NSA-grade encryption for mobile over untrusted networks
- By Stephanie Kanowitz
- Aug 07, 2015
The only term being thrown around government more than “2016 elections” these days is “cybersecurity,” particularly following a rash of damaging and high-profile data breaches. With that focus on protecting information top of mind in agencies, USMobile officials hope to find a ready market for their commercial app, which lets government workers use their personal smartphones for top-secret communications.
Called Scrambl3, the app creates a secure virtual-private network that connects bring-your-own devices to an agency server to send messages using end-to-end encryption. Irvine, Calif.-based USMobile developed the Scrambl3 technology when team members worked with the National Security Agency to create “Fishbowl,” a secure phone network available only to Defense Department users via the DOD Information Network.
“We’ve implemented Fishbowl in the form of a software-defined network, so all of those typical hardware components that you’d find in a mobile network -- routers, VPNs, gateways, firewalls, proxy servers -- all of those components are expressed or implemented in our system in the form of software,” said Jon Hanour, USMobile’s president and CEO. “We’ve made an affordable version of Fishbowl.”
When the turnkey solution comes to market in October, it will work with Android and Apple iOS devices. It uses the Security-Enhanced Linux operating system and a defense-in-depth approach. The layered approach uses a VPN connection with an encrypted VoIP call travelling within.
When an agency deploys Scrambl3 Enterprise, administrators will set up what USMobile calls Black Books, or lists of contacts that each user can communicate with via the VPN.
“A lower-level person wouldn’t necessarily have the director of that particular agency listed,” Hanour said. “Conversely, the director of that particular agency would have [a] contact list populated with people that are at the higher levels of management.”
When a user logs into the app on a smartphone, it creates a VPN that connects to the agency’s server, whether it’s in the cloud or on premises. Currently, Scrambl3 Enterprise software is deployed only on IBM Power Systems Linux servers.
A two-rack server can handle up to 3,000 concurrent calls, Hanour said, a capacity “that would handle comfortably an agency of 50,000 people.”
Once connected, users can see who in their Black Book is also logged in, as indicated by a green dot next to the name, and then select the mode of communication: email, voice call or text. Both senders and recipients would need to have Scrambl3 installed.
“Once you establish this powerful VPN, you can run anything through it,” Hanour said. “Anything that you can put on a server, you can use Scrambl3 to communicate with.”
Calls are highly encrypted until they reach the recipient, where the app decrypts them. That communication happens at a top-secret-grade level as specified by NSA. Despite that encryption/decryption process, Hanour said, latency is unnoticeable.
For additional protection, nothing is recorded – users can’t even leave voicemail – unless an agency specifies otherwise. For instance, Hanour said, some law enforcement regulations require that all communication among officers be recorded.
The law enforcement community is a prime target customer for Scrambl3 because public cell phone networks don’t meet heightened police security standards, and photographic evidence requires a secure uploading process.
To use Scrambl3, agencies don’t need mobile device management systems, but it integrates with any that might exist.
“The advantage of this architecture is that the communication that the mobile device management software would typically have with the device, that communication can now run inside the VPN, so it makes that even more secure,” Hanour said. “It creates value for the mobile device management system as well because you can protect it inside the VPN.”
Licensing fees for Scrambl3 depend on the number of users, but typically start at $5 per user per month. The most it would cost, Hanour said, is about $10 per user per month.
Right now, Scrambl3 for Android is available in beta form in the Google Play Store for testing. Scrambl3 for iOS will be available next month.
The beta version does not include all Scrambl3’s features, such as conference calling. When the release version is up and running in October, Scrambl3 will offer the only top-secret-grade conference call capability outside DOD’s network, Hanour said. Users will be able to initiate a conference call by touching a few people’s names and pressing the call button.
Besides law enforcement, Hanour sees potential customers in several types of government operations, including health care, the State Department when conducting diplomatic relations and even individual politicians, who might want to communicate in absolute privacy.
“The whole idea is to create trusted communications over untrusted networks (i.e., the Internet),” Hanour said.
Stephanie Kanowitz is a freelance writer based in northern Virginia.