No Dead Zones

Jeffrey Alan Love

A U.S. military officer in Seoul, South Korea, texts another officer across town on his government-issued iPhone—the same model his Boston-based teenager uses. An hour earlier, the father and son spoke on their twin gadgets using a commercial cellular frequency. Now, the officer is about to share geospatial maps of allied troop coordinates using an insulated Secret military mobile network.

Such communications on consumer smartphones could happen within a year under the Army’s commercial smartphone plan.

Across the globe, from the barracks to the battlefield, service members are testing the reliability and safety of non-BlackBerry devices, such as iPhones, iPads and Android-based products. Their efforts coincide with plans outlined earlier this year by Defense Chief Information Officer Teri Takai to support smartphones on classified and unclassified networks.  

There are kinks in the wires to smooth out. The Army, for instance, does not yet have a way to combine networks carrying Top Secret information with administrative applications, such as streamed distance learning courses and supply order forms, says Mike McCarthy, head of the Army’s smartphone project.

“Right now my office looks like Best Buy because they haven’t converged yet into a single solution. I can’t do classified on the same device that I do unclassified on. So we’re working on those kinds of solutions,” he said during a Webcast presentation hosted by Government Executive Media Group in March.

McCarthy, who spoke with Government Executive in April, doubts the Army ever will reach the point of accessing Top Secret information on commercial handhelds. “But Secret and below is something that I am confident will be realized within months, not years,” he says. 

Another disconnect: Sometimes overseas soldiers literally hang up on each other when commercial Internet service is unavailable or vulnerable. But there will be apps for that. Mobile tools for scrambling texts and calls already are in use at other U.S. military organizations. And the Army might procure air-based cellular stations—even drones mounted with hot spots—as workarounds.

“The answer is not just putting up towers,” McCarthy says. 

An Empty Smartphone

The most secure approach would be a phone that shows no traces of its owner when not in use.

“One of the solutions we’re looking at, truly, is keeping everything off the devices—or as much off of it as we can,” he says. All communications would take place in a secure cloud network anchored to a remote data center. That way, “we don’t have anything stored on the device itself. When you need information, you’re able to reach into a cloud environment and pull that data in so that it is accessible while you need it. When you’re done with it, it goes away,” McCarthy explains. If the device is lost or falls into the wrong hands, there’s nothing to hack.

Separately, several military organizations, including Special Operations forces, are using a set of apps that code voice and texts. The software suite was developed in part by former Navy SEALs at security firm Silent Circle. “When it hits the Internet of [whatever country the user is in], it’s already encrypted. So it doesn’t matter if you’re on Iraqna or you’re on AfSat or you’re in China,” says company co-founder Mike Janke, referring to various foreign Internet service providers.

“Forget just war zones. I’m talking first-world countries that monitor their communications. How do you protect that?” he asks. The security, Janke explains, relies on disposable keys that encrypt communications as soon as they leave the device. When an officer dials or texts, the encryption happens instantly on the handset, so there’s nothing a host-nation service provider or interceptor can grab.

And the technique works on any telecom channel officers might use, on devices ranging from older cell phones to those using 4G. The apps’ encryption protocols create a unique key each time the user makes a call or sends a text. “Then, after the call, the keys are deleted. There’s nothing there. There’s no history of calls,” says Janke, a former SEAL sniper. 

The group of apps for mobile calls and text messages costs nongovernment civilians $20 a month. Defense personnel receive bulk discounts that vary depending on the size of the user base, company officials say. 

A Hybrid Model

Another method of making private calls really private: toggle between two types of phone connections. The local Internet service would be sufficient when commercial infrastructure is available and considered secure. When a host nation’s infrastructure is unsafe, a separate backup line would be used.

Take Afghanistan. The main service providers there are an Afghan government-owned system influenced by opposition forces and a system maintained by a Russian company, McCarthy says. So, the best choice would be to “take us off the commercial frequencies and put us onto frequencies that are controlled by the military,” he explains. These include drone hot spots. Unmanned aircraft are one of many affordable proposals, McCarthy says.

“The solution is not to just lease a phone from Taliban Bell,” he adds.

One more kink: making sure every device and human user complies with these safeguards. How do organizations enforce security policies on devices that, by nature, are not centrally controlled? They work with vendors to develop so-called enterprise mobile management tools.

The Air Force Space Command, for example, has contracted with Good Technology to let employees download smartphone and tablet applications that control personal apps and allow managers to control military data. The company would not disclose the size of the contract. According to federal business databases, the Defense Commissary Agency in 2012 spent $8,009 on 45 Good Technology licenses for a “bring your own device” experiment in which employees used their personal devices.

McCarthy says the Army is considering Good’s products for Android-based phones. 

According to a June 2012 Defense mobile device strategy, counter-hack techniques must work on any mobile brand and any operating system. “This is supposed to be a device-agnostic, OS-agnostic program,” McCarthy says. By the end of 2013, between 20,000 and 25,000 gadgets of various makes and models powered by various software programs should be under evaluation servicewide, he expects.

The Insider Threat

Ultimately, military mobile security comes down to personal hygiene. A Pentagon internal investigator recently chastised the Army CIO and service members for disregarding the rules on thousands of devices.

The service’s CIO “was unaware” of more than 14,000 commercial mobile devices that were in use, Alice Carey, a Pentagon assistant inspector general, wrote in a March report. 

The audit reviewed a number of smartphone initiatives, including a trial that substituted handhelds for pen and paper to coordinate disaster aid. Participants could snap photos of hurricane-ravaged areas, capture the latitude and longitude, and upload the data to a military server. Security lapses occurred during these activities and others because managers did not realize the devices were connected to Army networks and storing sensitive information, according to Carey. 

Meanwhile, at West Point, U.S. Military Academy phones were not configured to require passwords for access. Instead, officials left it up to users to add that security layer, so 14 out of 48 mobile devices had no password protection. Also, the Military Academy and U.S. Army Corps of Engineers’ Engineer Research and Development Center failed to devise a way of remotely wiping data drives if devices were lost, stolen or assigned to another employee.

“The Army CIO did not develop clear and comprehensive policy” for commercial devices, Carey wrote. These errors “left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.”

In a letter responding to the investigation’s findings, Maj. Gen. Stuart Dyer, head of the Army CIO/G-6 cybersecurity directorate, said the organization agreed with the observations and “in many cases, the Army has already begun implementing improvements.” 

McCarthy says the auditors did not talk to him or his program team during the inspection. But, now, his team, the Army CIO, the Pentagon’s National Security Agency cryptographers, and Defense Information Systems Agency support staff are working closely to resolve the concerns highlighted.

A key goal of the smartphone project “is to find the kinds of solutions that will provide that safe and secure environment,” as well as managed access, he says. And one day Best Buy might just carry it. 
