DoD grapples with smartphone, tablet security

DoD grapples with smartphone, tablet security

By Philip Ewing Monday, August 29th, 2011 2:59 pm
Posted in Cyber Security

Last week we were talking about a major new software product that security giant Symantec Corp., hopes DoD, the feds and the private sector will buy to let workers use their own smartphones and other devices for work — securely. It’s still more than a year away, though, and there’s no guarantee it’ll work, or that the government will want to buy it. But service members and civilians are using their own smartphones and tablets now, today, meaning the Defense Department’s top systems officials already have their work cut out.

This is tricky, because commands are finding many new ways to use their consumer-grade devices — like the Marine aviators whose new best friend is the iPad — so DoD officials want to allow that kind of adaptation, but make sure it doesn’t pose a security threat. This is how an official DoD story broke it all down:

“Because of the pervasiveness of the [mobile computing] market, everyone has one, everyone wants one, but we often don’t look at how the device works — we take it home and start loading pictures on it,” Robert E. Young, division chief of outreach and communications for the Defense-wide Information Assurance Program, said during a recent interview with the Pentagon Channel and American Forces Press Service. “We do want this innovation in the Department of Defense so we don’t want to say no,” he added, “but we want to do it safely and securely.”


Issues that concern the department, Young said, include the huge memory capacities of some of the new smart devices and users’ general lack of knowledge about how smart phones and tablets work and how they could be compromised. “With all the different operating systems out there,” Young said, “every patch, every update changes each device and the vulnerabilities within [and users] are going to have to weigh that risk.”

Young said the department is evaluating how people are really using the devices — whether they’re using smart phones to check email or tablets to read memorandums or policies. “What are you doing with the device? Is the camera disabled, are you taking pictures of people? I take a picture of you, I upload it and now you’re tagged and all of a sudden everyone knows where you are. So it leads to a digital footprint that connects to the device — anywhere, anytime, any device,” he said. “In a split-second it’s up and online,” he added. “And once on the net — always on the net.”

The story goes onto explain that, of course, there’s a high-level commission looking at this issue from soup to nuts.

“We have a Commercial Mobile Device Working Group and we take best practices from [the Defense Advanced Research Projects Agency], the [Intelligence Advanced Research Projects Activity] and from our intelligence community partners” and share information, Young said. “In the working group we have Army, Navy, Air Force, Coast Guard, FBI, CIA,” he added, “ … so that as a federal government, with a federated response, we can go to the vendors and say, this is what we need.”

The department also is working with DARPA and the Army on pilot programs for using mobile computing devices innovatively while also protecting information. “Is the data at risk; is it encrypted while it’s being worked on?” he said. “If you lose a device physically what are you going to do?”

Defense officials’ experience with officially issued laptops is some help here, but there are crucial differences. Unlike a government computer, which administrators might be able to lock out remotely if an employee reports its loss, there may be nothing they can do if a worker admits losing an iPad that may have contained sensitive information. Sure, that’s an extreme example — why would your employee be carrying such data on his tablet in the first place? — but there are likelier scenarios, too. Suppose a worker’s Android phone is infected with malware, and she innocently plugs it into her work computer to charge and sync contacts. You can imagine the government IT workers turning green at the thought of thousands of unknown phones running unknown software being plugged into official computers, even when the workers doing it are being scrupulous about handling secure information.

It’s a thorny problem, but DoD has no choice — the mobile device genie is out of the bottle.

Join the Conversation

Thinking_ExUSAF August 29th, 2011 at 4:20 pm

There has always been a ticklish balance between securing the information and getting the information to those that can use it. You see it every day when we try to “trickle down” info from the high side to the shooters. With handhelds pushing the information pipe out to the individual soldiers, it gets even scarier to the high-side folk because of the increased potential for leakage, and more frustrating to the shooters who know that they now COULD have the latest greatest info in their iPhone. Perhaps a major change of paradigm is in order.

Not that I think it would actually fly, but just for discussion sake, .… what if we made the whole “COP” essentially open literature, then everyone, including the targets, know that they are targets right now to the last UTM. No secrets, but certain folk, i.e. the shooters, still get to make their inputs! If the targets are trying very hard to get small, and not knowing where death and destruction may be coming from, they dont have much time for anything else! LOL!

DoDCool-Aid4ALL August 30th, 2011 at 6:28 am

The PADs although a descent products still is not ready for DoD use. They have a flakey way of accessing remote files from a server which is very unsecure. Unless everything you do, don’t require files. Just email. Then is ok, but still not secure. Then until DISA addresses the cloud security issue, these smartphones are not an answer. At least for the short time that is.

Dfens August 30th, 2011 at 10:16 am

I must be getting old. I remember when the US military lead the world in technology. Now they sit in a circle around new technology (developed by actual, honest to God capitalists) in a scene reminiscent of the ape men at the opening of 2001 around the alien obelisk, trying to figure out what to do with it.

Bronco46 August 30th, 2011 at 2:15 pm

iPads are being used in a number of industries; even ones requiring good to great security. I’ve used Mac’s for a long time but I’m not real familiar with what kind of software would be necessary to harden iPads to the level they need. But if a windows computer can be protected, to some degree; then they should be able to get the iPads doing most of what they want. They’re easy to use, they’re available now, and no over priced R&D program would be necessary.
I must be missing something.

DoDEngr September 21st, 2011 at 7:17 am

Mac’s use typical UNIX level security, which means they maxout at IPSEC. IPSEC and the many flavors of NSA level encryptions techniques are a whole different level of conversation. One that can not be discussed on this type of forum. The other question getting a CAC reader integrated into the Pads architecture. I said integrated, not connected by a dongal. That means you are going to have to persuade ($$$) Apple to modify or adapt this technology into their development and design and then production. Apple is doing very very well in the stock market to stop for a speedbump called the DoD.

Case in point: The DoD couldn’t convince industry to jump on the IPv6 bandwagon, how do they expect them to convince this business position?

Now if were talking about a windows tablet, then I would rather use a brick. Andriod owns this turf, and MS is in the rear mirror. But there’s that topic about Googles relationship to China. That may be an interesting debate. Grab some popcorn, buckle in .…. the show is about to start.

Macman1138 December 1st, 2011 at 2:56 am

I agree, IPv6 is the way to go, but field anything with Windows or Android.
Android owning tablet turf? Oh please.…get real.

*required

NOTE: Comments are limited to 2500 characters and spaces.

By commenting on this topic you agree to the terms and conditions of our User Agreement