Wireless Insecurity

he lure of wireless technology is proving irresistible. It's even making converts of die-hard pen-and-paper enthusiasts. It's easy to learn, inexpensive, convenient, efficient and even kind of fun. With all those factors in its favor, who could resist the urge to communicate critical messages instantly while on the go-in the corridors of the Pentagon, during a high-level meeting, or walking to your car after you exit the building?

Government employees, like the general public, are quickly embracing wireless technology, and the trend shows no signs of slowing. According to Framingham, Mass., market research firm IDC, the market for wireless security technology will grow by more than 50 percent over the next several years.

This trend has government executives both applauding the increases in efficiency that wireless technology brings and scratching their heads over how to ensure that secure information doesn't land in the wrong hands-either inadvertently or deliberately.

It's simple for a hacker to penetrate a wireless government network. "The reality is that the tools someone would need to hack a wireless [local area network] are readily available at any major computer store. And software can be downloaded to easily decrypt Web traffic over the Internet," says Jason Conyard, director of wireless product management at Symantec Corp. of Cupertino, Calif.

"The technology was developed for convenience, not for security. As in so many things, security has been more of an afterthought than part of the planning process, although that's changing," says Sally McDonald, assistant commissioner for the Office of Information Assurance and Critical Infrastructure Protection in GSA's Federal Technology Service, which is moving into the Homeland Security Department. "I'd be very cautious about putting the family jewels in a wireless system today, though."

It's precisely those family jewels-the government's most sensitive, critical data-that have officials concerned about the true level of security in agencies' wireless networks and devices.

"There don't seem to be many concerns about wireless security except at the very highest level of need, once you figure in the technology, the encryption, the standards and the security policies in place today," says Rob Rowello, a principal at management consulting firm Pittiglio Rabin Todd & McGrath. Rowello, based in Washington, says the only way to truly satisfy the government's security needs is by customizing already secure encryption capabilities. In most cases, this involves adding algorithms that maximize security. To get to this level of customization, agencies generally buy off-the-shelf security products and enlist a contractor to tailor them to their specific needs.

Take the popular BlackBerry handheld device offered by Research in Motion Ltd.(RIM) of Waterloo, Ontario. Government employees often use the device to access data and e-mail while away from their desks. To make it secure enough for its users, the National Security Agency, which has taken the lead on wireless security standards for the intelligence and defense communities, required that the device incorporate extra-secure encryption technology.

The NSA uses the Secure/ Multipurpose Internet Mail Extensions (S/MIME) standard for wireless handhelds, an e-mail security standard that uses public key cryptography to ensure the highest level of security. S/MIME provides writer-to-reader security, including confidentiality, message integrity and sender authentication. RIM has worked with the NSA to develop a version of this standard acceptable to the intelligence and defense communities.

"We had already done the development for S/MIME, but [NSA] wanted to ensure that we could incorporate their own encryption algorithms into their own version of the product," says Anthony LeBlanc, a group director at RIM. "They have appointed a trusted third party to load this NSA-approved encryption algorithm on what is essentially a vanilla BlackBerry."

The new S/MIME standard is critical to secure interdepartmental communication-something that will be particularly important for the new Department of Homeland Security, notes Tony Rosati, a vice president at Certicom Corp. of Mississauga, Ontario. "If everybody is using S/MIME and you use a common public key infrastructure, you can have cross-departmental communication securely," he says.

But even with agencies' best intentions and vendors' best efforts, there are still concerns. The Defense Department has taken several steps to prevent leaks of classified information from a secure environment over an insecure line. Defense has banned wireless devices in the Pentagon and put a moratorium on wireless local area networks (LANs) until organizations can show how those networks could be locked down-something achieved by encrypting all signals traveling on the network and making sure the right people are connected by implementing some form of strong user authentication. The edict requires an assurance that all data being sent wirelessly has no viruses and no data modification and a method of ensuring that a person can't deny sending or receiving information.

To ensure the highest level of security in all wireless communications, the NSA is developing a common protocol as well as a series of standards and procedures, says Gil Nolte, deputy chief of end-user technologies. The NSA must certify any wireless LAN or wireless handheld device before it can be used by security agencies. The NSA recently certified a secure wireless LAN PC card and wireless access point to protect classified information up to the Secret level, and is working to certify other products.

Given the NSA's stringent requirements and vendors' ability to customize their products, is stringent wireless security possible?

Yes, with many caveats, Nolte says. "You must change your paradigm of what is really possible. In the untethered world of wireless, you can no longer rely on physical barriers to protect access to your communications medium," he says. "However, given awareness of your environment, use of evaluated and trusted secure wireless devices, use of complementary and interoperable secure 'wired' desktop devices, and a network management/security policy that strictly controls wireless access to your network-then yes, I believe that wireless security can be obtained."

In many cases, the efforts are paying off. Army Communications-Electronics Command in Fort Monmouth, N.J., hired Northrop Grumman's information technology sector of Herndon, Va., to rework its method of communication between vehicles. The goal was to allow communication of secure information without having to physically cable units together, says Dean Knuth, national account manager of wireless solutions in the company's IT Defense Mission Systems business unit. Using existing technology and standards, Northrop Grumman was able to deliver a mounted wireless system cleared at the Top Secret level by the FBI. A later phase will allow similar communication between cargo planes.

With the appropriate standards and comprehensive security policies in place, the only remaining issue is the technology itself-something vendors say is ready, willing and able to handle the task at hand.

"There are three tenets to security: You have to protect the packet of information, the pipe it rides on, and the platform it processes with," says Tom Goodman, director of business development at Bluefire Security Technologies of Baltimore and a former government intelligence agent. Many vendors can protect the information, including Certicom and RSA Security Inc. of Bedford, Mass. Similarly, many tools can secure applications and technologies, such as virtual private networks, that help protect the pipe. Companies such as Bluefire provide technology to protect wireless handheld devices.

READY, WILLING AND ABLE

For most communication needs, experts say wireless technology and awareness is sufficient to ensure adequate security, provided that agencies are diligent in enforcing policies and standards.

The National Institute of Standards and Technology, which sets the guidelines for securing unclassified information, has developed a handful of useful standards in the wireless arena. Federal Information Processing Standard (FIPS) 140 is an encryption criterion every product must meet before being used in the federal government. And FIPS 197, which mandates the use of the Advanced Encryption Standard, replaces the aging Data Encryption Standard.

In a November 2002 report entitled "Wireless Network Security," NIST notes that risks in such networks exceed those in wired networks because of weaknesses in wireless protocols. To mitigate those risks, NIST urges agencies to adopt stringent security practices, periodically reassessing them as technologies mature and threats change.

Although civilian agencies are required only to ensure that wireless technologies meet NIST's standards, many go above and beyond, striving to meet the NSA's more stringent requirements.

"Organizations that will be more involved with homeland security seem to be looking to the NSA. And even civilian agencies that in the past have had more relaxed guidelines for wireless security are looking to the NSA and the DoD for guidance," observes RIM's LeBlanc.

Even some state governments, which don't have to follow any federal guidelines, are paying attention. Florida follows federal standards as they apply to the data it uses from the federal government. But as federal requirements have tightened, Florida's requirements often must tighten along with them, notes Kevin Patton, manager of network services for the state's Department of Law Enforcement in Tallahassee.

Patton says wireless technology has become ubiquitous throughout the state's agencies-something that is a blessing as well as a curse. "It's so inexpensive to buy these commodity items and put in wireless access points, often without the knowledge of the department. But if they don't know about it, they can't make sure it's adequately protected," he says.

To solve the problem, state officials have begun assigning information security officers at each agency and training them in wireless security methods. The state now has an Office of Information Security and is creating the Florida Infrastructure Protection Center, which will lend technical support to agencies when their networks are under attack. TruSecure of Herndon, Va., is setting up the office and helping all state agencies analyze their information security needs.

Although Florida's applications don't require the level of security needed in Top Secret federal correspondence, security is a real concern-real enough that many organizations are sitting up and taking notice.

"The solution is part common sense, part technology, part standards and policies, part commitment and part training," Certicom's Rosati says. "And that goes for any government agency that wants to get to the 99.9 percent confidence level."

Rosati believes the policies and technologies already are there, and agencies can achieve that level of confidence very soon. "We'll definitely get there at the DoD level this year," he predicts. "In other agencies, there is still a lot of education that needs to take place."