Small wonder: According to the American Association of Port Authorities (AAPA), 2 billion tons of domestic and import/export cargo move through American ports annually. Add the fact that about 750,000 people are estimated to “get regular access to ports,” said DHS Secretary Michael Chertoff during an April 25, 2006, news briefing, and the scope of securing America’s ports is breathtaking.
To meet this challenge, DHS and TSA have been testing the “Transportation Worker Identification Credential” (TWIC). Intended to be issued to prescreened dock workers, longshoremen, sailors, and others who have regular access to ports, TWIC is meant to serve as a reliable, highly-secure, and nontransferable form of ID.
The TWIC ID Card
Under the current TSA model, each TWIC ID will be loaded onto a credit card-sized SmartCard. Designed to be carried by dock workers, the TWIC SmartCard will be checked by electronic card readers located at port entrances. To enhance security, each TWIC SmartCard will be marked with Guilloché patterns (the elaborate line designs found on banknotes), micro text, UV printing, and holographic overlays.
Structurally, each SmartCard will comply with the Federal Information Processing standard 201-1. During the prototype stage, the test SmartCard was fitted with a 64k contact Integrated Circuit Chip, a 4k (DesFire v6contactless) Integrated Circuit Chip, and a dual-interface card Integrated Circuit Chip. It also had a magnetic stripe, two-dimensional bar code, linear (3 of 9) bar code, unique serial number, and an ICAO-standard digital photo of the bearer.
“SmartCards were chosen a few years ago because they are a proven technology,” said TSA spokesman Darrin Kayser. “They make it possible to deploy the TWIC system quickly and affordably.”
The Enrollment Process
To obtain a TWIC card, workers will apply at a TWIC enrollment center. During the enrollment process, their photos and fingerprints will be taken and recorded. “Biometrics will ensure we know the individual is who they say they are,” Kayser said. The specifics will be determined during TSA’s rule-making process.
Using this data, the TSA will run background checks on the workers. Not only will their names and biometric data be compared against lists of known and suspected terrorists, but TSA will also be able to check each TWIC applicant’s criminal record history and immigration status. At the end of the process—based on rules which have yet to be finalized—TSA will decide whether the applicant can safely be issue a TWIC ID, or not.
TWIC in Action
After workers have been issued TWIC SmartCards, getting access to restricted areas will be as simple as slipping their cards into an electronic card reader. But make no mistake—getting the card is no guarantee of indefinite access. This is because the TWIC ID will be compared against the relevant DHS/TSA databases every time it is used. If something has happened that disqualifies the user from gaining access, TSA will advise the facility operator to deny access.
Once TWIC is in place, this one piece of standardized ID should replace the myriad of different IDs currently in use at America’s ports. The result will be a standardized form of identification for anyone having access to America’s ports, controlled and cross-referenced through a centralized set of secure databases.
Will TWIC interface with other clearance systems such as Secure Flight, Registered Travel, and Border Crossing cards? In theory, the answer is yes. The reason is that TWIC and these other programs will be compatible with Federal Information Processing Standards (FIPS), Kayser said. “By using FIPS, we are ensuring we are working from the same standards as other government programs.”
The Test Run
In 2005, TSA enrolled about 4,000 dock workers and other transportation-related personnel in a trial program. Launched at 26 sites nationwide, workers used TWIC cards and card readers for more than six months. The data from that trial is now being analyzed.
“Since that test was run, we’ve received over 1,900 comments on the TWIC system,” Kayser said. “We are using that feedback to help us decide on final rules for deploying and managing TWIC.” These rules will cover everything from enrollment and issuing procedures to criteria for deciding what activities would bar someone from receiving TWIC clearance, and the appeals route when such refusals take place.
Response to the TWIC Test
Intriguingly, some of the toughest criticism regarding TWIC has come from DHS Inspector General Richard L. Skinner. In a July 2006 DHS report titled “DHS Must Address Significant Security Vulnerabilities Prior to TWIC Implementation,” the inspector general warns that “due to the number and significance of the weaknesses identified (during trials conducted in 2005), TWIC prototype systems are vulnerable to various internal and external security threats. The security-related issues identified may threaten the confidentiality, integrity, and availability of sensitive TWIC data.”
Because the inspector general’s report made public by DHS has been “redacted” (censored), it is difficult to detail Skinner’s specific concerns. However, among those which escaped the censor’s pen were concerns that, “The Plan of Action and Milestones (POA&M) for TWIC is incomplete. Not all vulnerabilities have been included in the POA&M, nor have resources to address the vulnerabilities that are documented in the POA&M been determined.”
Also, “The Privacy Impact Assessment, dated November 5, 2004, is outdated and does not accurately reflect how the prototype was implemented or tested or what policies need to be in effect prior to implementation,” the inspector general’s report stated. “Systems contingency plans have not been approved or tested. System and database administrators have not received specialized security awareness training.”
DHS isn’t the only TWIC critic. The AAPA has also raised many concerns about TWIC in its current form; among these issues are the reliability and cost of implementing TWIC and whether or not it will work with existing port card readers. AAPA is also worried about the impact on TWIC on temporary “casual” workers, such as those hired to drive cars off cargo ships, according to AAPA President Kurt J. Nagle. “The escort rules as described in the proposed rule are impractical as applied to these types of workers and would result in added expense and inefficient terminal services.”
Progress to Date
Since this report was issued, the TSA has read and concurred with the inspector general’s five recommendations, and formulated responses that the Office of Inspector General’s report says are acceptable.
Still, much remains to be done before TWIC cards can be issued across America. “Overall, the biggest challenge is the sheer scope of this project,” TSA’s Kayser said. “In the final rule, we will address concerns about how to issue the cards, the crimes that will disqualify someone, and the cost of the overall program.” At press time, TSA was still in the RFP process, qualifying potential vendors/integrators to implement TWIC nationwide.
As for when TWIC cards will become the standard for port worker identification? Due to the needs for proper rule-making and procurement processes, “I can’t give you a prediction” DHS Secretary Chertoff said during the April 25 news conference. “We will begin this year, and we anticipate getting it done sometime next year.”
For more information about TWIC, visit www.tsa.gov.
James Careless is a freelance writer who specializes in first responder communications issues. He can be reached at firstname.lastname@example.org.