RSA and the MPD
Published by The Lawfare Institute
in Cooperation With
I was in Starbucks the other day and the man behind me was a DC Metropolitan Police Officer. As we waited, he and I had a pleasant conversation (I learned, for example, that he likes two pumps of creme brulee in his coffee). One thing, however, struck me quite forcefully as we were waiting:
I was looking at the officer and, of course, as has become commonplace these days, he was festooned with a host of tools all over his torso. He wore a bulletproof vest; his gun was on his hip; a radio on his back with a microphone at his shoulder. His belt had handcuffs, mace and a night stick. You can imagine him in your mind, I think. And all of it in standard police-issue black.
All of it, that is, except for one thing -- an RSA token in gray attached to his vest. RSA tokens are those two-factor identification tokens that are most common in banking. A random number generation algorithm broadcasts a 6-digit number to the token that changes every minute or two. When you go, for example, to log in to your bank, you need your user name and password (the first factor) but then you also need to enter the 6-digit number on your token which gets compared to the number that the RSA system also gives to the central server. In theory, even if your password is hacked, the fact that you have an ever-changing code number means that those without authorization can't get into the bank -- unless, of course, they steal your token too. [Or, as may have happened in 2011, hack into the system to crack the random number generation system itself.]
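How the server-side comparison described above can work, as an added example that is not from the original post: it uses the open TOTP standard (RFC 6238) as a stand-in for RSA's proprietary algorithm, with the token and the server each deriving the code from a shared seed and the clock. The 60-second step, the `Verifier` class, and the `enroll` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code; assumption based on the post's "every minute or two"
DIGITS = 6

def totp(seed: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 code for the time step containing `now` (HMAC-SHA1, RFC 4226 truncation)."""
    counter = int(now // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def enroll(password: str, salt: bytes, seed: bytes):
    """Hypothetical helper: build the record the server stores for one user."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), seed

class Verifier:
    """Server side: checks the password (first factor), then the token code (second)."""
    def __init__(self, users):
        self.users = users      # name -> (salt, password hash, token seed)
        self.last_step = {}     # name -> last accepted time step, to block replay

    def login(self, name, password, code, now, skew=1):
        record = self.users.get(name)
        if record is None:
            return False
        salt, pw_hash, seed = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return False        # a correct code never rescues a wrong password
        current = int(now // STEP)
        # Accept a small window of steps to tolerate clock drift on the token.
        for step in range(current - skew, current + skew + 1):
            if step <= self.last_step.get(name, -1):
                continue        # this step's code was already used once
            expected = totp(seed, step * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step[name] = step
                return True
        return False

if __name__ == "__main__":
    seed = b"constructed-demo-seed"     # constructed sample values throughout
    server = Verifier({"officer": enroll("correct horse", b"demo-salt", seed)})
    now = 1_700_000_000
    code = totp(seed, now)              # what the token would display
    print(server.login("officer", "correct horse", code, now))   # first use
    print(server.login("officer", "correct horse", code, now))   # same code replayed
```

The replay check is what keeps a code that was observed during one login from being reused within the same time step.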
I was curious why the MPD (and in particular, a beat officer on the street) might have an RSA token as standard issue. So I asked him -- and the answer was pretty obvious once he told me. MPD patrol cars carry increasingly sophisticated computer systems with access back to servers and databases maintained by the police. Those databases are, naturally, very sensitive. They have personal information about citizens and confidential information about police activities.
And so, even the cop on the street needs two-factor authentication to access the MPD's servers. He uses the RSA key along with his password to look up license plates or check for warrants etc. As I said, it makes perfect sense -- but it struck me as a pretty good symbol of our times. The MPD officer with an RSA token reflects both the pervasiveness of cyber systems in even the most day-to-day operations and also the criticality of cybersecurity for those systems.
I offered to buy him his coffee -- but he wouldn't let me. :-)
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company, and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.