The importance of police officers’ safety while accessing the CJIS on the road
Every day, thousands of devices request access to the CJIS database under high-security protocols but still get hacked. Every police patrol has a device connected to the CJIS, which increases the risk of a potential data breach and exposes officers to unnecessary pressure and danger when doing their job. So, how can law enforcement officers stay protected while securing their connection to the database that gathers the PII of a nation?
Every day, thousands of computers located in police patrols across the United States access the CJIS database to perform background checks, track illegal activity or identify criminals. The Criminal Justice Information Services (CJIS) is a division of the US Federal Bureau of Investigation (FBI) which gives national security, federal law enforcement, and criminal justice agencies centralized access to criminal justice information (CJI) such as fingerprint records and criminal histories.
It is clear that CJIS data is highly sensitive, and the perimeter to protect access to the CJIS is wide and complex. The security tools on each connecting device must be the strongest and most comprehensive possible. Any successful attack could compromise the data of millions of individuals, and it takes only one compromised device with weak security measures to make that possible.
Police officers and law enforcement agents in the streets, for example, depend on their vehicles to carry out their daily duties efficiently and as safely as possible. Their work goes beyond patrolling: it includes filling in forms, gathering information, accessing their computers, and a long list of other actions that have turned today’s police patrols into mobile offices. Police officers access their devices for CJIS background checks dozens of times a day while dealing with suspicious or dangerous individuals. Even the briefest distraction, such as entering a username and password, puts them and their colleagues at unnecessary risk and can turn a situation under control into a life-threatening one. The friction in the login process is only one of the problems. Driving with a suspect in the back seat and performing CJIS background checks without extra protection leaves the database open to onlookers, which could jeopardize the integrity of the data and end in a data breach. So what is the level of security applied to endpoints accessing the CJIS, and does it match the agent’s real needs?
How the CJIS applies security protocols and authentication methods
The CJIS has developed a set of policies on wireless networking, remote access, data encryption, and multiple authentications for all agents to follow so they can all be CJIS compliant. It is no surprise to either the private or the public sector that cyber threats have not stopped growing and hacking techniques keep improving, with phishing, malware, and credentials being the most common attack vectors used to breach government networks. In this context, protecting every pathway to the CJIS is crucial.
CJIS compliance is therefore one of the most holistic and rigorous cybersecurity standards, comprising up to 230 pages of regulations and requirements in 13 security policy areas.
According to the CJIS Security Policy, in order to be authorized to access the data, the endpoint must have unique identification plus a standard authentication method: a password, token or PIN, biometrics, or another type of multi-factor authentication. The need to keep sensitive law enforcement and justice information secure is continuous, so the CJIS Security Policy is periodically updated to reflect the evolving security landscape. However, in spite of all the security measures and policies, cyberattacks on state and local governments have kept posing a threat in the last few years.
How password-based security can be improved within CJIS regulations
In 2021 alone there were more than 100 confirmed attacks against the U.S. government, which included state and local governments, schools, financial institutions, health care organizations and manufacturers. And according to the New York Times, at least 26 government agencies have been hit by ransomware since the beginning of 2021, with 16 of them suffering extortion attacks.
So, even though the CJIS Compliance document has around 3 pages of instructions on how to configure a password, it is clear that the current efforts to keep CJIS security up to date with today’s cyber threats are not enough and cannot slow down.
The points of vulnerability are many, with hundreds of devices remotely connected to the CJIS database. In the case of the police force, law enforcement officers often operate in the streets as well as out of their squad cars and access the CJIS to check personal credentials such as driving licenses or IDs. Leaving the device unattended for a few seconds is enough to have it compromised. Last year, for example, hackers released personal info of twenty-two D.C. police officers in a ransomware attack. How that information was accessed is unclear, but weak credential administration is most usually a cause. There is an important shift in the cybersecurity industry towards non-password-based access. Passwords are not strong enough: they are easy to breach, and hackers most usually access multiple services with the same password. Data sources as important as the CJIS require access and authentication methods that leave passwords behind and provide ultimate security for devices anywhere, all the time.
How to boost CJIS authentication mechanisms with touchless continuous authentication
The CJIS compliance regulations are specific, but there is still room for improvement. According to them, every device must have a session lock mechanism to prevent inadvertent viewing whenever a device is unattended, and, in order to prevent further access after logging into a session, the system must lock after 30 minutes of inactivity until the users identify and authenticate themselves again. These are explained as separate requirements, so it seems like there could be two mechanisms to address both needs, but the truth is that both actions can be performed under high-security standards, and more efficiently, with just one solution, thanks to biometrics.
Biometrics is an identification and authentication mechanism with the power to overcome passwords and, in combination with them, to offer higher protection and hacking-proof authenticated access. In contrast to passwords, it is unhackable, cannot be shared and cannot be faked, standing as a powerful tool against cyber threats. Still, biometric authentication commonly relies on image-based mechanisms and fingerprints. Hackers are getting smarter, just like technology, and the possibility of faking these flat elements is increasing.
So it is time for the government and law enforcement agents and institutions to go one step further and stay ahead of cyber threats and possible data breaches by adding biometric access that is continuous and video-based, and that protects authentication and unattended devices simultaneously with just one element that needn’t be remembered and goes with the user everywhere at all times: touchless continuous authentication.
How can touchless continuous authentication be the ultimate solution?
At Hummingbirds AI we have developed GuacamoleID, a touchless continuous authentication solution for computers that protects users and devices against unauthorized access through video verification. This intelligent application continuously matches the faces in front of the computer with authorized ones, and automatically blocks the screen when unauthorized users are detected. This is a sophisticated facial matching system that helps verify and confirm an individual’s identity using their facial biometric. It is also GDPR and HIPAA compliant.
This touchless continuous authentication solution verifies a user’s authenticity from the moment they log in, without the need to lock or close a session, because it runs continuously. This means that when it does not detect the user at the screen, it automatically blocks the device.
This technology targets one of the major risk factors in computer security: unlocked or unattended workstations. It also prevents those who look over your shoulder from being able to read your sensitive information. Because it uses the camera on the device and runs on video, not just a still image, the protection that this mechanism offers doesn’t stop once access has been granted. It accompanies the user all the time, nonstop.
So applying this kind of AI technology solves several problems for police force security at once. On the one hand, it guarantees stronger authentication controls and protection against data breaches, credential theft and account takeover. On the other hand, it eliminates the friction in accessing police devices and gives police officers full autonomy to perform their tasks without diverting their attention.
Privacy protection is a requirement in everything Hummingbirds AI develops, as well as a concern for the CJIS. Therefore, all the processing for GuacamoleID is done on-device, removing any dependence on the cloud. GuacamoleID delivers real-time continuous authentication and verification, providing faster decision-making, preemptive security, and overall data breach awareness. With tools such as this, law enforcement safety is guaranteed, CJIS access is protected, and national security gets one step further in protecting the nation.