of Biometrics' Enhanced
Security by Michael (Micha) Shafir and David J. Weiss,
February 17, 2009 does an excellent job of illustrating
the various threats posed by e-passports, although the
animated person doing the narrative is rather annoying
and the video is partially an infomercial. Two good
articles from the Center for Public Integrity are U.S.
Lacks Basic Security for e-Passport Manufacturing, Key
Tool for Border Security Made in High-Risk Locations, by
John Solomon, June 14, 2010 and Undercover Feds Able to
Easily Obtain Fraudulent e-Passports, by John Solomon,
July 29, 2010.)

Almost ten years after 9/11, the globalist, see-no-evil
attitudes of the bureaucrats and policy elite still
leave this country exposed to crime and terror.

A longer version of this article will appear in The
Social Contract.





Rob Sanchez is a Senior Writing Fellow for Californians
for Population Stabilization and author of the "Job
Destruction Newsletter" at www.JobDestruction.com.