Mobile-computing security a dangerous battle for DOD

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By John Edwards
 

Connecting state and local government leaders

By John Edwards

|

The security of mobile devices used by defense personnel and warfighters is a high-stakes game in which compromised data can put lives on the line.

Security concerns come with the territory for owners of a smart phone, tablet or other mobile device. Yet few people are more focused on mobile security than defense community personnel, who fully understand that missing or compromised data could lead to lost lives, not just lost money.

“Cybersecurity and data protection is one of the current ‘space races,’” said David Machuga, director of identity management and business solutions at Northrop Grumman, which supplies the Defense Department with secure mobile biometric data collection technology. “There are several challenges, but the three largest are how to certify the security, how to protect the information transmitted in a wireless mode and how to protect data at rest,” he said. “For DOD, this is a constant problem, whether dealing with cell phones, handheld bar code scanners used in a warehouse or mobile computers used to validate biometrics.”

Related coverage:

Air Force brass to get secure smart phones 

Rising battlefield smart-phone use causes safety concerns

Steve Lucas, chief engineer at the Space and Terrestrial Communications Directorate (S&TCD) at the Army’s Communications-Electronic Research, Development and Engineering Center, said the directorate’s rule of thumb is to view all commercially produced mobile devices with deep suspicion. “From our perspective, you're taking an untrusted device because you can't ensure where it was manufactured [or] what someone might have implanted on the device,” he said. “If we had more trust in the supply chain — who manufactured the hardware or where the software came from — I think we would feel a lot more comfortable in actually deploying these devices.”

Although many defense communications technology and security experts view commercial mobile devices and wireless networks with a sense of unease, if not outright distrust, many also understand that DOD and service branch decision-makers are facing increasing pressure to adopt commercial mobile technologies. DOD is awash with various types of highly secure terrestrial- and satellite-based mobile computer and communications platforms. But commercial alternatives tend to be more versatile in terms of real-world compatibility and application support, and they're usually cheaper and easier and faster to deploy.

Yet none of those attributes helps tech experts such as Lucas, who are responsible for ensuring that commercial mobile devices will function securely and reliably in situations that approach the tactical extreme and beyond. When faced with systems that have little or no real-world security track record, are built by global companies that are reluctant to divulge technology details, and are under constant attack by highly skilled and dedicated hacker adversaries, the only logical action plan is to create a well-stocked tool chest of security technologies. These tools, ranging from encryption to access controls, can then be applied to individual mobile devices in an appropriate manner with the goal of providing the highest practical level of data security. “You have an untrusted platform to begin with, and you're just trying to layer on traditional security mechanisms,” Lucas said.

Starting with hardware

Hardware security is the first line of defense in the battle to protect mobile device data. DOD strives to ensure that any mobile technology it acquires is both highly reliable and secure. “The department has a challenging mission in a difficult environment that often cannot be met by [commercial off-the-shelf] systems,” Machuga said.

All of the major smart-phone and tablet makers have taken steps during the past few years to improve device security, such as by providing longer device unlock codes — in the case of Apple iOS devices — and extending encryption support to SD cards, as Research in Motion did for its BlackBerry units. Yet many defense technology experts, including Lucas and Dave Mihelcic, chief technology officer of the Defense Information Systems Agency, feel that protection measures remain insufficient for defense needs and therefore must be bolstered with additional safeguards. Ensuring that a specific mobile device is secure enough for defense community use is a responsibility that’s shared by DOD and the various military service branches.

For security guidance, mobile device administrators at any defense organization can consult a Security Technical Implementation Guide (STIG). Specific STIG versions are available for various mobile platforms and applications. “The STIGs basically specify how to configure mobile devices to achieve an appropriate level of security,” Mihelcic said. “The STIGs are collaboratively developed by DISA, national security agencies, as well as representatives of the military services.” 

Decisions on which security technologies and practices are necessary for a particular device depend on how, where and by whom the unit will be used. “A lot of it is based on risk, like a risk assessment of the impact if that information should get divulged,” Lucas said. “So if the information itself is deemed very critical, that's going to elevate all the security requirements that you need to layer onto the particular device.”

Meanwhile, a vendor that hopes to get DOD acceptance for its mobile offering needs to follow steps mandated by the DOD Information Assurance Certification and Accreditation Process (DIACAP). The program was created to assure that information systems, including mobile devices, comply with DOD security requirements. “It’s the DOD’s way of certifying that a product or a service has very good risk management in it and that there are no issues that will happen when you deploy and use the system,” said Hussam Mahgoub, senior vice president of corporate research and development at Diversinet, a company that supplies secure mobile health care technology to the Army.

Diversinet, like many vendors seeking DOD acceptance, relies on an outside organization that specializes in DIACAP certification to ensure that its products aren’t rejected for an overlooked fault or shortcoming. “As a mobile security company with a deep history in that [field], every year, we get third-party organizations that specialize in risk assessment and so on to test our products and ensure that we adhere to the highest security standards, and that the product will not fail in attacks, or threats and all of that,” Mahgoub said.

Adding encryption

Encryption is generally regarded as the strongest tool available to lock down data stored on a mobile device. “Even if the device was lost or stolen, an adversary still can’t get access to that data because it's been encrypted on that device,” Lucas said.

Yet not just any encryption scheme will suffice for mobile devices used by defense personnel. All mobile encryption tools must comply with FIPS 140-2, the government computer security standard used to accredit cryptographic modules. FIPS 140-2 demands a two-factor authentication, which is based on something a user has, such as a fingerprint, and something he or she knows, such as a password. Like DIACAP, FIPS 140-2 certification is a rigorous process that sometimes motivates applicants to seek outside help. Yet certification, though a nuisance, is inescapable. “FIPS 140-2 is an important standard that’s necessary in working with the military,” said Rick Engle, a mobile solutions architect at Microsoft.

Besides protecting data residing on at-rest mobile devices, encryption also plays an important role in securing information moving across wireless networks. Once data leaves a mobile device and heads onto a commercial 3G or 4G network, it’s the network operator’s job to ensure that the information is securely transported to its destination. All major domestic carriers have developed encryption measures designed to safeguard data flowing through their cellular networks, though the results are have often been something less than inspiring.

Overseas, the situation can be even worse. In many countries, carriers lack even a minimal commitment to network security. It’s also been known for service providers to directly collaborate with governments and crime- or terrorism-focused organizations to monitor and intercept wireless data.

Given the known security risks and lack of direct oversight, DOD organizations continue to maintain a cautious stance toward commercial wireless networks, both at home and abroad. “When it comes to the cellular commercial 3G or 4G type of network, I guess guidance on that is still evolving,” Lucas said. “The Army does not currently deploy [on] any of those types of networks.” Yet Lucas held open the possibility that the current stance on 3G/4G networks may eventually change, at least on domestic networks. “We're currently working to do that, but there is no deployed capability currently,” he said.

Wi-Fi networks also pose problems. Anyone can operate a wireless hot spot, ranging from commercial operators and DOD to hacker kids and organized crime syndicates and terrorist groups. Fortunately, security over wireless links can be enhanced by placing encryption technology directly onto the mobile devices. “In terms of securing the confidentiality of the data, we can always make use of NSA-grade encryption,” Mihelcic said. “Then we have gateways to allow those [devices] to connect into DOD networks.” He added that as “more devices are approved for classified data, those gateways will be in place at the various classification levels.”

Data encryption allows mobile devices to take advantage of virtual private network technology, which creates secure connections between two or more locations anywhere in the world via encrypted tunnels through the Internet. “Commercial networks are definitely a part of our architecture,” Lucas said. “We rely on them, but many times what we'll do is tunnel across those types of networks.” S&TCD also takes advantage of other approaches to safeguard networks. “In general, they're authentication and access control mechanisms.” These tools may include complex passwords, biometric recognition technologies, such as fingerprint and iris readers.

The term defense in depth is frequently used at S&TCD to describe its multifaceted security approach, Lucas said. “It's a layering of various security technologies,” he explained. “You don't just throw encryption at the problem all of the time.”

Microsoft’s Engle agreed on the need to secure mobile devices at the access level. “You can have a very good operating system and very strong security for applications, but if your devices are just sitting there wide open and not locked and somebody has access to it, then you're going to have a problem.”

Outrunning the avalanche

Simply dealing with a rapidly growing onslaught of mobile devices, mobile operating systems and wireless network services is one of the biggest challenges facing administrators who work to maintain control over mobile device data. “One of the biggest problems is just the newness of the technology,” Mihelcic said. He noted that emerging products typically have only a minimal security knowledge base and are more likely to contain undiscovered security vulnerabilities than technologies that have been around for several years.

Even security technology vendors are struggling under the pressure of constantly arriving hardware, software and service platforms. “We have what I call a device and OS fragmentation,” Mahgoub said. “It makes it very difficult for companies like us to keep track of everything.”

Mahgoub observed that today’s increasingly cluttered mobile landscape makes the desktop PC scene appear almost tranquil. “Essentially, in the desktop world, you have the Microsoft operating system, and it's being changed maybe only once every two or three years,” he said. In the mobile market, where Windows shares the stage with Apple’s iOS, Google’s Android and other software platforms designed for use on a variety of mobile devices, significant changes can arrive as often as every few weeks.

New and innovative mobile device applications, which pop up even more frequently than hardware and software platforms, also create a constant headache for technology administrators. Because downloading and installing smart-phone and tablet software are as simple as pressing a button, it has become amazingly easy for mobile device users to inadvertently add unsecured apps to their devices. “The more third-party apps that are used on a mobile device, the more chances there are that one of them is going to be malicious or have security vulnerabilities due to its poor design,” said Alexi Lesnykh, business development manager at DeviceLock, a company that develops data security technologies used by the Army Corps of Engineers and others.

Facing the security challenges posed by rapidly evolving operating systems, dodgy apps and other factors, the Army is hoping to gain an upper hand on security vulnerabilities by developing its own Android-based smart phone. The device, dubbed the Joint Battle Command-Platform, is the first unit developed through an Army effort to create an Android-based smart-phone framework and an accompanying suite of applications for tactical operations. The overall government-owned framework, known as Mobile/Handheld Computing Environment, aims to ensure that applications will be secure and interoperable with existing mission command systems, regardless of who developed them. The platform is also designed to allow information to flow seamlessly across all force echelons.

Originally prototyped by Mitre, a nonprofit technology research organization, the framework is being developed at the Army’s Software Engineering Directorate. The Mobile/Handheld CE development kit is scheduled to be released to industry in July. Meanwhile, the Army is working on a set of mission command apps, including mapping, blue force tracking, Tactical Ground Reporting tactical graphics and critical messaging among all mission command systems. The basic app suite will also include an address book and OpenOffice for document viewing.

Policies and training

Just as a gun never accidentally misfires, a data loss can always be traced back to one or more acts of neglect, omission or carelessness committed by the device manufacturer, software developer, network service provider, department administrator or user. In retrospect, many data loss incidents can be viewed as a concerted team effort.

Should a mobile device get lost or stolen or network security falter, DOD is prepared to exert damage control and investigate any security breach. “DOD has in place standard approaches to handle security incidents across the entire spectrum of devices and classification levels,” Mihelcic said. “For every system that we have in the Department of Defense, we have assigned a Computer Network Defense Service Provider whose responsibility it is to handle those incidents.”

Most security experts agree that users operating or transporting devices in an unsafe manner form the weakest link in the data security chain. Lucas said he believes that creating and enforcing a mobile device use policy is the best way to ensure the highest possible level of data security. He noted that there’s no secret to effective user training other than making it comprehensive and providing it in the first place. “They just should be trained, by policy, for what they should and shouldn't do with a particular system when operating it,” he said.

Meanwhile, DOD, DISA, the National Institute of Standards and Technology and various military service branch technology offices continue to work internally and with hardware and software vendors to make mobile devices safer and more reliable. Mihelcic noted that vendors are generally eager to assist the defense community “in terms of understanding and trying to work to address our requirements in their future designs, but the reality is that it is not going to happen overnight.”

NEXT STORY: Cyber challenge: Securing private-sector IT with a minimum of regulation

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.