Customs and Border Protection plans to pilot technology that would automate the National Vetting Center’s process for verifying whether someone is a U.S. citizen.
The Department of Homeland Security Office of Intelligence & Analysis is assisting with the pilot, in the late planning stage, of an automation that will be available in a year, according to Chief Information Security Officer Eric Sanders.
President Trump established the NVC in 2018 to streamline information sharing between the intelligence community (IC), agencies and law enforcement when determining the threat posed by people crossing U.S. borders. That calculus changes when dealing with a U.S. citizen.
“We want to make sure that we are protecting privacy, to the extent we’re supposed to, when it comes to U.S. persons,” Sanders said, during an ATARC panel discussion Tuesday.
I&A is one of nine DHS components with an intelligence mission and the only one where it’s the sole mission, providing information to the IC and state, local, tribal and territorial governments. The office helped CBP create the NVC with a focus on automating vetting, which sped up the process for Afghani refugees.
While facial recognition isn’t part of NVC’s process to Sanders’ knowledge, automation, especially using microservices, helps agencies share intelligence better and faster.
“Whereas before they had to work manually with the FBI and [the National Counterterrorism Center] to adjudicate somebody wanting to come into the country, we’re now able to automate that across the IC to make sure that we’re getting a holistic understanding of the person or persons that are trying to enter the country,” Sanders said.
Sanders also wants to automate the assessment and authorization of new security capabilities, particularly low-risk ones, freeing up employees to focus on bigger problems.
“Whether you’re talking about the [National Security Memorandum] or the [Cybersecurity] Executive Order and zero trust, you’re not going to get there without automation,” he said.
Role-based access controls aren’t enough in zero-trust environments. Attributes need to be assigned to people and things to make access decisions in real time with large volumes of data coming in quickly, Sanders said.
I&A’s priority is automating data sharing between domains so it can continue to trust people across environments over time, as threat actors’ tactic get more sophisticated. That requires monitoring even low-level environments threat actors access first, before moving into high-level ones, Sanders said.
The task is easier to do in some environments than others, with I&A considering the use of tokens or other, cost-effective solutions in line with the IC’s future state.
“A lot of these classified systems are inside buildings where multi-factor is harder to do,” Sanders said. “I can’t use my cellphone for multi-factor authentication in a secure environment.”