DOD Works to Boost Smart Phone Security

WASHINGTON, Aug. 29, 2011 — As the Defense Depart­ment seeks inno­va­tion made pos­si­ble by smart phones and oth­er mobile com­put­ing plat­forms, it’s also work­ing to ensure DOD users of those devices employ them secure­ly, a defense offi­cial said.

“Because of the per­va­sive­ness of the [mobile com­put­ing] mar­ket, every­one has one, every­one wants one, but we often don’t look at how the device works — we take it home and start load­ing pic­tures on it,” Robert E. Young, divi­sion chief of out­reach and com­mu­ni­ca­tions for the Defense-wide Infor­ma­tion Assur­ance Pro­gram, said dur­ing a recent inter­view with the Pen­ta­gon Chan­nel and Amer­i­can Forces Press Ser­vice.

“We do want this inno­va­tion in the Depart­ment of Defense so we don’t want to say no,” he added, “but we want to do it safe­ly and secure­ly.”

Issues that con­cern the depart­ment, Young said, include the huge mem­o­ry capac­i­ties of some of the new smart devices and users’ gen­er­al lack of knowl­edge about how smart phones and tablets work and how they could be com­pro­mised.

“With all the dif­fer­ent oper­at­ing sys­tems out there,” Young said, “every patch, every update changes each device and the vul­ner­a­bil­i­ties with­in [and users] are going to have to weigh that risk.”

Young said the depart­ment is eval­u­at­ing how peo­ple are real­ly using the devices — whether they’re using smart phones to check email or tablets to read mem­o­ran­dums or poli­cies.

“What are you doing with the device? Is the cam­era dis­abled, are you tak­ing pic­tures of peo­ple? I take a pic­ture of you, I upload it and now you’re tagged and all of a sud­den every­one knows where you are. So it leads to a dig­i­tal foot­print that con­nects to the device — any­where, any­time, any device,” he said.

“In a split-sec­ond it’s up and online,” he added. “And once on the net — always on the net.”

Part of the answer is to edu­cate, and raise mobile tech­nol­o­gy aware­ness for mil­i­tary mem­bers, DOD’s civil­ian work­force and their fam­i­lies, Young said.

As part of this effort, he added, the depart­ment is tak­ing a cohe­sive approach to adopt­ing mobile tech­nol­o­gy.

“We have a Com­mer­cial Mobile Device Work­ing Group and we take best prac­tices from [the Defense Advanced Research Projects Agency], the [Intel­li­gence Advanced Research Projects Activ­i­ty] and from our intel­li­gence com­mu­ni­ty part­ners” and share infor­ma­tion, Young said.

“In the work­ing group we have Army, Navy, Air Force, Coast Guard, FBI, CIA,” he added, ” … so that as a fed­er­al gov­ern­ment, with a fed­er­at­ed response, we can go to the ven­dors and say, this is what we need.”

The depart­ment also is work­ing with DARPA and the Army on pilot pro­grams for using mobile com­put­ing devices inno­v­a­tive­ly while also pro­tect­ing infor­ma­tion.

“Is the data at risk; is it encrypt­ed while it’s being worked on?” he said. “If you lose a device phys­i­cal­ly what are you going to do?”

DARPA and the Army are also look­ing at new appli­ca­tions for such devices, Young said.

“The issue is that we have to make sure the apps are safe and secure. We can’t just throw them on and then try to fig­ure out what they do after the fact,” he added.

It’s impor­tant for a mobile device man­ag­er to have insight into all the devices on the enter­prise, Young said.

Such a man­ag­er must be “device agnos­tic,” he added, to be able to keep track of any sort of device made by any com­mer­cial pro­duc­er that’s touch­ing DOD’s infor­ma­tion net­work.

“That’s the chal­lenge,” he said.

Ser­vice mem­bers and DOD per­son­nel can get secu­ri­ty infor­ma­tion or have their devices checked by device man­u­fac­tur­ers, Young said.

On mil­i­tary instal­la­tions, he added, infor­ma­tion assur­ance pro­gram offi­cers or chief infor­ma­tion offi­cers can help.

Infor­ma­tion also is avail­able from the fed­er­al gov­ern­ment, includ­ing the Nation­al Insti­tute for Stan­dards and Tech­nol­o­gy, with Nation­al Ini­tia­tive for Cyber­se­cu­ri­ty Edu­ca­tion infor­ma­tion avail­able online at http://csrc.nist.gov/nice/.

Source:
U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)