Defense Department to restrict employee use of wireless devices
Defense Department employees soon will face restrictions on their use of wireless devices, including wireless network cards and personal digital assistants, when conducting departmental business, top officials said Tuesday.
"We are going to put constraints about what type [of devices] and where they can be used" and take other measures designed to minimize security risks, John Stenbit, an assistant Defense secretary, said at a conference on wireless security sponsored by the Center for Strategic and International Studies.
Widespread concern over the security vulnerabilities of wireless devices drove the Pentagon to formulate the policy, which could be released in weeks, said Stenbit, who is also the department's chief information officer.
Because even conventional cellular phones can record and transmit information, they can be vulnerable in the hands of a sophisticated adversary. The new rules may sanction certain commercial devices but bar others, depending on their security parameters, he said.
He summarized the department's dilemma by saying, "We don't believe that the commercial world will meet our standards, and yet we are dependent upon commercial technology to be able to meet our goals" as a military.
Both Stenbit and Robert Gorrie, deputy director of the Pentagon's Defense-wide Information Assurance Program Office (DIAP), said that concerns about wireless security do not mean that the department would eliminate or ban the use of wireless devices.
"That would be stupid because we can get so much from this technology," Gorrie said. "We need to take prudent action that allows the co-evolution of the technologies and the security policies that go with it." He said a balanced approach would allow the department-rather than an individual service or division-to set usage rules with appropriate security procedures.
"The soldiers and sailors on the leading edge depend on all the other databases" deployed by the military, Gorrie said, and the confidentiality of each of them must be protected.
Other panel members from business and government also lamented the lack of wireless security but agreed that we "don't give up on wireless," said Joseph Wilkes, the director of advanced wireless network architecture at Telecordia Technologies. "The answer is to secure it."
The security problem was amply illustrated when moderator Scott Charney, chief security officer at Microsoft, asked how many of the crowd of about 100 participants used 802.11 wireless networks, a commonly deployed means of high-speed Internet access. Nearly every one used them.
When Charney then asked how many people believed the networks were reasonably secure, only one or two people raised their hands. The reason most continued to use insecure devices ranged from a belief that they send non-sensitive information to the fact that they do not believe the risk of hacking is likely or that they think the convenience of the technology overwhelms its risk.
"This is the problem with the Internet: Everyone wanted to use it" even though initial security measures were limited, Charney said. "Now the same thing is happening with wireless."