
The "Clark" Lesson

By Justin Dew, posted Jan 30, 2012 02:30 PM

  

Recently I was talking to a friend who happens to work in IT, and more specifically, emergency response for a state government.  We were talking about the always-exciting topic of credentialing and the First Responder Authentication Credential.  He said something I found interesting when I asked when his state was going to start issuing FRACs.  "I suppose we'll get to it soon enough.  For now, it's a great idea for states that have a lot of extra money to throw at something that isn't a very big problem." 

I think that's how a great number of state and local jurisdictions view the FRAC: a neat tool, but costly and not completely necessary just yet.  We heard on last week's Digital Identity Working Group call that we are already seeing the FRAC-related expenses decrease, though they still have a ways to drop if we are ever going to see the day when every first responder is carrying a strong digital credential. 

Geoff Kohl wrote about the FRAC in his blog earlier this month.  He tells a good story about an incident that took place back in 2002.  You might find it interesting.  (Yes, I am submitting a blog entry that is almost entirely comprised of someone else's blog entry.)

Almost a decade ago, a tugboat captain pushing a barge on the Arkansas River lost control of his vessel and struck the bridge support for Interstate 40 near the town of Webbers Falls, Oklahoma. The bridge collapsed into the river and over a dozen people died. What happened next was an amazing lesson in incident command and control.

A guy named William James Clark showed up wearing an Army uniform and, impersonating a U.S. Army Captain, took command of part of the emergency scene, including recovery of items and personal effects of the victims from the river. He also, according to the case of United States of America v. William James Clark, went further with his claim of command. Here's a run-down of what else this impersonator did:

"After a briefcase belonging to an actual Army captain was recovered from the river, Defendant took possession of it and contacted the officer's widow on multiple occasions. On May 28, 2002, he obtained the use of several motel rooms in Van Buren, Arkansas, by representing that he was an Army captain and assuring motel management that other government officials would pay the tab, which eventually totaled $900. That same day he obtained $464.26 worth of provisions from an Army surplus store in neighboring Fort Smith, Arkansas, by telling store employees that he was an Army captain who needed the supplies for the rescue effort. The following day he appeared in uniform and "borrowed" a 1997 pickup truck from a dealership in Searcy, Arkansas, telling the owner that he needed it to transport supplies to the rescue workers in Oklahoma. He failed to return the truck as promised."

In the end, Clark was found to be a prior felon, not a Captain in the Army, and was captured in Canada. But five years later he was at it again, calling the Russian Embassy, claiming he was a military official and advising them of a plot to kill Vladimir Putin (the plot was his own mad invention). The reason I bring Mr. Clark up is because we still don't have a definite policy for identifying first responders and response personnel at disaster scenes.

There's a DHS effort in the National Capital Region to define these credentials, and the Electronic Security Association has worked with states like Mississippi and Louisiana on the concept of getting security professionals access into disaster situations if there's an emergency need to fix something (e.g., a bank that needs its security system repaired after a heavy hurricane), but what is amazing is that over 10 years after 9/11, we still don't have a definite plan on incident command identity and access management. And what's notable is that most of the plans that I've seen use simple paper credentials, which could be easily duplicated by an oddball like the aforementioned William James Clark. The concept of the First Responder Authentication Credential (FRAC) is of a FIPS 201 type of technology-based credential to solve this problem (applause to DHS for at least starting to address this need), but it's still not ready for the nation. L-1 Identity Solutions wants to go a different route and put a first responder marker on driver's licenses. That's a pretty good idea, but the problem is that driver's licenses are state documents, and some disasters reach outside the scope of a single state (take Hurricane Katrina as an example), so there may be difficulty validating the persons holding those licenses, and what their level of access should be.

I'm not supposing that I know what the perfect solution would be (a FIPS-201 type of card sounds promising), but I do know that we need to address this as a nation. And for our corporate security leaders, have you thought about how you validate command and control if you have a situation at your plants, office building or other corporate property? Because someone like William James Clark might want to try to take control of the situation if you don't!
