She is responsible for the Department of the Army's information assurance program for the tactical force. So next time that you think about a tank driving down range and shooting targets and stuff, or a helicopter, all the anti-security stuff, she's the one that does that. So if you didn't identify her, you all missed a sure good bet. And she's also skilled in hand-to-hand, so I wouldn't mess with her.

Anyway, my name is Phil. I work for the Department of the Army. I'm the operations officer for information assurance for the program for the big army. I'm also the director for the Department of Defense for biometrics. And what I'm here to do today is just kind of talk to you all about biometrics and the reason that the Department of Defense, your Department of Defense, is making an investment in that. I would like to stand up here and tell you that we are leading the way. We are not. We are following commercial industry. We're following commercial practices. I don't know if last time anybody went to Disney World, Disneyland, but they've got that implemented at their gates. And as you leave for the day, a little message comes up and says, gee, I hope you had a good time. See you later, Phil. Now they don't get that in the system by accident. It's by the registration process when you come in and pay for your tickets.

Let me talk to you a little bit about this. This is the purpose of the presentation today. If you were here last year, you know, I stood up here and talked about all the patriotic things that we should be doing and what hackers are doing to us, my concern about the erosion and infrastructure from the inside. I haven't changed those views. I still think that even many of you tell me that you're hacking to show me how to improve my business, perhaps misguided a little bit. Because when you're hitting the system that we're responsible for, look around and look at each other because you're hitting each other.
You know, you're the girl next door, the guy next door, your aunts, your uncles, your cousins, because they're operating in those systems. So we looked at the past three years on what was causing a lot of our penetrations and so forth. I'm going to show you some real-life stats. This is the first time they've been released on the incidences and intrusions that are going on in at least one department in the Department of Defense. And we found out that a lot of this is caused by poor password management, no password management, redundant passwords across systems.

And I appreciate the many speakers who have spoken over the last several days here. But I will tell you that our level of complexity is probably greater than General Motors. And I've seen and I've worked with General Motors, they have a pretty robust system across the entire infrastructure to include multiple contractors and subcontractors and suppliers and so forth. But they were very rigid and they're based on a very straight line philosophy and it's a bottom line. They're also working in environments where you have a lot of commonality in their structures. Unfortunately for the Department of Defense, that cannot happen. That's by law. I cannot even be part of a discussion that says we ought to get nothing but Linux. Or we ought to get nothing but Linux and it ought to be two dots something. By law I can't do that because that would interfere with free and open competition. I must advertise out there to say I need an automation capability that is XYZ. And we go with best practice, best price, etc. And we integrate that. The consequence of that is we end up with systems of systems that are at times not as interoperable as we'd like them to be and certainly at times from a security perspective very contradictory to each other. So we try to find from an information assurance perspective a common thread that we can overlay the entire infrastructure to improve the security of access. So we looked at this.
We were given the challenge some time ago to take a look at a technology under the IA umbrella that would do a couple things for us. One would give us a better reliance on identification and authentication. In other words, if I logged in, something in that process would say without a doubt that's Phil. That's not someone else that's captured his password and mimicking or his user ID. That's Phil and it can be proven. And then we wanted something that, and you can appreciate this, if you've never served a day in the military you can watch one decent military movie. You can appreciate what our soldiers, sailors and airmen go through on a daily basis deployed at any given time. The last thing I want to give any of those young men and young women is another thing to memorize, another thing to carry, another thing to take a chance at losing. Passwords, user IDs, tokens, PINs fall in that category. They're busy enough as it is. Their butts are on the line. So we want to make their lives easier.

Now, that understood also understood in this. Unlike corporate America, when we deploy and we are deployed on your behalf in 70 to 80 countries at any given time, any given time, any given day, any given week of the year. When we deploy for our command and control, that means we're able to reach out, touch Dick and Jane. Make sure they're still there. Make sure they're still safe. Make sure they can still eat, still defend, still communicate. We turn on our systems and we do not turn them off until the end of that mission. A lot of people come through the process. Obviously, we don't ask any of our war fighters to stay up 24 hours a day, seven days a week. We do run shifts out there. So how do you maintain the integrity of your system? Positive, definite identification. So it's not a bad person on that system and still maintain continuity of operation. Those are big challenges. And I appreciate all the things that I've heard about many speakers here.
But the truth of the matter is, we're not there yet. This is why we looked at biometrics to try to help us solve all those problems. Now, I will tell you, being a security geek like many of you all in here, I am not going to tell you today that biometrics is a security solution because I'm not convinced that it is. But it's certainly better, certainly better than using your mom's name as a password into a system. There's no question about that. So let me take you through about the 60,000-foot level of what we're trying to do and why.

Next slide. These here are a little bit of a war story that were caused by, hopefully, no one here in the audience, but I'm going to go through some of these things because this is the threat that we look at. Of course, there's some up here today all unclassified. I'm not going to talk anything classified at all. I would tell you that if you want to find a belly button that contributed to the attorney general's swing on changing laws for hackers and crackers and phreakers and general people who are going to mess up the infrastructure in places they don't want to, it occurred, quite frankly. Take a look at the swastika up there. That was the attorney general's home page. Now, I've been privileged because I've traveled with her and she is absolutely a super, super lady. I've never met a better state of American, I assure you. She is dedicated to the country like no one's business. She took this as a personal attack. Now, if you've not seen this, it's archived and you all know where to go when all the pages get archived. This one here was kind of an affront to any American, because someone here totally rewrote the Constitution. Rewrote the 1st, 4th, 5th Amendment and a bunch of other stuff. The system administrator was on duty at that time because this was displayed for about 72 hours long weekend. It didn't survive past Tuesday, understandably correct. My understanding is a new system administrator is a nice guy.
On the map up here, we see Texas and India. You guys remember the fall of that in the Tech 9? At the time, 15 years old, got a lot of credit for this hack. I was upset about all the nuke testing going on in that part of the world. Well, maybe the rest of the story you don't know. From an international incident perspective, Tech 9 caused us, the US Army, to look like we had launched an attack on both India and Afghanistan. And how could that be? We're not in that business. We don't attack nations from a computer basis. Well, what happened is one of the servers in San Antonio, Texas, home to the US Army's medical command, had been captured, and Tech 9 used that server to launch all those attacks to those particular two countries. From the distant end, it certainly looked like we, the US Army, had some of the baddest dentists in the world when it came to cyber attack. By the way, the only thing that server had on there was thousands of dental records for our service people.

We work with banks and industry now, a lot closer than we ever have, so we're able to see what's happening in that business as well. Credit card fraud, bill exploitation and so forth. We're very concerned about what goes on there. We don't do a whole lot in that area, but I will tell you the reason that we're into that area, into the commercial world, working with Visa, Master of Charge, AT&T, is because the same equipment they have, we have. The same problems we have, if it's a crap operating system, guess what? We bought it too. If it's got holes, guess what? We got it as well. So we have teamed with some of the brightest and best minds out there in industry to fix it on a mutual perspective. And that's working well for us.

Okay, first time ever. This is what it looks like for one of the services in the Department of Defense. FY, by the way, stands for fiscal year. So you see 97, 98, 99 in the current FY, 2,000 incidences to tolls by color code.
Now it may look to you at first shot if you look at the incidences and number of intrusions, and by the way, we classify an intrusion as someone who actually got into our system, mucked around, caused some damage. The other thing you all know is we also catch it. So we're getting much, much better at that as well. It may look to you like we're increasing or the threat is getting worse or the attacks are getting worse. Well, I personally believe that's not the case. I believe we're just getting better at detecting. We have layer upon layer of detection capability out there now, and we're doing some significant technology advancements in areas of data reduction and data correlation across a multitude of sensors. Who would have ever thought that HP OpenView would be a security sensor? It is. When you marry it up with Tivoli, when you marry it up with RealSecure, when you marry it up with Axent, and a few other tools that we developed on the side. So we're using all these sensors, bringing them all together, and we're able now to look at indications, not just one box or one state or one part of the world, but collectively. And that's helping us a lot. And quite frankly, we did it with the help of industry and many of you in this room, which I know personally have been instrumental in making that happen.

Next chart. Let's talk a little bit about, still in the war story category of things that recently happened. Now most of you, I'm sure, are aware of these things, but you may not be aware of the final outcome when it comes to the identification of cost against some of these events in some of these well-publicized incidences. Yahoo! 45 million web pages hit. Now why would we care? Why would the Department of Defense and the Department of Environment care what's happening in Yahoo? Well, guess what? We're a customer of that like everybody else. And we care about it because we're web-based from a command and control perspective as well.
It's not something you just use on the commercial world. We use it for management of our business as well. A gigabit at a time to incoming. What a denial of service that was. FBI mobilized, you bet. Okay? On the government side, if you remember President Clinton's PDD 63 where he stood up to critical infrastructure protection, FBI automatically becomes involved. 17 offices were mobilized. Yahoo! We lost millions and it also caused a ripple through the continuum of operation on some of our bigger service providers out there. We worry about that. Little Mafiaboy, a lot of press. Was going to be convicted, wasn't going to be convicted, finally was. Couple years in jail, a little bitty fine. But that was a rude awakening for this particular kind of attack. We worry about these things.

Next chart. ILOVEYOU virus. I got hit with that on my own box at work. I opened it up. I passed it on. And I wasn't fired. In fact, they gave me biometrics and said make it work. But the impact here, I contend that we are now in the era of super viruses. I really believe that. And if this one here wasn't a wake-up call that said you have made the grade, then I don't know what else. Just combine a lot of really interesting things in a combined package. There have been a lot of copycats, a lot of add-ons since then. But not to the damage and not to the level that this particular attack was. A little dollar for you on this. This is not just Saturday in Lowns here, 10 billion dollars. And that's not exaggerated. We think it's underestimated actually. Extraordinary.

Now, counter-hacking programs are something we're always interested in. This is the ultimate counter-hacking program out of China. You hack in that country, they'll line you up and shoot you. I am not saying that's what we are doing in the United States. But we're not the only ones now that are very concerned about hacking.
And the sad thing about this case, if you read the details, these files never even enjoyed one single penny. All they did is they moved from one column to the next.

Next slide. I mentioned the commonality and some of the justifications for moving out of biometrics. This is based on the weakest link. Now, quite frankly, it's embarrassing to me to have to report to my leadership as to why a system was broken into. Especially when it's something as easy to fix as a password file. And you may be thinking out there, well, why the hell don't you do that? You live in an organization where you can issue an order and everybody has to obey it or not. Or if they don't, they're in trouble. Well, imagine how many computers you guys work on. I've got seven separate systems myself as a manager. My rules that I have to comply with the policy in my particular service is that each password must be 8-digit, often numeric, randomly generated. Do not write it down anywhere. I got a pretty good memory. But I've got to tell you it becomes a challenge after the fourth password, especially if I'm not in there on a regular basis. That's about the level of the number of passwords our soldiers and our civilians are expected to memorize. Quite a challenge. So therefore, is it a big reason why people might cheat on that construct or against that policy? Well, if you've ever been in that environment, the answer is obviously no. So one of the biggest leaks that we have, obviously, is passwords.

So I'm briefing this to the secretary, the inner secretary, and he looks at me and says, well, duh, replace passwords. I'm going, well, wait a minute. Now, we built an infrastructure based on heavy metal, mainframe kind of stuff. We brought it forward as we went decentralized desktop and we never changed the security access to login architecture. We just brought it forward. We're still treating those smart terminals like dumb terminals that we think are connected directly to our frame.
So a real cultural change has to occur here in a technology chase as well. This, I think, will be one of the greatest challenges in technologies from the information assurance perspective as far as the department is concerned. And I will tell you also, in addition to all my other jobs, I now chair the Federal Committee for Biometrics. So we're not just talking to the Department of the Army anymore, the Department of the Defense. We're talking across the government.

Next chart, please. What is biometrics? Well, I'm sure this group here, if any group I've ever spoken to, probably understands it, probably even better than I do. But nonetheless, got to put a little tutorial chart up here to get everybody to see the baseline. Now, the pictures I put around here are the biometrics technologies that I think are the most mature and the technologies that we're currently chasing, chasing in a sense of test evaluation, possible procurement, possible integration, and confined policy. And I'll talk to policy on that as well. From the upper left-hand corner around, I'll just take you for a quick tour. What I personally believe to be the most mature biometrics capability today, whether it be for IT access or for physical access or for what we're trying to do with the National Security Council to put on handguns so kids quit killing kids, we think is related around fingerprints. It's been around for about 25 years, believe it or not. It's not been around and being used as a security device. It's been around and being used as an identification device, predominately by a little organization with the letters F-B-I. The next one down is signature. Everybody signs their name differently. The best forgers in the world cannot replicate this biometric trait. Facial recognition, iris scan, veins, did y'all know your veins and your wrists and your hands are uniquely yours and we can identify that to you and only you, no one else can replicate that. DNA, of course, hand geometry.
Now you notice, I didn't mention rectum scan. That'd be a tough thing to back into anyway, wouldn't it? Those are the things we're looking at. Those are the technology, functional areas that we think have the best capability and success or final order to succeed, if you will.

Next chart, please. Why? Well, I have talked to that but just to recap the necessity. Multitude of systems. Across the systems of systems environment. Password, ID, user is a prime access mechanism. And here you go on the bottom. You forget them, you lose them, etc., etc.

Next chart. Now where do I get my authority? I didn't just wake up one day and say, I'm going to do this. I will tell you that the Congress is very concerned about the security of our systems. They're very concerned about finding the right solutions. And in this year's defense appropriation bill, this is where we got our task to march out. And if you look at the wording in here, I know it's hard to read so I'll just point out a couple things. We were tasked by the Congress, the 106th, the one in current session right now, to combine activities of biometric sensors in templates, develop a repository, pursue biometric security technology, and you will see in the context of this, they're looking at it from an information assurance perspective. And that's the way we first started out. In fact, last October, when we started hearing that the Congress was going to ask us to do that, it was IA-centric. In a short period of almost less than a year, we found out that IA is a big customer of biometrics, but it is greater than IA.

Next chart, please. This was first supplemented a few months ago and it got definitely three mission statements to do here. One was to go out and manage T&E, stands for Test and Evaluation of COTS biometric software and hardware.
And that is, ma'am, I'm marching towards to go out there to industry and interface with the providers of biometrics application and start bringing those things under a laboratory control and test and evaluate these things for, not only for what they're advertised to do, but how they may be best integrated in sustaining in our systems of systems environment and not just in IT. Because if I just do IT, Major French here can't satisfy the information assurance requirements she has in her weapons systems and her tactical deployments as well. So across the spectrum. I was also asked to define requirements and equipment. This is a big one. You know, it's how much of the stuff you need. Where does it need to go? To what level of technology? How quick? How soon? And by the way, can we afford it? And then the thing that I got to think is very important and it was firmly tasked by the Congress to develop standards. Now that's a biggie because we're going to talk about BioAPI in just a few minutes. But not having standards will kill my organization because I have to be interoperable wherever I am at any given time and any given place. So standards are very important to us.

Next slide. As a result of that, you know the next slide. This is what we're building. Now I call it muscle group because it's a nice military term. But basically it's large chunks of what we're trying to do here. And very quickly on muscle group one is a program office, program management office. That's where we need to policy the doctrine, develop the funding, develop the acquisition strategies, test and evaluation, interface with international community on standards and specification characteristics. All that's going to happen up there. That is currently open. This is really new news. We've been in business officially two weeks. I go back next Monday to my office and that will start the third week of this operation. So you get some really cool and firsthand news here.
Muscle groups two and three will be located outside the military district of Washington and for you it translates to outside Washington, DC into one of the states in which we will set up a couple of things that are significant. One is going to be a national and international laboratory for biometrics. All biometrics that are going to come into the Department of Defense will go through this laboratory for test and evaluation. That's very important because I will tell you something you already know but I will say it anyway. Software delivered in a shrink-wrapped package is not pure. There's all kind of little things in there or there's all kind of opportunities to drop little things in there. My bottom line is to make sure I provide the best product to the warfighter and that's the things that we will do to do that. The third group is built of a repository for the safeguarding and protection of templates in order biometrics can build as well as a recovery site for any other minor database that may have biometrics as an access mechanism.

Next chart. You met this fellow here, Assistant Secretary of Defense for C3I. He was on the Fed panel. For biometrics, he's the guy I report to. He's the number three guy in the Department of Defense. That was Mr. Secretary Art Money. This is his marching orders or my mission statement to get biometrics going in the Department of Defense. I got a couple of acronyms on there because if I had taken them off you would be questioning that there was really a military briefing. So I left them on there. But I'll tell you what's really important in the first bullet. It says, develop DODI, that stands for Department of Defense Instructional Directors. Those are the things that are our tablets, if you will, of what we shall and shall not do and who shall and shall not do it. Biometrics is going to be driven from the top down. The other really important, very important acronym up there is three letters on the end called JTA.
That is the Joint Technical Architecture. Now how important is that and why am I wasting your time explaining three letters to you? The Joint Technical Architecture is an architecture that has been negotiated, accepted and integrated in our design of our command and control systems and many of our weapons systems and target acquisition systems that has been accepted by our NATO partners, coalition partners and allies. That is the thrust of our interoperability. And this is where biometrics is going to be integrated right in there.

The other piece that was very important was the start of market survey for products that are BioAPI. Let me explain to you how we feel about the BioAPI. Number one, we are members of the Biometrics Consortium. That's 600 independent organizations belong to that internationally. That bio consortium owns and operates the BioAPI lower level. If we've got already 600 major entities across the globe who have agreed on a baseline standard, we're certainly going to hop on that bandwagon. When we do the testing evaluation on the products, we're going to find out what else we need to add to it. We've just stood up a government and industry panel, an IPT, to pursue the lower level of the API in the development of this particular technology. That's pretty significant. It's an action that normally does not occur. We normally wait for something to be delivered on the shelf, and then we buy it off the shelf and bring it in. In this case here, we're going to partner with industry and many of the developers to mutually come up with something as beneficial to all. Now, we realize we can't drive the market. 20 years ago, the Department of Defense pretty much drove the IT market. That's not the way it is today. We are a commercial user like everybody else, so we partner with everybody else.

The fourth bullet down, legal, privacy, social, cultural, religious issues around biometrics is an issue or a set of issues we've taken very seriously, and why?
Well, we still have groups of people, autonomous and recognizable, who feel that simply taking their picture steals their soul. You have to respect that, especially in a global community. There may be some religions. There may be some personal desires that biometrics will not work or is not desired to work. We have to respect that as well. And we've conducted a fairly extensive study on that, and I'll talk about that in a minute. Before we even launched this program, that's the things that we did. That's the fourth, fifth amendment. We look at religious issues, cultural issues, social issues around biometrics.

Now, again, my first thought up here, I'd like to tell you we're driving the field in this technology, but we are not. We're a step behind what industry is doing today. And you may or may not be aware of some, but I'll give you some examples. Next time you fly through Charlotte's airport, be advised biometrics is in the airport. It is watching passengers' facial recognition. Next time you go to Chicago, O'Hare, look outside while you're waiting for your plane. All those trucks moving around out there are being controlled. The trucks and the drivers are being controlled by biometrics. Anybody here from Texas? You have an ATM card? Do you bank at the bank that scans your eyeball because they don't use the card anymore? The major bank in Texas has done away with ATM cards, PIN numbers, and you walk up to the machine, you go smile, and then you poke in the amount of money you want. It does your iris, brings it back, validates it, and hands you the money. California, folks there, the government there is using biometrics to control fraud in financial assistance programs. Same thing in New York. Many of the states are using biometrics, a thumbprint, under driver's licenses. So those things are already going on. Next chart, please.
This is probably the only time you ever see what the Department of Defense is looking at and specification or characteristics of a commercial product for biometrics across the functional areas, whether it be printing, voice, body odor, anybody know we got now an application that will smell you, you smell right to them, it'll turn on your computer. We're not pursuing a technology, but it is there nonetheless. Remember I said we'd deploy for weeks in the field? The low cost up here, we talk about very, very low cost for each seat in which this application would be put into. My customer base just in the Army is over 1.2 million across the Department of Defense, including civil servants, support contractors, in excess of 5 million. Now as a taxpayer and every one of us is, I hope you appreciate that what we're trying to do here is to reduce the cost on this and reduce the intrusion of penetrations.

Little overhead, that, ladies and gentlemen, to us means bandwidth. If I have one single requirement in IT today, it is bandwidth, bandwidth, bandwidth. Why is that? Because right down to the weapon system, to the HMMWV, to the shooting platform, to provide our soldiers, our war fighters, a visual picture of where they are, where their buddies are, and where the enemy is. To do that requires a tremendous amount of bandwidth. I'm not going to add anything else to that infrastructure that eats up that bandwidth. I want them to know where the enemy is. I want them to know where they are, and I'm not going to add anything that will degrade that at all.

CBT. Yes, that is computer-based training. We use the same terminology across the universe. The other thing that I don't want to do in fielding this new technology is tie up a whole bunch of people in a whole bunch of training when they're not doing their actual missions.
So the requirement for this is the training for this new technology at the user level cannot be any more complicated than the instructions to load it into the system. Simple as that. If it requires more than that, it won't meet the task and we won't buy it.

MOPP 4. How many of you know what MOPP 4 is? Ex-military guys, right? For those of you that don't know, it is a military posturing position in which we get dressed up in to protect ourselves from nuclear, biological, and chemical environments. In a full MOPP 4 environment, head to toe, we are covered in a plastic suit, boots, gloves, full-facial gas masks on the shoulders, etc. Here is a living environment inside a plastic bubble, if you will. Now imagine this little challenge that's thrown at me, and by the way, Phil, you've got to operate biometrics in that environment. So how do you do that? It's, well, okay, you want to log in, take your glove off, I know a lot of chemicals out here, but take your glove off and put your fingerprint down. Well, the answer is no. So you'll be interested to know that we have pharma technology, biometrics pure, that allows the user to be identified, access to be gained, and functions on that particular system to be executed. It is called iris scan. We've been able to, at least in the laboratory right now, take an iris scan product, read it through a gas mask, and we've got little plastic eye holes, or the aviator's got a full shield, through a pair of glasses, and still be able to effect a positive reaction on the AT system. This is good news. So we're very pleased about that, because we certainly didn't want anybody to get undressed in a MOPP 4 environment for biometrics. Because had that been the case, we simply would have not deployed biometrics in those environments.

The next one is brain dead. It's also an operating office environment. So you take it off the shelf, and you rock with it, no big deal. The other two are absolute non-negotiables.
COTS means it's got to be commercial. I'm not doing any RDT&E. So I don't have labs and a bunch of engineers developing something from scratch. We will take the COTS, we will put engineers and consultants and other smart folks against it for integration of that COTS into our existing systems. But we will not develop anything from scratch. And a BioAPI is, again, non-negotiable. If you're not BioAPI and you're selling these kind of products, don't come to Washington to talk to me because I simply will not. That's the baseline requirement for the international agreement that we have.

Next slide. I didn't see one single architecture chart the whole conference, so I said I'm going to find one last night, and I brought one here. So there it is. These represent our gateways, our DMZs. Mr. Mojo here talked about a DMZ very briefly. This is where we will integrate biometrics. Our DMZs are structured as single points of ingress, egress into our enclaves. We have to do that. It's the whole part of the reconstruction of the IA architecture that we put together in the department. Where you see the routers, where you see the firewalls, and by the way, we don't always recommend a firewall at a gateway because there are certain things that we do in a stateful inspection and certain things that we don't. In certain ways that we can construct the two routers that are always found at our gateways to do IP filtering for us in some of these other things. And we do pursue things that are collectively integrated, such as Cisco's router capability with an IDS module on the inside. This is cool stuff to us. We'll put biometrics on these major pieces inside our nodes as well. So not just a user platform.

Next slide, please. I thought we would complete a couple of studies before we started bending metal on this project. These are the two stories, or two studies, I should say. One was the feasibility study. First of all, could you do this? If you could, what would it look like?
What would the whole engineering teams look like? The integrators look like. What would the facilities be required to function like? What kind of computing power would you need, etc., etc.? Is it even possible to do and execute those three muscle groups that we've been given tasks to do? And we did that. And we took part of that and we think it is possible. And we've started on it, obviously. The other one is a social legal study done by a bunch of lawyers. Until this particular project, I didn't have a terrible amount of use for lawyers, but I do now. Because if they've done nothing else in this particular technology, they have showed us over and over again that we must protect the civil rights and privacy issues of all people who come across this technology. We've got to do that. I have two lawyers on my staff and I'm there, I'm told because they're here to help me. Or maybe they're watching, I don't know. This is what we're doing to pursue the strategy. Thank you, you might be interested. I've mentioned it once or twice. We're going to test these products and we have a bunch of those coming in. We're going to test these products in existing systems. Again, to validate the vendors' bragging rights on them and also their integration capability. We're going to front load this and we'll tell you from the very beginning to succeed. So we're not going to put any biometric technology that we think is going to be risky into the system because these are live systems so we're watching that very carefully. The National Information Assurance Program, how many of you have heard about that? I will tell you that this program not only encompasses biometrics but any other product, firewalls, guards, IDSs, mapping tools, scanning tools, any product that helps us manage or improve the security of any of our networks or other systems goes through NIAP. It doesn't come into the government to get any certification from NIAP. That will be on the front end of this as well. 
Working on commercial standards and developing the approach and strategy on this. Next chart, please. Okay, what is a pilot? I told you that I would come back and explain to you how we can come around and define what we're going to do in our pilots. Well, basically two environments. One is basically get some equipment, put it on the shelf and roll with it. The other is actually putting in a line integrating intensive systems with training, with people. And we do this in an environment in which we can control. We go to a headquarters, for example, and find biometrics integrated and command LAN, if you will. That may be not any further than that. Because again, we've got an awful lot to learn. And that's pretty much the way we do business whenever we bring something in on a constant environment integrated into our backbone. We don't want to break something that's already working. Next chart. This is the process that we go through in deciding what a pilot is, who should get it, how we should run it in the next steps. To finally get a product that we can come out and say, this is good enough for DOD consumers. Now, for those of you who watch the high-end R&D centers in the government, such as DARPA and others, and if you've ever done a workflow on them, you will find that this is a pretty similar model because it is. Although we're getting COTS, although we're showing an approach or a strategy of simple integration, the process here is sustainment at the far end if we approve the product. If the product proves itself to be value-added. So we take it through the entire system, finally down to transition, into us as O&M operating and maintaining, and then it comes into the department. These are big-time issues, folks, because once a decision has been made to transition it from a pilot into full integration, you're making, or we're making, a 10 to 15-year commitment that we will have this into the infrastructure. That's the way most of this stuff works. 
It is not by accident by the way at the very top. Do you see that legal block? Sorry, I'm going to look at that. On the security block, I have another agency working for me on this as a partner, a three-letter agency that wants the products to go through the NIAP process, and they get that NIAP certification seal. I will take some number of those products, give it to that agency, and they will tell me whether I should invest any more in pursuing this as a product for DOD consumers. And I think you can appreciate that. I can get a good commercial certification in waiting on a product, but if there is a group, an activity, a host nation that can export that product, and I need to know that, and I certainly don't need to put it into our command and control systems. So all these things are embedded in here in the whole thinking process. On the tactical piece, hit it one more time. On the tactical piece in what major friendship here is responsible for these and the technologies we're looking at. The iris scan, and I know it's a hard picture to see, but if you looked at the first block in the middle of the picture on the left, that's what a MOPP 4 individual looks like, by the way. That is a lab version of an iris scan, and that is the process that we'll go through to put it right down to the tank. Now, what we particularly like in some of this technology here is things like a tank, and I put a picture of it here. In a tank, these fellas do not get in a full MOPP 4 environment once they close the hatch, because the tank itself is a MOPP 4 environment. So what we do inside the cupola or inside the turret, is put a biometric sensor that can sense the team. Now why is that important? Well, for the same reason that I want to positively identify and recognize that the user at a desktop is really who it is. I want to do the same thing in weapon systems. 
Imagine, if you will, a crew of four, which is what it takes to run an M1, is captured taken out of commission for one reason or another, but the weapon platform a 60-ton tank capable of vast destruction is left in full operational condition. What stops it? What stops a bad guy having taken that tank, pushing the start button, hitting the collectives, turning the turret around, and jamming around an HE-1 down the tube, back on us? The truth of the matter today is nothing does. The truth of the matter in a few years biometrics will. Because if you're not that tank crew, and the biosystem doesn't recognize you as being an authorized driver, shooter, target acquisition, ammo handler, that tank will be 60 tons of dead weight. And that's exactly what we want. Next chart. Okay, so what? Well, since there's a hacker convention here, or I should say an information assurance conference, this is what we think that at the highest, on the higher levels of this analysis, biometrics will do for us. I do want to put kiddie scripters and kiddie hackers out of business. You irritate the hell out of me. And you cause more damage than you can ever think about. But I know that you're not my biggest threat. I know from a national security perspective that there are probably better qualified, better trained people, probably better resourced, who would like to have access to some of the same things that we want to hold secure and protected. Target acquisition, intelligence systems, logistics systems, weapons systems, etc. So we're going to remove the easiest way of getting into the system, that's the whole password mechanism. To replace with biometrics. The other thing I really, really, really want to do, because I will tell you that our soldiers, our warfighters have enough things to do is get rid of the password, the things that they have to memorize, the things that they have to carry with them. Shouldn't have to worry about a PIN or a password or anything else. 
Worry about staying alive and worry about executing the mission. That's their primary functions. So we'll take that away. And of course the password ain't there. And the compromise is reduced and life is more better for us in our systems as well. Next chart. So if you want to know more, within the constraints of public information, here's a website. Obviously there's a lot of aspects in this program that we will, on your behalf, maintain a close hold and protect it to ensure that technology doesn't fall in the wrong hands. Or our implementation of it doesn't fall in the wrong hands for exploitation. Anyway, I appreciate the opportunity to come up here today and share some of the latest things with you. And yes, I will take questions. Go ahead. Well, actually it was a comment. They said there's an international biometric conference in September in Washington, D.C. Are we going to be part of that? The answer is absolutely. I'm not going to tell you the method. The answer is yes, we've addressed that. We've got some courses of action. The question was how are we going to address possible exploitation of the biometric template. In this case, really what he's asking is the initial points between the reader and the file or the database that would have the template for correlation. We will recognize that to be an issue, especially if it's not in a PDS environment, then we have a number of courses of action that we're exploring today. That's a good question. I'll repeat the question as less words are used. The question was when I mentioned the example of a tank and putting biometric templates in there and then becoming basically a paperweight crew is extracted. His comments were, I believe, what prevents the people who not wearing the tank for putting their own stuff in there. A lot. Let me sit best where I can describe this. In our battlefield visualization capability, all the weapons systems are interconnected. 
Upon a failure to authenticate or failure to re-recognize a team or a team component, that system can be remotely decommissioned. Turn off the fuel system and do all kinds of other things. So there's still stuff there. Man, you must be a sci-fi fan. I like that. The question was, what prevents the enemy from cutting off fingers and eyeballs? And I will tell you, it brings a lot of chuckles to the audience, but your elected officials on Capitol Hill asked me the same question. And the answer at that time was nothing. That was two years ago. And we refuse to do anything in biometrics two years ago because the state of the technology would at that time allow you to cut off a finger and go back in and poke it in and let you in. The state of technology today does not. It's got to be alive. There's got to be blood flow. So you can't pull on an eyeball and stick it up front or take a finger. And that's why we didn't take biometrics that seriously a couple of years ago. So we don't expect to see a lot of soldiers with missing fingers and eyeballs on the battlefield. Well, I think the question was, or the comment was no one can force me to give up the password, but someone can force me to put a finger, my finger on a sensor. I think that in that environment if you're there and they put a gun up in your nose you'll probably do whatever they tell you. I'm sorry, you're going to have to say the question again. Go ahead. The question was, what are you doing this for? You're still using Windows. We've got your name and picture now, sir. Good question. Let me sum up her comment and question. In the end, she says I kind of glanced over the whole issue of ownership of the template, protection of the template, and privacy and so forth. The first thing we do is a social legal study. In that before we got the marching orders to move on we committed very strongly to a couple of principles on here. Number one, you own the template. 
We will only use the template upon a written agreement in other conditions that we have mutually agreed upon. Therefore, if you give up your template or your fingerprint for access to a restricted area, that's all I'm going to use it for. It doesn't matter to us at this point if they come in and hear us what a federal want. They're not going to get the template. We're doing the same security oversight and protection as currently is enjoyed by the DNA repository. I'm going to take about two more questions and then I've got to get off the stage. I've got to get on this side. Roger, the question was if one member of a tank, using the tank example is killed or out of commission because one member is missing what's the consequence of the remaining team members and the operational of the tank? The operational concept on this is that right now each tank member is physically cross trained so a driver can shoot, a shooter can acquisition, etc. It's the same kind of piece. The TC who got in that tank determines what that tank will do or the acting TC or the backup TC. So you still have that? No, you do not need all four members. Right in the back there. Okay, let's see if I can sum up your question. Do we really think we can do away with passwords in a combat environment with this technology? Yes? Roger? One more, man. With a URL? Okay. Ladies and gentlemen, I'm out of my time and there's other people coming. So thank you very much.