Smart card market ready to explode
- By Brian Robinson
- Aug 01, 1999
Depending on whom you ask, smart card technology is either on the verge of tremendous growth in the federal government or has yet to make a significant impression within most agencies.
On the plus side, smart cards already have become a fixture at some military bases, for example, where they control access to buildings and mess-hall privileges. The Navy and the General Services Administration plan to issue smart cards to thousands of their personnel. Numerous pilot projects are ongoing, and at least some of them are expected to produce a sizable demand for smart cards.
Improvements in the basic technology of smart cards - more powerful microprocessors and larger memories - will allow multiple applications to be put onto a single card, as well as provide for much stronger security.
But most observers recognize that many agencies still lack knowledge of smart cards and that federal information technology managers have a lot bigger fish still to fry.
"The major challenge for many people is that they are currently overwhelmed with technology concerns," said John Moore, chairman of the Federal Smart Card Users Group and a computer specialist at the Treasury Department's Financial Management Service. "As soon as the funds free up after the Year 2000 has been dealt with, then we might see more money available [for smart card pilots], and that could drive things forward."
There could well be "an explosion of interest" in smart cards, Moore said. But it is far too early to predict whether that will lead to an explosion in their use.
Even the technology's biggest boosters acknowledge it has not yet arrived, but they insist its appearance has been foreshadowed by the numerous federal pilot projects and recent technological developments.
"It isn't there right now," said Mike Irvine, program manager for the Health Passport Project at Siemens Information and Communications Network. "But I think all of this will cause the smart card market to explode."
Siemens is the prime contractor for the Health Passport Project, a multistate pilot program involving various federal and state agencies that is looking at ways to deliver a variety of public health programs on a single card. Program officials claim that Health Passport is the largest health care smart card program in the country.
A big drawback to gauging government demand is that there is no commercial business for smart cards in the U.S. on which to base comparisons. Although analysts estimate there were more than 1 billion smart cards in circulation last year, the vast majority of them were in Europe. Only about 6 million smart cards - with as many as half of those used in "embedded" applications such as satellite TV receivers - are currently thought to be in use in the United States.
"The business drivers in the U.S. are not the same as overseas," said Donna Farmer, president of the Smart Card Forum, an industry group. "There, it's been for such things as telecommunications, as pre-paid cash and phone cards. Privacy and security are the driving issues in North America."
Given the current lack of a commercial market, the government finds itself leading much of the technology development of smart cards in the United States.
The government's drive for public-key infrastructure (PKI), in particular, is considered a natural fit for smart cards. Unlike instances where the private "user" key employed in PKI is kept in software on a computer, it can alternatively be embedded on a smart card. Software keys could be copied without the knowledge of the user, but the private key on a smart card would never leave the card. And if the card goes missing, the rightful owner presumably would know.
The government has embraced smart cards for other applications, such as secure sign-on to networks; as "transportable" devices to allow people to log on to secure sites no matter which computer they use; and to carry other security elements, such as digital signatures. So it's little wonder smart cards increasingly are viewed - at least in certain parts of government - as one of the principal enablers of secure, distributed computing.
The Navy, for example, is one of the most active agencies in using smart cards. It was set this year to issue more than 100,000 cards to many of its operational groups. It also was designated as the lead agency for the overall Defense Department smart card program in the fiscal 2000 Senate Defense authorization bill and was given $30 million to help it field the technology.
The Navy initially saw smart cards as a way for someone to carry essential personal data, such as medical records, around with him. The service now views smart cards as "multipurpose cyberidentity" cards that can be used as a PKI hardware token, a building pass key or a personnel ID. In general, Navy personnel use them to get to data held on a secure World Wide Web site.
"We are changing from the model of a card-centric world and evolving to a server-centric environment using the smart card as a trusted client," explained Anthony Cieri, program manager for the Navy's smart card program office. "The card would be used as the authenticating device in a PKI environment, to gain access to a portal on the Web. The PKI scheme is in lieu of one where the card itself would be used to carry all of this extra data."
Vendors are beginning to fit their products to the PKI universe. Gemplus S.C.A., one of the biggest manufacturers of smart card systems, recently introduced its GemSafe Enterprise suite of products, specifically designed to support PKI. Secure Computing Corp., whose Sidewinder firewall is widely used in government and particularly in DOD, has come out with the e.ID "multicard," which can authenticate a user's identification through digital certificates or one-time passwords, or it can be used for physical access control to a site using a photo ID and magnetic stripe or bar code.
Datakey Inc., which has been involved in government security for years, is trying to get ahead of the Internet security crowd with Private Access, a turnkey solution that provides a ready-made secure Internet site with the smart card technology needed for authentication.
PKI is an essential part of the future, said Carl Boecher, Datakey's president and chief executive officer. "We can't operate without that. There have been around 100 smart card pilots, and only 14 have gone into production. But with PKI being built out over the next couple of years, we expect explosive growth beginning in 2000."
Meanwhile, GSA is planning to make smart card technology widely available to all government agencies through the Smart Access Common ID Card program, for which it hopes to make an award in the fall. Run by GSA's Office of Electronic Commerce, this contract will cover smart card applications that combine both physical access to buildings as well as "logical" access to IT systems and networks. It also will support the use of biometric technology and digital signatures.
Until recently, smart cards' memory size was limited to either 4K or 8K, and microprocessors were almost always 8-bit chips. That is more than adequate to cope with the on-card cash, phone card and simple ID applications but not for the multi-application, security-dense cards that government users will be looking for in the future.
Bill Holcombe, director of card technology in GSA's Office of Government Policy and chairman of the Federal Smart Card Project Managers Group, said increases in chip performance and memory are necessary for cards capable of handling digital signature, certification and cryptography.
For this, cards with 16K to 32K of memory will be needed. More powerful 16- and 32-bit-processor cards already are in the pipeline.
Another essential development will be the move to fewer operating systems for smart cards. Historically, there have been a large number of proprietary and incompatible operating systems-practically one for each smart card vendor. Consequently, each vendor manufactured its own smart card reader, which meant that a smart card user could not use one reader with another vendor's smart card.
That began to change several years ago, when Sun Microsystems Inc. developed a version of the industry-standard Java language for use with smart cards.
Then Microsoft Corp. last year announced Smart Card for Windows, an 8-bit operating system for which application developers could write programs using C++ or Visual Basic.
Microsoft also said it would build support for smart card readers into its upcoming Windows 2000/NT 5.0 operating system and has begun accreditation testing for various vendors' readers. That should mean that any smart card that supports Smart Card for Windows could be accepted by a Windows-compatible reader. Several PC makers have said they intend to incorporate smart card readers directly into the keyboards of their computers.
Those factors could push the smart card market into overdrive, said Duncan Brown, director of research, North America, for market watcher Ovum Ltd. For example, if Microsoft decides to ship a smart card with each of its Office 2000 packages, that could stimulate the purchase of readers and the use of smart cards.
"I expect the smart card market then would follow the dynamics of the CD-ROM market," Brown said.
Ovum is projecting a total worldwide market for smart cards of 2.7 billion units by 2003, with the largest markets still in pre-payment applications, followed by access control and electronic cash.
But Brown said the caveat is that the window for smart cards to establish themselves as a dominant security access technology is relatively narrow. "If smart card technology is not implemented shortly, say over the next three years, then other technologies will come along that could usurp them," he said. "The technology for [stand-alone] biometrics, for example, is maturing very fast."
That promises little relief for federal smart card proponents. By the time they begin to get comfortable with the idea of smart cards, another technology may already be knocking.
-- Robinson is a free-lance journalist based in Portland, Ore. He can be reached at firstname.lastname@example.org.