A government identity card program for maritime workers could be the source of security vulnerabilities, finds a Government Accountability Office report released publically May 10.

The report, a redacted version of a report made available to Congress this month, reveals that GAO testers were able to obtain legitimate Transportation Worker Identification Credentials from the Transportation Security Administration, despite having shown TSA agents fraudulent identity documents.

During a May 10 hearing of the Senate Commerce, Science & Transportation Committee, Sen. Frank Lautenberg (D-N.J.) said that GAO testers were able to use their TWIC to drive a vehicle with a simulated explosive into a secure port area.

The Homeland Security Department created the TWIC program in 2002; their usage by maritime workers who have unescorted access to secure port areas became mandatory in 2009. So far, the TWIC program has cost $420 million, the GAO report says. DHS officials say the program could cost as much as $3.2 billion over a decade, although that figure doesn't include the cost of TWIC card readers (currently, the primary means of TWIC verification is a visual check by Coast Guard officials).

GAO testers were able to get TWIC cards in part because only about half of all applicants undergo a background check more thorough than a simple presentation of documents to a TSA agent. Attempts to authenticate those documents are limited, the report says, because some of the security features of those documents such a holograms or color shifting ink can't be captured electronically

The report also criticizes the program for not providing assurance that a worker, once issued a TWIC, is eligible to keep it. Although TSA routinely runs credential holder names' against federal warrant databases, it doesn't run routine fingerprint database checks. Doing so would be cost prohibitive, TSA officials said. DHS officials also told GAO auditors that all government credential programs are vulnerable to document fraud and that there is no governmentwide infrastructure to positively verify an individual's identity.

But, the GAO says the weakness nonetheless exists.

"Issuing TWICs to individuals without positively identifying them and subsequently assuring their eligibility could, counter to the program's intent, create a security vulnerability," the report states.

For more:
- download the report, GAO-11-657 (.pdf)
- go to the Senate Commerce, Science & Transportation Committee hearing webpage (prepared testimonies and webcast available)

Related Articles:
White House releases plan for an Internet 'identity ecosystem' 
State Real ID deadline postponed until Jan. 2013