The Defense Department’s decision to drop the TWIC card as a trusted key to its online transportation systems doesn’t throw up roadblocks that would stop TWIC-carrying truckers, but it will raise costs for some companies that employ them.
The Transportation Worker Identification Credential, or TWIC card, considered secure enough to give truckers access to ports and sensitive facilities, apparently is not secure enough for access to DOD computers.
The DOD decision, published in a Dec. 10 Federal Register notice and a Nov. 28 customer advisory, means freight companies that use TWIC to access the U.S. military’s online transportation procurement systems will need to acquire new encrypted “keys” by Jan. 29.
Such keys are used by carrier personnel who access the Electronic Transportation Acquisition (ETA) system of the U.S. Army’s Surface Deployment and Distribution Command (SDDC) and the U.S. Transportation Command’s Defense Personal Property System, two Web sites critical to transport operators doing business with the DOD.
The ETA Web site, for example, provides carriers with access to the DOD’s billing and global freight management system for freight and ocean cargo.
In 2011, the DOD’s Public Key Infrastructure Office replaced a password-based security protocol for those systems with one that relies on External Certificate Authorities (ECAs). The ECA PKI certificates are unique keys for individual users. The DOD’s commercial partners could use PKI certificates from one of three commercial companies — Verisign, IdenTrust or Operational Research Consultants (ORC) — or a TWIC PKI certificate from the Transportation Security Administration.
However, as the DOD tightens online security and access to its systems amid widespread concern about the threat posed by hackers, its PKI office has decided TWIC isn’t up to military spec. “The DOD PKI office has not established a trust relationship with Homeland Security/TSA,” the DOD said in its notice, and the TWIC card “cannot be used to authenticate users for access to DOD systems.”
That means transportation partners currently using TWIC to access the DOD Web sites and online applications and do business with the military will need to purchase external ECA keys from Verisign, IdenTrust or ORC, if they don’t have such a key already. “The removal of the TWIC access will affect (about) 450 accounts,” the DOD’s Julie L. Fowler, ETA program manager for the SDDC, said in an e-mail.
Freight carriers can purchase those ECAs for about $120 to $135, according to data published on the ETA Web site. Certificates are available for various levels of security, various periods and at various prices. For example, an IdenTrust three-year medium-assurance certificate costs $233, while a one-year ECA costs $99.
A TWIC card, which costs between $105 and $130, is valid for five years. While not a staggering sum, the price difference between those commercial ECAs and TWIC amounts to an increase in the basic cost of doing business with the DOD.
The DOD decision raises questions about the security provided by the card and the TWIC program’s future, said Denise Krepp, a former U.S. Maritime Administration chief counsel and senior counsel for the House Homeland Security Committee.
“Is there a problem with the DHS background checks? Is there a problem with the interoperability between the DHS and DOD systems?” Krepp wrote in a commentary published by The Journal of Commerce.
“Why are the TWIC holders themselves having to suffer because the federal government can’t resolve the problem?” said Krepp, now a consultant and educator at George Washington University and Penn State University. “I’m absolutely floored they’d let this type of thing slip by.”