Crime & Courts Richmond Co. | Columbia Co. | Aiken Co. |

Navy shooting highlights gaps in military access control systems

Experts: Federal system needs better monitoring

Saturday, Sept. 28, 2013 9:11 PM
Last updated Sunday, Sept. 29, 2013 1:59 AM
  • Follow Metro

The smart cards Fort Gordon uses to grant civilian contractors extended gate access is part of a federal security network that national experts said has grown so large it is vulnerable to sociopaths and tech-savvy criminals who steal or copy clearance passes to gain entry into highly secured areas.

Back | Next
Common Access Card front  Defense Department
Defense Department
Common Access Card front

The common-access card Aaron Alexis flashed to bypass guards and metal detectors at the Washington Navy Yard on Sept. 16 to go on a killing spree was developed in 2002 as a cost-effective way to increase physical security at federal buildings as the war on terrorism loomed.

However, the passes, which contain a microchip, barcodes and a magnetic stripe to allow access to controlled spaces, computer systems and network servers, have become so widespread nearly seven million people at more than 700 U.S. facilities have a badge.

While contractors and software technicians agreed many of the security improvements adopted after 9/11 were not created with mentally-ill individuals in mind, they said all the required tools and infrastructure is in place to keep military installations such as Fort Gordon safe from terrorists and spies.

They said it just needs stronger oversight and implementation.

“The opportunity exists to step up security,” said Tom Corder, the president of BridgePoint Systems, the San Francisco-based security solutions firm that helped the Pentagon design and produce the military’s access-control network.

In a phone interview last week, Corder said that the Navy probably has the best physical security program in U.S. government, but it was not being implemented properly.

He said the Defense Department “rarely uses” the encryption technology his firm built into common-access cards to enable users to securely and privately exchange data on an unsecured public network, such as the Internet.

The infrastructure, among other things, verifies a cardholder’s identity and confirms that no unauthorized modification of data has occurred.

“In the Navy Yard incident, it turns out that this was just a person who went bad, but it could have also been someone who found or stole a common-access card, or possibly copied one electronically, which can be done and was initially theorized as what had happened,” Corder said.

Corder said the cryptographic tools that are on the card and in the access-control system could detect any copying or tampering and deny a person access. However he could not say whether the system is being fully implemented at Fort Gordon, or whether the Pentagon plans to retrain the supervisors who managed the system.

Officials at Fort Gordon have confirmed that the Defense Department’s security audit is underway at the Army post.

“With the nationwide installation gate access and clearance review that is taking placing, we are going to wait and see what changes may take place before we continue,” spokesman Buz Yarnell said in response to an information request from The Augusta Chronicle.

According to Fort Gordon’s Web site and Defense Department records, an estimated 30,000 people representing at least 25 contractors and five government agencies have obtained a common-access card “based on tenure” from the government officer who represents its offices.

Requests are submitted to the Army post’s Directorate of Emergency Service, and according to defense rules, the fort’s Physical Security Office must run applicants through a FBI fingerprint check; submit a National Agency Check with Inquiries to the Office of Personnel Management; and confirm that a candidate requires access to multiple facilities and networks on a recurring basis for a period of at least six months.

If all criteria are met, contractors and subcontractors may be awarded common-access cards for up to three years, enabling long-term visitors to enter Fort Gordon at any of its five security gates, “simply by flashing their badges,” said Mark Wright, Defense Department spokesman. “My CAC card alone will get me on pretty much any base I want, unless it is tightly controlled,” Wright said. “I can go to the gas station or to a fast-food restaurant, but if I want to get into a building that contains highly classified information, I’ll be stopped and asked for additional identification.”

Wright said each building on a military post has different levels of security and some he said require certain types of clearance.

“If you are a fairly high-ranking individual or hired for a specific, classified process you must get approved for a security clearance and receive a badge verifying that clearance before you can gain access to a secured area,” he said.

Although Alexis was approved for a security clearance, defense officials say he shot his way into the building where the shooting took place.

Wright said being approved for a security clearance is a “fairly thorough process” that on top of the same background procedures required for common-access cards, includes a review of all police, employer and school records dating back five years.

Yet, despite these safeguards, a person permitted to enter highly-secured areas has passed through the layers of protection at a U.S. base twice in four years and opened fire, destroying the sense of security at the government facilities that embody the most powerful military in the world.

Simon Brody, the communications director for the National Association of Government Contractors, a Washington, D.C.-based trade organization, said the problem lies in oversight, specifically among the government representatives, who issue common-access cards.

“There are not enough contracting officers,” said Brody, adding that a lack of accountability is a “constant theme” in the contracting industry.

Defense Department records show that in the third quarter of fiscal year 2012, it took an average of 34 days to investigate and approve security clearances, the type of pass Alexis had. Experts say the process should take at least three months to complete.

“The entire system needs to be redesigned or we need to at least acknowledge that a lot of our contracting officers and agency officials are just not doing enough to make sure everything is being done properly.”

According to the American Forces Press Service, the Pentagon has recommended a couple changes to its security procedures, such as including all available police documents in background screenings and assigning management responsibilities exclusively to executive officers.

“The systems are not working,” Brody said. “We can overhaul it, call it something new, but what it really comes down to is there are not enough people monitoring it.”

Corder said an overhaul of the common-access-card system, which involves a standard background check for all federal agencies and an application, is unnecessary.

“It just needs to be used to a higher standard,” he said.

Prior to the common-access card, every base had its own system, operated by local, proprietary vendors, Corder said. Now, there is one personal identity badge that’s valid at all government agencies, which Corder said is good for areas such as Augusta, home to four different military branches and the National Security Agency at Fort Gordon, and the Department of Energy’s Savannah River Site in South Carolina.

If an emergency arises or a person is believed to be tampering with the system, the universal system, if used right, could detect and stop a bad guy, especially at military installations, which experts believe are less vulnerable to an attack than other agencies.

“If the system is used properly,” Corder said, “we’d be in a lot better shape than we have ever been.”

Comments (4) Add comment
ADVISORY: Users are solely responsible for opinions they post here and for following agreed-upon rules of civility. Posts and comments do not reflect the views of this site. Posts and comments are automatically checked for inappropriate language, but readers might find some comments offensive or inaccurate. If you believe a comment violates our rules, click the "Flag as offensive" link below the comment.
KSL 09/28/13 - 09:59 pm
NSA seems to have spying on

NSA seems to have spying on ordinary Americans down better, along with the IRS and their tactics.

SB3 09/28/13 - 10:33 pm

Last time I checked, getting through the gate at Fort Gordon took a driver's license and the chance of an inspection was negligible. Has that changed?

fedex227 09/29/13 - 01:06 am
You're right SB3 ...

CAC cards and access to the installation are two entirely different issues. You can enter the installation with a valid form of identification, the CAC card only allows you to access government information systems (but some folks use that as a valid form of ID when entering the base). The only real question is whether Mr. Alexis should have been hired by the contracting firm to begin with.

SB3 09/29/13 - 02:59 am
Apples and oranges then

Alexis used a CAC card just to enter, but once on the Navy yard he was free to go to his killing ground. That doesn't apply to Fort Gordon, does it? The problem here isn't really access at all. Just like Fort Hood, it's not allowing soldiers and responsible gun-carrying civilians to carry on post at all, making them easy high-profile targets.

I don't go on post anymore unless I absolutely have to. Just for that reason. It's also why I wouldn't recommend retirees (or even active-duty) "take advantage" of living in/renting on-post housing. Without major changes, this will keep happening more and more often.

Goose10001 10/07/13 - 06:59 am
Well you're just plain wrong

How about for once if you comment on something you know what you are commenting on is fact. Fact: COMMON ACCESS CARD.... means you can use it to access a military installation. You can use it to enter a military/government building, you can use it to access your military/government computer. Common Access Card. You can even use it at some military installations where they have automatic gates. You simply swipe your CAC card against the reader and the arm goes up and you drive in. Just like the EZ-Pass on I-95. True, you can also use other forms of IDs, but don't say you can't use the CAC card, because about 10K a day would prove you wrong at my base.

Back to Top
Search Augusta jobs