Testing the security of government sites
From Oct. 1 through Dec. 23 of last year, I accessed the homes of the National Security Agency, the Defense Intelligence Agency and the president's helicopters with a revoked CAC. I drove on these installations in my SUV, large enough to carry numerous weapons and a lot of ammunition or a bomb, without being questioned or searched. I drove on these military bases on official business, and I was unaware my card shouldn't have worked, but no one else knew that. I could just as easily have been someone with terroristic or murderous intentions.
The Department of Defense began issuing common access cards around 2005 as part of increased security procedures directed by President George W. Bush. The CAC looks like a hybrid driver's license and credit card with the cardholder's photo and information printed above an embedded microchip. The chip and a magnetic strip on the back contain digital information confirming the cardholder's authorization to drive onto military bases and access specific facilities. The chip is also used to access military computer networks. Whenever a cardholder drives on a base or enters a sensitive area, the guard should scan the card with a device that looks like a handheld price reader at retail stores. This scanner confirms the card is valid, clearing the cardholder to proceed. Using such anti-forgery technology in theory heightens security, and because of the authentication this technology provides, valid cardholders may enter military installations without being searched.
The problem with this process is implementation. Despite terrorists vowing to attack America at home and tragically regular mass shootings by the criminally insane, it is incredibly easy to access what one would think are secure facilities. My own experience serves as a case in point. I recently left the active-duty Marine Corps and joined the reserves. Normally when one leaves the service he or she must surrender his or her CAC. While I was working my way through the process to leave active duty, no one ever mentioned anything about turning in my CAC. I asked several administrative personnel if I needed to exchange my CAC due to my transition to the reserves. They either told me no or that they did not know. I even went to the office in Quantico that issues military IDs and asked if I needed a new card. I was again told no.
For the three months after I separated from the military I continued to use my CAC to access Fort Meade (home of the National Security Agency), Joint Base Anacostia-Bolling (home of the Defense Intelligence Agency, the president's personal helicopter fleet and my reserve unit) and the Naval Academy in Annapolis. All of my trips were for legitimate purposes, such as attending reserve training or using the commissary. On occasion I noticed a gate guard would scan my CAC multiple times, give his scanner a quizzical look, and then hand the card back to me, waving me through without a question or even a glance into my vehicle.
In late December I drove to another military personnel office to retrieve updated spouse identification for my wife. The woman who helped me gave me a funny look after she scanned my card and told me she had to seize my CAC. She was uncertain how I even drove on base with the card because it had been canceled when I left active duty.
Unbeknownst to me I had been allowed to drive a couple hundred yards from the president's helicopters on a secure military installation without legitimate credentials. I could have easily been a disgruntled veteran who had been dismissed from service and had a grudge to bear. I could have stolen the CAC and altered the photograph. The electronic data on the card stated that my card was invalid, but that did not stop me from accessing several “secure” installations. Thankfully I was just a legitimate reserve officer who had been given some bad information.