Program to Aid Registry
of First Responders”>
An unknown number of first responders were lost in the Marriott Hotel concourse when the South Tower collapsed at 9:58:59 a.m. on Sept. 11, 2001. Scores of first responders died in the North Tower when it collapsed at 10:28:25 a.m.
More than 300 first responders were lost in New York on 9/11 because officials couldnt account for who entered and who left the scene.
Not knowing what firefighters, police, hazmat, Red Cross or paramedics are doing, who has what specific skills or where to find them in the midst of a crisis situation plagued the country during the attacks six years ago, and later during Hurricane Katrina in 2005.
To solve such problems with identifying and deploying first responders, Howard Schmidt, former U.S. cyber-security advisor, is spearheading a consortium of smart card vendors, contactless chip manufacturers, data encryption vendors and other security vendors that plans to launch Sept. 11.
The consortium, named Tiers of Trust, is featuring free software and a discounted identity card that will work with card readers that are approved under FIPS 201 (Federal Information Processing Standards Publication 201), a standard that specifies the architecture and technical requirements of a common ID standard for federal employees and contractors as they access government facilities and networks.
The purpose of getting this kind of equipment into the hands of first responders without blowing their budgets is to solve problems with coordinating first responders that include, for example, lack of communications interoperability. The 9/11 Commissions report detailed how devastating such problems were in the terrorist attacks of 2001.
“The task of accounting for and coordinating the units was rendered difficult, if not impossible, by internal communications breakdowns resulting from the limited capabilities of radios in the high-rise environment of the WTC [World Trade Center] and from confusion over which personnel were assigned to which frequency,” the report states.
In Washington on 9/11, first responders rushing to the Pentagon were denied entry because their identities and privileges couldnt be verified. During Hurrican Katrina, hundreds of medical personnel couldnt be deployed because they couldnt prove their credentials and certifications.
Other problems include managing the deployment of first responders and keeping track of where they are. Again, on 9/11: “Understandably lacking experience in responding to events of the magnitude of the World Trade Center attacks, the [New York Fire Department] as an institution proved incapable of coordinating the numbers of units dispatched to different points within the 16-acre complex,” the report says. “As a result, numerous units were congregating in the undamaged Marriott Hotel and at the overall command post on West Street by 9:30, while chiefs in charge of the South Tower still were in desperate need of units.”
Homeland Security Presidential Directive-12, issued in February 2005, and FIPS were developed to address these issues. But, as Schmidt said, while the goals of the legislation are sound, affordability is key.
“While this regulation serves a number of worthwhile goals, the implementations to date have created difficulties with the budgets within these first responder groups, making compliance a lengthy and costly process,” Schmidt said in a statement. “Our goal is to enable first responders to meet the federal requirements at a fraction of the cost, allowing them to spend budgets on much-needed equipment and training.”
Click here to read more about the 9/11 Commission.
Melani Hernoud, CEO and chief security officer of consortium member Secure Network Systems, said in a press conference Sept. 10 announcing the consortium that FIPS-compatible cards cost $68 to $86 on the low end and range up to $150 per card on the high end, once you pack them full of bells and whistles such as contactless chips and PKI certification. A typical FIPS-compatible system, she said, costs around $1.38 million.
Hernoud herself tried to buy software to handle the contact part of the chip and found that it cost about $150,000, she said—far too much for cash-strapped municipalities, particularly when top priority needs include tanks of oxygen or other essential life-saving gear.
“I was astounded,” she said. “For $150,000, a first responder could have gotten a new fire engine, could have saved lives.”
Program to Aid Registry
of First Responders”>
In contrast, the Tiers of Trust cards, named Emergency Management One cards, will cost $10 each for those who register as first responders with the consortium. Consortium member HID Global is also offering a compatible line of FIPS 201-approved access control readers. For its part, Secure Network Systems, of Denver, is giving the contact reader software away.
Tiers of Trust is set up for first responders to be implemented in graduated privileges based on identities. Identification credentials are created with free access to SNS software and then can be implanted on contactless smart cards using the mandatory FIPS 201 fields of the FASC-N (Federal Agency Smart Card Number), CHUID (Card Holder Unique Identifier) and expiration date.
Besides affordability, flexibility is key. HSPD-12 specifies a step approach to credentialing criteria, from least to most secure, to ensure flexibility when dealing with unpredictable disaster scenarios. The Tiers of Trust program addresses this by first tackling the needs of first responders, not all of whom will ever need physical access to federally controlled facilities or networks, for example. This flexible approach also helps to save money.
“Right now, it is cheaper to rebuild everybodys house rather than to give first responders a smart card,” Jon Callas, chief technology officer and CSO of PGP Corp., said in a statement. “Tiers of Trust is changing this.”
Hernoud herself was a first responder in the wake of Hurricane Katrina. On Sept. 2, 2005, her home state of Colorado began to receive hurricane victims. That turned out to be the beta test for the Emergency Management One cards, as SNS issued IDs on demand to hurricane survivors who were showing up with nothing to establish their identities—no drivers licenses, no birth certificates, nothing.
In that instance, the Colorado Bureau of Investigations checked fingerprints before cards were issued. The cards were then used by hurricane survivors to be reunited with family, to ride buses or to open bank accounts, for example.
Were the system and cards to be used at a disaster scene by first responders, this is how it would look, Schmidt said: A command post would be set up by a local organization, typically a police department. When a first responder unit shows up—say, a firefighting or Red Cross unit—the first responders would register with whatever ID they have on them, such as a drivers license.
A FIPS-compliant card would then be quickly issued to the first responders: 55 seconds was the time it took in the Hurricane Katrina scenario. The card would enable access in and out of the command post and would be used to track a first responder—to a particular building, for example, or if the first responder were to be deployed to another location.
Another crucial piece of information on the card would be qualifications. That way, a cardiac nurse wouldnt be inadvertently assigned to picking up trash, for example.
Eligibility in the program is limited to registered first responder organizations in the United States or its territories. That includes fire, law enforcement, hazmat, rescue and public health organizations; and private sector utilities, communications and transportation companies. The highest-ranking official has to sign off on the program—a policy thats meant to discourage turning the program into a skunkworks project without sanction, Schmidt said.
“Notwithstanding the resources [already] put into it, theres still an issue of [limited] resources” available to make the program a reality, he said. Therefore, the first 400 organizations that come forth will be prioritized, he said, given that “its a bandwidth issue.”
First responder organizations can get more information and sign up at www.tiersoftrust.com or www.fips-201.com starting Sept. 11. The sites were not yet live as of Sept. 10.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.