Monday, June 14, 2010

E-Passport's Supply Chain Still Not Secure

The Center for Public Integrity has a few things to say about the integrity of the United States e-Passport. Fortunately for the State Department, e-Passports are produced by the Government Printing Office (GPO) rather than State.

GPO’s inspector general found the agency lacks security plans and procedures for ensuring that blank e-Passports — and their highly sought technologies — remain safe from terrorists, foreign spies, counterfeiters and other bad actors as they wind through an unwieldy manufacturing process that spans the globe and includes 60 different suppliers.

Despite years of concerns about the risks of stolen e-Passports, GPO “did not have a formal, agency-wide policy and related processes that would ensure security for the e-Passport supply chain,” the inspector general concluded in a March 31 investigative audit obtained by the Center.


-- snip --

The inspector general was particularly concerned that the lack of supply chain security left the United States vulnerable to potential interruptions of the e-Passport supply if even one of its key players was disabled by an attack, political unrest or natural disaster.

He also found that GPO gave misleading assurances in the past to Congress that its manufacturing process was fortified.

For instance, after lawmakers were surprised by a Washington Times report in early 2008 that some suppliers and contractors for the e-Passports were located overseas, the GPO declared in an April 9, 2008 letter to the House Energy and Commerce Committee that the agency had “taken all reasonable steps to assure that the production of and the supply chain for e‐Passports is secure.” Specifically, the agency insisted it had conducted top-of-the-line security audits.

The inspector general found those assurances to be false. “We were unable to find any documented evidence of the formal e‐Passport supply chain audit (security assessment) process noted by the Agency,” the inspector general stated flatly in the March report.

Somerset, the spokesman, said GPO and State Department officials were satisfied at the time of the letter with their security auditing and did not intend to mislead lawmakers.


"Did not intend to mislead." Oh. That makes all the difference.

2 comments:

A Daring Adventure said...

My husband and I are reading through your awesome posts and he's currently whining that there's no way to purchase "Skeptical Bureaucrat" merchandise.

Dude. Talk about awesome tshirt potential! We've unfortunately missed the Father's Day window, goshdarnit, but Christmas is creeping up slowly...

Also: love the US Army birthday post. The alternate Army Motto was particularly appreciated here by my former Infantry guy...

TSB said...

Thanks. I'm mulling that merch idea over. Maybe an ID lanyard, something we have to wear in the office anyway, with a discrete URL and motto.