PKI coming to the Army

The Army started implementing a servicewide program this month that will require employees to use public-key infrastructure (PKI) technologies to log on to the military’s unclassified network.

The Army’s Common Access Card (CAC) Cryptographic Logon uses a special identification card and a personal identification number to access the Non-secure IP Router Network (NIPRNET). The service plans to have 10,000 workers at Army headquarters using PKI by March and all employees by this summer, according to a Jan. 25 Army statement.

“One of the greatest vulnerabilities of our networks is posed by weak user names and passwords,” said Lt. Gen. Steven Boutelle, the Army’s chief information officer. CACs use electronic information and digital PKI certificates to verify users’ identities.

Boutelle said spyware or keystroke-tracking software can steal user names, passwords

and PINs, but he said they cannot steal CACs. The Army plans to stop using user names and passwords to access the military’s networks and will eventually require CAC log-on for Army Knowledge Online, the service’s portal, Boutelle said.

Last month, the CIOs at the military’s major commands wanted to require workers to use PKI technologies instead of user names and passwords to log on to the NIPRNET. The Army said the Joint Task Force Global Network Operations, the organization that manages and defends the military’s networks, started accelerating PKI use throughout the Defense Department.

Since 2003, nation-states including China, crime gangs and hackers have increasingly tried to penetrate DOD networks, sometimes successfully. They are motivated to steal U.S. military secrets and slow DOD networks.