Rising battlefield smart-phone use causes safety concerns

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By John Edwards
 

Connecting state and local government leaders

By John Edwards

|

Defense organizations explore whether commercial handheld devices can provide enough encryption to meet security requirements.

With more defense organizations thinking about using iPhones, BlackBerrys, Droids and other commercial handheld devices for field activities, there’s growing interest in whether such devices can be secure enough to safeguard sensitive information.

Recent advancements in device performance, functionality and encryption support are making handheld devices more appealing to an array of defense organizations that previously might have turned to custom-developed systems, said William Marlow, CEO and chief technology officer of Protected Mobility, a mobile security software developer based in Reston, Va., that’s active in the government sector. “There’s finally a realization that commercially available products can and will serve as the basis of secure communications,” he said.

Marlow said the technology’s attraction is clear as the latest commercial devices tend to be compact, powerful, convenient, infinitely useful and universally available. “Yet the best part of using commercial products is that they are more human-oriented rather than being designed for a specific task,” Marlow said. “This reduces training and, when done right, the device costs are significantly lower.”

Despite their growing appeal, commercial devices have limitations when deployed in defense applications. Although most handheld devices fit comfortably into routine enterprise-level operations, security concerns proliferate when the technology moves into defense settings, said Stephen Lucas, chief engineer of the Space and Terrestrial Communications Directorate at the Army’s Communications-Electronics Research, Development and Engineering Center. That is particularly true when users operate in field environments that are close to the tactical edge.

“There’s a different mindset between the commercial side versus the military side when it comes to layering on security,” Lucas said. “Ultimately, lives can be in jeopardy when information falls into the wrong hands.” And that makes high-level encryption a top priority for defense adopters across all sectors, especially those in tactical environments.

Which is most secure?

Apple, BlackBerry and Android-based products dominate the commercial market, and those devices also tend to attract the most interest from defense users. However, encryption support varies among the three product families.

With Apple iPhones and iPads that operate on iOS 4, adopters can take advantage of hardware device encryption. Apple's e-mail application also supports app-level encryption. However, it’s a minimal amount of encryption support and is insufficient for defense organizations. A proprietary platform is a further detriment.

Marlow said Apple’s hermitic policy limits the ability of third-party encryption providers to design compatible products. “They refuse to allow access to the iOS, which would allow better designed products,” he said. “Currently, there are workarounds, and of course, there are solutions for jail-broken devices.”

Lucas said BlackBerry devices are perhaps the most intruder-resistant commercial handheld products. “When it comes to encryption, the BlackBerry appears to be the most inherently secure,” he said. “It supports full-device encryption, including media cards, keeping your data secure when your phone becomes lost or stolen.” BlackBerrys rely on a two-key Triple Data Encryption Algorithm for creating message keys and master encryption keys.

Lucas said he also likes the fact that all BlackBerrys, unlike Apple or Android-based products, feed data through a central point: the BlackBerry Enterprise Server. “All security controls are enforced from that centralized server,” he said.

Android-based phones and tablets are at the opposite end of the handheld encryption spectrum because they have no native encryption capabilities, though rumors are circulating that the upcoming Android 3.0 operating system, code-named Honeycomb, will incorporate some level of encryption. “The overall security architecture for the Android is immature compared to iPhone and BlackBerry,” Lucas said.

Despite the lack of any built-in encryption, Lucas said most Defense Department organizations are focusing on the Android platform. “This is largely because the Android OS is hardware agnostic, meaning applications developed to run on the Android OS can run on most current and planned hardware platforms,” he said.

With Android popularity steadily rising in the defense community, Lucas said the Army is working to build a security foundation for those and other handheld devices. The Army's Space and Terrestrial Communications Directorate "has invested a lot of resources into understanding third-party security tools, as well as beginning the research and development of a SIM card/lightweight security toolset that would provide all cryptographic features,” he said.

The toolset is being designed to protect a variety of data types. Other attributes include a personal firewall, input/output controls, security policy management, antivirus capabilities, multifactor authentication, tactical DOD public-key infrastructure and Secure/Multipurpose Internet Mail Extensions support, Lucas said.

At the moment, the best encryption support for Android devices comes from third-party add-on products. Whisper Systems‘ RedPhone voice-over-IP application uses an encryption protocol named ZRTP that was designed by Pretty Good Privacy inventor Phillip Zimmerman. The app uses encrypted Short Message Service messages to quickly establish calls across a VOIP connection, all behind the convenient mask of a normal dialing interface or contact list. However, RedPhone and most third-party handheld add-ons lack official validation, which prevents their use by any defense organization.

Getting validated

Tom Karygiannis, a senior researcher at the computer security division of the National Institute of Standards and Technology, said meeting government encryption standards can create a significant obstacle when acquiring commercial technology. “In the past…a government agency could issue a contract for someone to build, at a huge cost, custom hardware and software,” he said. “Now, the way the market is, very capable devices are available at your local retailer.”

However, Karygiannis said, acquiring handheld devices that are suitable for defense personnel isn’t as easy as walking into the nearest Best Buy. “A government agency that wants to send or store sensitive information has to use cryptographic algorithms that have been validated by an independent and accredited lab,” he said.

“The Defense Department mandates use of a NIST FIPS 140-2-validated encryption product to prevent compromise of data security,” said an Air Force Space Command electronics engineer who is familiar with mobile encryption technologies and DOD mandates. FIPS 140-2 is the government computer security standard used to accredit cryptographic modules. FIPS 140-2 requires two-factor authentication, which is based on something you know, such as a password, and something you have, such as a fingerprint.

Meanwhile, with new handheld devices hitting the market on a seemingly daily basis, it’s becoming increasingly difficult for the FIPS validation process to keep up with the constant flow of product introductions. “The rapid pace of introduction and short life cycle of commercial handheld products makes it impractical to obtain FIPS 140-2 certification for every device,” the engineer said. “This impacts the rate of adoption of new devices" by DOD.

Karygiannis agreed. “New [handheld models] come out every three to six months, maybe even more frequently,” he said. “They're introduced in the market quickly, so government agencies need to figure out how to get these devices tested and validated and procured quickly.”

That’s especially tough for organizations that have users on the tactical edge. “It is very difficult to take a commercially developed product and convince the NSA that the product is secure enough for a military environment,” Lucas said. “Currently, the NSA certification process can take 12 to 24 months to acquire certification, and the costs are immense.”

Some relief might eventually come from OpenSSL, an open-source initiative that promises to produce open-source validated encryption modules almost as quickly as new handset models arrive on the market. “If these could be used on the [handheld] devices, then that solves a pretty big problem for the government agencies,” said Karygiannis, who expects the first validated encryption modules to arrive sometime in fiscal 2012.

Performance drag

Validation issues aside, another challenge facing handheld device adopters is the tendency of advanced encryption algorithms and supporting software to create a noticeable performance drag. “In general, encryption does increase the amount of storage necessary for the data,” the Air Force engineer said. “Also, the process of encryption/decryption may cause the user to experience a slight lag time to display the content.”

Karygiannis said rapidly advancing handheld technology is helping to minimize performance concerns. “The hardware capabilities of some of these devices today are much better than what you would have found on a desktop a few years ago,” he said. Karygiannis said displays and Global Positioning System subsystems can be a bigger drain on the battery than the extra computational cycles that encryption might add. “I’d be more worried about the battery life for these types of devices being used in the field than the extra load introduced by encryption,” he said.

Future trends

Like handheld devices, encryption technology is growing more efficient and capable. “Currently, you can get excellent data encryption using AES-256, SHA-256/384, ECC 521 and others,” Marlow said. “Within two years, you should see full Suite B encryption available on these devices,” he said, referring to a set of cryptographic algorithms promoted by the National Security Agency as part of its Cryptographic Modernization Program.

Lucas said progress is being made on multiple fronts. As NSA adopts commercial technologies and DOD further defines encryption requirements, "more and more organizations get involved ... [and] we can expect to see better protection in the years ahead,” he said.

NEXT STORY: DOD aims to make classified networks WikiLeaks-proof

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.