Defense CIO sets wireless policy for Pentagon
- By Dawn S. Onley
- Oct 04, 2002
After months of work, the Defense Department CIO last week issued a policy restricting use of wireless devices at the Pentagon.
A policy applying to users throughout the department is next on the agenda, CIO John Stenbit said, adding that he expects it will be ready within a few months.
'The reason we're doing a wireless policy is that there are certain types of wireless devices that attach to a network,' he said. The chief cause for concern, Stenbit said, is the potential for users to detect services on DOD networks for which they do not have access privileges and appropriate security clearances.
In a separate decision, Defense leaders also will keep in place a moratorium prohibiting the installation of new telecommunications networks to support wireless services until the Pentagon finishes assessing the security vulnerabilities of wireless technologies.
Stenbit has asked the National Security Agency to develop a database of wireless technology vulnerabilities for the department to use in its assessment effort.
Effective immediately, the Pentagon Area Common IT Wireless Security Policy prohibits Pentagon employees from connecting a wireless device to a classified network or computer. The rule also bans synchronizing a wireless device with IT devices that have not been approved by the Pentagon.
Further, the policy prohibits wireless devices from:
- Use as a primary means of communication for critical operations
- Use as part of a mission-critical system
- Use in downloading software.
'Given the exploitable vulnerabilities inherent in current wireless products and technologies and the interdependencies of Defense and Pentagon networks, it is essential and expected that all tenants will strictly adhere to this policy,' the policy said.
The policy allows the use of wireless devices, such as cellular telephones and personal digital assistants, for unclassified data and sensitive but unclassified data, if the wireless system has been approved.
'For us, a denial-of-service attack on a computer when we are in the middle of doing something is a big deal,' Stenbit said. 'This is a way to control the security problems that we know occur with wireless devices.'
Defense officials said that although wireless computing devices and infrastructure support systems can increase connectivity, they also increase security vulnerabilities.
The policy will require centralized oversight, configuration management and control of wireless information systems.
Shannon Kellogg, vice president of information security programs and policy at the Information Technology Association of America, said he supports the wireless policy but hopes DOD brass will consider how new technologies can help secure Defense's use of wireless networks.
'We understand that DOD has particular needs in protecting sensitive data, but there are technologies that are available to secure wireless networks,' Kellogg said. 'We think it's important to look at some of the technologies.'
NSA will develop a wireless technology vulnerabilities database that 'will provide an initial assessment of the potential vulnerabilities of specified wireless features and capabilities along with the associated risks and a countermeasures recommendation,' the policy said.