By Aliya Sternstein
May 28, 2013
A U.S. military officer in Seoul, South Korea, texts another officer across town on his government-issued iPhone—the same model his Boston-based teenager uses. An hour earlier, the father and son spoke on their twin gadgets using a commercial cellular frequency. Now, the officer is about to share geospatial maps of allied troop coordinates using an insulated Secret military mobile network.
Such communications on consumer smartphones could happen within a year under the Army’s commercial smartphone plan.
Across the globe, from the barracks to the battlefield, service members are testing the reliability and safety of non-BlackBerry devices, such as iPhones, iPads and Android-based products. Their efforts coincide with plans outlined earlier this year by Defense Chief Information Officer Teri Takai to support smartphones on classified and unclassified networks.
There are kinks in the wires to smooth out. The Army, for instance, does not yet have a way to combine networks carrying Top Secret information with administrative applications, such as streamed distance learning courses and supply order forms, says Mike McCarthy, head of the Army’s smartphone project.
“Right now my office looks like Best Buy because they haven’t converged yet into a single solution. I can’t do classified on the same device that I do unclassified on. So we’re working on those kinds of solutions,” he said during a Webcast presentation hosted by Government Executive Media Group in March.
McCarthy, who spoke with Government Executive in April, doubts the Army ever will reach the point of accessing Top Secret information on commercial handhelds. “But Secret and below is something that I am confident will be realized within months, not years,” he says.
Another disconnect: Sometimes overseas soldiers literally hang up on each other when commercial Internet service is unavailable or vulnerable. But there will be apps for that. Mobile tools for scrambling texts and calls already are in use at other U.S. military organizations. And the Army might procure air-based cellular stations—even drones mounted with hot spots—as workarounds.
“The answer is not just putting up towers,” McCarthy says.
An Empty Smartphone
The most secure approach would be a phone that shows no traces of its owner when not in use.
“One of the solutions we’re looking at, truly, is keeping everything off the devices—or as much off of it as we can,” he says. All communications would take place in a secure cloud network anchored to a remote data center. That way, “we don’t have anything stored on the device itself. When you need information, you’re able to reach into a cloud environment and pull that data in so that it is accessible while you need it. When you’re done with it, it goes away,” McCarthy explains. If the device is lost or falls into the wrong hands, there’s nothing to hack.
Separately, several military organizations, including Special Operations forces, are using a set of apps that code voice and texts. The software suite was developed in part by former Navy SEALs at security firm Silent Circle. “When it hits the Internet of [whatever country the user is in], it’s already encrypted. So it doesn’t matter if you’re on Iraqna or you’re on AfSat or you’re in China,” says company co-founder Mike Janke, referring to various foreign Internet service providers.
“Forget just war zones. I’m talking first-world countries that monitor their communications. How do you protect that?” he asks. The security, Janke explains, relies on disposable keys that encrypt communications as soon as they leave the device. When an officer dials or texts, the encryption happens instantly on the handset, so there’s nothing a host-nation service provider or interceptor can grab.
And the technique works on any telecom channel officers might use, on devices ranging from older cell phones to those using 4G. The apps’ encryption protocols create a unique key each time the user makes a call or sends a text. “Then, after the call, the keys are deleted. There’s nothing there. There’s no history of calls,” says Janke, a former SEAL sniper.
The group of apps for mobile calls and text messages costs nongovernment civilians $20 a month. Defense personnel receive bulk discounts that vary depending on the size of the user base, company officials say.
A Hybrid Model
Another method of making private calls really private: toggle between two types of phone connections. The local Internet service would be sufficient when commercial infrastructure is available and considered secure. When a host nation’s infrastructure is unsafe, a separate backup line would be used.
Take Afghanistan. The main service providers there are an Afghan government-owned system influenced by opposition forces and a system maintained by a Russian company, McCarthy says. So, the best choice would be to “take us off the commercial frequencies and put us onto frequencies that are controlled by the military,” he explains. These include drone hot spots. Unmanned aerial aircraft are one of many affordable proposals, McCarthy says.
“The solution is not to just lease a phone from Taliban Bell,” he adds.
One more kink: making sure every device and human user complies with these safeguards. How do organizations enforce security policies on devices that, by nature, are not centrally controlled? They work with vendors to develop so-called enterprise mobile management tools.
The Air Force Space Command, for example, has contracted with Good Technology to let employees download smartphone and tablet applications that control personal apps and allow managers to control military data. The company would not disclose the size of the contract. According to federal business databases, the Defense Commissary Agency in 2012 spent $8,009 on 45 Good Technology licenses for a “bring your own device” experiment in which employees used their personal devices.
McCarthy says the Army is considering Good’s products for Android-based phones.
According to a June 2012 Defense mobile device strategy, counter-hack techniques must work on any mobile brand and any operating system. “This is supposed to be a device-agnostic, OS-agnostic program,” McCarthy says. By the end of 2013, between 20,000 and 25,000 gadgets of various makes and models powered by various software programs should be under evaluation servicewide, he expects.
The Insider Threat
Ultimately, military mobile security comes down to personal hygiene. A Pentagon internal investigator recently chastised the Army CIO and service members for disregarding the rules on thousands of devices.
The service’s CIO “was unaware” of more than 14,000 commercial mobile devices that were in use, Alice Carey, a Pentagon assistant inspector general, wrote in a March report.
The audit reviewed a number of smartphone initiatives, including a trial that substituted handhelds for pen and paper to coordinate disaster aid. Participants could snap photos of hurricane-ravaged areas, capture the latitude and longitude, and upload the data to a military server. Security lapses occurred during these activities and others because managers did not realize the devices were connected to Army networks and storing sensitive information, according to Carey.
Meanwhile at West Point, U.S. Military Academy phones were not configured to require passwords for access. Instead, officials left it up to users to add that security layer, so 14 out of 48 mobile devices had no password protection. Also, the Military Academy and U.S. Army Corps of Engineers’ Engineer Research and Development Center failed to devise a way of wiping data drives remotely if lost, stolen or assigned to another employee.
“The Army CIO did not develop clear and comprehensive policy” for commercial devices, Carey wrote. These errors “left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.”
In a letter responding to the investigation’s findings, Maj. Gen. Stuart Dyer, head of the Army CIO/G-6 cybersecurity directorate, said the organization agreed with the observations and “in many cases, the Army has already begun implementing improvements.”
McCarthy says the auditors did not talk to him or his program team during the inspection. But, now, his team, the Army CIO, the Pentagon’s National Security Agency cryptographers, and Defense Information Systems Agency support staff are working closely to resolve the concerns highlighted.
A key goal of the smartphone project “is to find the kinds of solutions that will provide that safe and secure environment,” as well as managed access, he says. And one day Best Buy might just carry it.
By Aliya Sternstein
May 28, 2013