National Vetting Center pilots citizenship verification automation

Written by Dave Nyczepir

Customs and Border Protection plans to pilot technology that would automate the National Vetting Center’s process to verify if someone is a US citizen.

The Department of Homeland Security’s Office of Intelligence and Analysis (I&A) is participating in the pilot, which is in the late planning stages, of an automation that will be available within a year, according to Director of Information Security Eric Sanders.

President Trump created the NVC in 2018 to streamline information sharing between the Intelligence Community (IC), agencies and law enforcement when determining the threat posed by people crossing US borders. This calculation changes when it comes to a US citizen.

“We want to make sure that we’re protecting privacy, to the extent that we’re supposed to, when it comes to American people,” Sanders said during an ATARC roundtable on Tuesday.

I&A is one of nine DHS components with an intelligence mission and the only one for which intelligence is the sole mission, providing information to the IC and to state, local, tribal and territorial governments. The office helped CBP create the NVC with a focus on automating verification, which sped up the process for Afghan refugees.

Although facial recognition isn’t part of the NVC process to Sanders’ knowledge, automation, especially using microservices, helps agencies share intelligence better and faster.

“Whereas before they had to work manually with the FBI and [the National Counterterrorism Center] to judge someone who wants to enter the country, we are now able to automate this across the IC to ensure that we get a holistic understanding of the person or persons attempting to enter the country,” Sanders said.

Sanders also wants to automate the assessment and authorization of new security features, especially low-risk ones, freeing employees to focus on more important issues.

“Whether you’re talking about [National Security Memorandum] or the [Cybersecurity] Executive Order and zero trust, you won’t get there without automation,” he said.

Role-based access controls are not enough in zero-trust environments. Attributes must be assigned to people and objects to make real-time access decisions with large volumes of data coming in quickly, Sanders said.

I&A’s priority is to automate data sharing across domains so that people in all environments can continue to be trusted over time as threat actor tactics become more sophisticated. This requires monitoring even low-level environments that threat actors are accessing first, before moving on to high-level environments, Sanders said.

The task is easier to perform in some environments than in others, and I&A is considering the use of tokens or other cost-effective solutions depending on the future state of the IC.

“A lot of these classified systems are inside buildings where it’s more difficult to do multiple factors,” Sanders said. “I cannot use my mobile phone for multi-factor authentication in a secure environment.”
