Securing smartphones and tablets is a lot easier said than done for most agencies. Federal security experts still are trying to find the right balance between mobile access and security of data and applications.
The Defense Department, however, may have the answer for many of these challenges.
Richard Hale, DoD’s deputy chief information officer for cybersecurity, said the military may have broken through the long-time roadblock to meet users’ needs for mobile devices and DoD’s requirements for cybersecurity.
He said this new approach will continue to depend on the Common Access Card (CAC), but just in a different way.
“We are going to put that [public key infrastructure] credential onto the mobile device directly. We will not have a separate CAC card reader or something like that,” Hale said Thursday after he moderated a panel at the AFCEA Washington, D.C. chapter’s Cybersecurity Summit in Washington. “We have three pilots that have shown this can be done in a secure way. There are some security issues still in the business of getting those credentials onto the devices that we are still working through. So we don’t yet have a formal program to put an issuance infrastructure in place. But I believe in the next couple of months we’ll make a decision that we have a particular path to credential issuance and then we will put a program up and start doing it. I’ll make a bold prediction before the end of the calendar year we will be issuing derived credentials on a production way on mobile devices.”
Hale said DoD is looking at all the big mobile vendors, including Apple IOS, Android, Microsoft and BlackBerry.
“We will probably roll those out in phases given there are differences in the technologies so we will have to do engineering for each,” he said. “The Defense Information Systems Agency and the National Security Agency are working together with industry to come up with methods of moving these credentials or putting new credentials derived from the CAC card credentials onto these mobile devices securely. Again, each technology uses a different approach so there is integration engineering happening.”
DoD has been working on this issue for the better part of 18 months and it may be close to two years before they come to a final decision on the approach to use derived credentials.
The Pentagon launched a first set of pilots back in November 2013.
But what’s different now is Hale’s certainty that the derived credential, which means the phone holds a piece of software to authenticate the user to the network, is good enough for widespread use across DoD.
Hale said DoD has looked at seven or eight different approaches to mobile security, and the use of the derived credential seems to be the best one.
This isn’t the first time DoD tried to figure out how to integrate its CAC card with mobile devices.
But time and again, the technology and process stymied DoD over the years.
“Having a separate sled with the mobile device was always a problem in the sense that when I would use them the battery would be dead when I needed it, or I’d have trouble pairing them, or I just wouldn’t have it at the point when I needed it. So people struggled with that,” Hale said. “We did not have a good way to put the private key in this cryptographic credential into the mobile device and protect that private key strongly. We believe that the technology vendors have been working this problem and they have stronger ways to protect that private key than they’ve ever had, and we believe the strength is there now for general use of this derived credential approach.”
At the same time DoD was piloting this concept, the National Institute of Standards and Technology also worked on standards and approaches to using derived credentials.
NIST in December released version one of the Special Publication 800-157 detailing the technical guidelines for the implementation of standards-based, secure, reliable, interoperable PKI-based identity credentials to a valid smart identity card under Homeland Security Presidential Directive-12.
Other agencies also are testing the derived credential approach. The Homeland Security Department is running a small-scale pilot for employees to access email through their mobile device.
But if DoD can accept the use of derived credentials, it opens the door for other agencies too.
Roger Clark, the acting chief information security officer at the Commerce Department, said mobility remains one of his biggest challenges.
“With a lot of international travel and stuff that is required to support the executives and other missions of the department that is another thing we are trying to fight that battle on how do we provide that secure mission assurance when our executives travel overseas,” he said.
For Defense and civilian agencies, the mission and program dependence and desire for mobile devices also is helping them overcome many security concerns.
Hale said there is strong demand for mobile capabilities from all parts of the military.
“This is mission driven,” he said. “We in the security business have been trying to work with industry to get the security to the point where we think we can depend on the security of these devices for important DoD missions. So we think we are there.”
The fact that DoD CIO is close to accepting the technology and associated risk is a good thing for the services.
The Navy Department, for instance, recognizes the mobile imperative and is taking the plunge this summer, starting with Apple IOS and then Android later on.
Command and control
John Zangardi, the deputy assistant secretary of the Navy for command, control, computers, intelligence, information operations and space, said the plan is to deploy about 28,000 devices by the end of the year.
“Increasing mobility in the department is a major concern for us. N2/N6 [Intelligence, Cyber Warfare, Command and Control, Electronic Warfare, Battle Management, Oceanography and Meteorology capabilities] on the Navy side stood up a mobility integrated product team [IPT], which the Marine Corps is participating in. We are trying to find ways of bringing increased mobility to all of the users on our network,” he said. “There are a lot of ideas on the table. Some of them cost money. Some of them involve procedures. We have to sort through them so we’re not inflicting inordinate cost to achieve something or we are not increasing our security risk.”
Zangardi said he visited Naval bases in Guam and Japan in February, senior leaders pushed for more access to systems and data through mobile devices.
“They view their smart device as a command and control device, and it’s very important for them to have that capability in their hands, gives them a broad range of options yet retains security,” he said.
Zangardi said the new mobile devices, for now, will touch only the NGEN network in the continental United States.
“We’re beginning the initial buildup of the infrastructure. Some of that is in place at the major sites,” he said. “The Washington Navy Yard; Norfolk, Virginia; San Diego; Bremerton, Washington; Pearl Harbor, Hawaii and Jacksonville, Florida, are the major sites where we are going to put in the infrastructure.”
At the National Security Agency, Sally Holcomb, the deputy CIO, said mobile or not, the challenge is around protecting data while ensuring mission agility.
She said the big challenge for the NSA is data management and data governance. NSA is hopeful that the Intelligence Community IT Enterprise (ICITE) cloud could help answer some of those questions because data can be secured at the object layer — otherwise known as attaching roles and responsibilities to the data.
Holcomb said NSA is struggling with the concept of encrypting data or using data rights management software but still making the information discoverable to analysts and collectors.