GCN Tech Blog

By GCN Staff

BlackBerry secure enough for the President

We recently reported that if President Obama was going to use a smart phone in the White House, it would likely have to be something other than a BlackBerry that met National Security Agency specifications. That most likely meant a SME PED – a Secure Mobile Environment Portable Electronic Device that is capable of accessing classified networks.

However, an encryption expert familiar with the security design of BlackBerry smart phones, and the enterprise administration systems that support them, tells GCN that a BlackBerry has all the encryption and security provisions a president would need.

Research in Motion (RIM), which makes the BlackBerry, uses Advanced Encryption Standard 256, the strongest encryption method available, and one that is approved for secret levels of communication by the NSA. Each message sent to a BlackBerry is broken into packets, each with a different encryption key code. Even if someone were to intercept a message, the key codes are so large, it would be virtually impossible to decipher them; and the contents in the packets are a meaningless scramble of data until all the packets are reassembled.

Moreover, there are more than 500 policies that an administrator can control regarding how messages are to be delivered, from or to whom, and what Internet applications can be processed. Administrators can even arrange to delete all the data at rest on a BlackBerry if it hasn’t connected to the network within a set number of hours.

BlackBerry can also support additional layers of encryption, including proprietary protocols such as HAIPE, or High Assurance Internet Protocol Encryptor, which NSA requires to access the government’s classified Secure IP Router Network (SIPRnet).

HAIPE is like having a lightweight virtual private network client on your smart phone. It loads the same encryption key on all HAIPE devices that will participate in a multicast session in advance of data transmission, creating a secure gateway that allows parties to exchange data over an untrusted or lower-classification network.

The SME PEDs now available from General Dynamics C4S, and soon to be available from L-3 Communications, have the HAIPE protocol built in, along with the ability to switch easily between classified and unclassified government networks, among other features.

“The built in security of the BlackBerry is equal to the SME PED, but the difference is the type of cipher,” said this encryption expert.

HAIPE devices also have their limitations. For one, HAIPE is a big drain on battery power, as SME PED users are quickly discovering. Users report they routinely have to recharge their devices after only two or three hours.

In many ways, BlackBerry smart phones, among others, offer more security to mobile users than most laptops.

With a BlackBerry, for example, if the operating software detects a set of instructions that don’t conform to the policies set up for a specific device, the software can immediately instruct the device to cancel the user’s privileges or stop it from working altogether.

White House press officials and spokesmen for RIM, General Dynamics and L-3 all refuse to comment on what kind of smart phone President Obama is carrying now, or who is on the commander in chief’s white list.

But if President Obama was intent on using a BlackBerry, there’s nothing about its security features that would prevent him from using one.

Posted by Wyatt Kash on Jan 31, 2009 at 9:39 AM


Reader Comments

Wed, Feb 4, 2009 David Cooper Australia

The article seems to be missing an important point. The SME-PED is a security evaluated product. It has been designed specifically for this role, and analysed by independent security experts and approved by the NSA for this type of use-case. The product as a whole has been reviewed in its entirety by trained professionals and determined to be secure. RIM may leverage some of the same technologies, but it can't be trusted unless it undergoes the same level of rigour in evaluation and analysis. For example, the RIM may use fabulous encryption, but a back-door on the device might allow an existing installed application to read the emails and upload them over the internet. Security doesn't come down to which encryption algorithm you use. It comes down to system design, analysis and independent proof. Too many times people select convenience over security.

Wed, Feb 4, 2009 Chris Silva Boston, MA

So much speculation on this, and while the BB meets spec for cipher strength, one wonders if the mere testing pedigree of another device such as the Spectra Edge from GD, would be the choice of the NSA. Also curious, was this source bound by some condition of anonymity related to their role in the administration?

Wed, Feb 4, 2009 jonathan quinn newport beach, ca

What are the CEOs and other C-level execs supposed to use? Especially considering the U.S. wiretapping laws mandated by CALEA. Blackberry doesn't have a secure voice or text solution. They secure email and web access. Sectera Edge has secure voice but only if both end users are encrypted and only for use by U.S. Officials with Top Secret clearance. I know of a company, SILENCE, Inc., that has a solution that can secure voice, text, web access and email 100% of the time regardless of the end user's encryption or lack of it. They use a client-server solution and comply with CALEA.

