The Defense Department has already gotten good results in tests designed to get Apple’s iOS mobile devices up to DoD’s security standards, and Android-based smartphones and tablets might not be far behind.
A Defense Information Systems Agency (DISA) team that works on mobile device security sent the draft version of its security plan for Android devices to Pentagon higher-ups last month. Once it’s approved, they’ll be able to begin real-world pilot testing on Android devices, as they’ve already started doing on iPhones and iPads, said Lt. Col. Anmy Torres, director of DISA’s Secure Go Mobile program.
For now, the only mobile devices approved for use on DoD networks are RIM’s Blackberry products and some Windows Mobile smartphones. In any case, Torres said, a user has to authenticate him or herself with a swipe of their common access card (CAC) in order to access DoD networks and digitally sign emails.
“For us, that’s critical,” Torres said at an industry gathering hosted by AFCEA Bethesda. “If I bring a device to DoD security that can’t use CAC, that’s a nonstarter. We’ve been demonstrating that we can use CACs to digitally sign, encrypt and decrypt (data). We’ve also been able to demonstrate that when a device is lost or stolen, I can remotely wipe your device, either just the application in question or wipe the whole thing.”
And the need to be able to wipe devices is, for now, one thing that’s keeping DoD from moving toward personally owned devices on Defense networks.
“If we let people use their own personal devices, and you have a one-of-a-kind photograph in there and we need to wipe your phone, you may have an issue with us,” she said. “We don’t want that.”
But Torres said the prospect of government-furnished Android and iOS devices is moving forward. She said DISA and the military services have already started testing iPhones and iPads using secure mobile messaging software developed by Good Technology, Inc., as well as other tools. The security technical implementation guides (STIGs) her team submits up the chain of command have to demonstrate that a device’s operating system and hardware can accommodate the Pentagon’s standards for data security.
“You need to be able to identify whether a phone has been jailbroken or rooted, and if you lose it, what you do. Cameras are cool, but in our case, they’re not so cool in some DoD spaces. You need to be able to disable cameras, Bluetooth, Wi-Fi, and a number of other things,” she said.
Some users, though, have reported frustration at having to swipe their CACs through a separate, wirelessly connected device in order to authenticate themselves on DoD networks.
At least one branch of DoD, the Army, is beginning to look at alternatives.
“I need something else,” said Maj. Gen. Steven Smith, who heads the Army CIO’s cyber directorate. “It’s a little onerous, because with most devices you have a separate CAC sled, and most of our folks don’t really like that.”
Smith, speaking at AFCEA DC’s cyber symposium, said the Army is preparing to send out a request for information to industry to explore what the next big thing might be when it comes to secure personal identification.
“I don’t personally know what it ought to be,” he said. “There’s certainly a lot in the field of biometrics, but we’ve got to be able to store that data, we’ve got to be able to retrieve that data. So what’s it going to be? Something with my eyes or my fingertips? We’ve seen [biometrics] work well in small enclaves, or in the higher security networks. But when you’re talking about 1.2 million users who may all have some kind of mobile device, that’s going to significantly change the way we buy at the desktop and the way we operate. Because whatever we do in theater, we need to be able to do at home station. You train like you fight.”
And Smith said the Army is planning, along with the National Security Agency’s Information Assurance Directorate, a pilot project involving cloud computing tailored to mobile devices. He said they want to explore whether cloud could offer a way forward as the Army looks to standardize its systems and networks.
“In a sense we could go to a thin client or even a zero client, whether that’s mobile or at the desktop,” he said. “There’s some pretty significant risks there, but also some pretty significant opportunities. It gets us out of a lot of the certification and accreditation problems, and it screams of standards. In the cloud, we may be able to have a really good common operating environment, so that our soldiers won’t really know the difference, but they’re within the standards. How we would be able to see those, defend those and maintain those offers some really interesting opportunities that we’re pursuing very heavily.”