National Security Agency Plans Smartphone Adoption
NSA is piloting secure smartphones now and plans broader adoption of commercially available devices that can access classified networks.
Today, strict security requirements mean most employees at the National Security Agency have to leave their mobile devices in their cars in the parking lot rather than bringing them in to work. Someday soon, however, that will change, as the agency is working on a plan to introduce secure, commercially available mobile devices and approve an architecture that will enable other agencies to use mobile devices with classified data.
NSA, which manages security requirements government-wide for so-called National Security Systems that access classified and sensitive data, has put together an initial series of security requirements for mobile devices and is currently running pilots with customized commercially available devices to collect data on performance and usability, particularly around concerns like latency that are accentuated by NSA's encryption demands. Within the next few months, NSA will begin its outreach with the tech industry to discuss how technology companies can help the military and intelligence communities meet their needs.
Consumer demand for mobile devices--a demand that government agencies and private sector companies alike are facing--is in many ways the key catalyst for this push toward mobility. "People desire to use their consumer devices to access their corporate networks," Troy Lange, NSA's mobility mission manager, said in an interview. "This is about bringing efficiencies and capabilities that people are used to in their everyday lives and extending that to our national security mission."
Eventually, at the NSA, at least, this would entail enabling mobile access to classified systems and other national security systems, developing mobile enterprise apps and an app store for NSA employees to use, and providing one device for both classified and unclassified networks that can, for example, tell when users enter a secure or classified environment and adjust security controls appropriately.
However, information security barriers remain, both for access to national security systems in general and for NSA. Due to the highly classified nature of much of its work, NSA has some of the strictest requirements in government, including whole buildings that are labeled as Sensitive Compartmentalized Information Facilities, which have additional requirements. Those strict security rules have thus far meant that the small number of mobile devices currently floating around at NSA and in other classified environments have been built mostly from the ground up exclusively for government.
Among those devices are the General Dynamics Sectera Edge and L3 Guardian devices, which are classified as Secure Mobile Environment-Portable Electronic Devices, or SME-PEDs. Both are 3G Windows Mobile-based devices that let users receive classified phone calls and email and Web-browse on classified secret. L3 Guardian devices cost $3,150, while GSM-compatible Sectera Edge devices list at $3,145 for a device with a one-year warranty. A Sectera Edge accessory kit that includes a carrying case, charger, headphones, microSD cards, and spare battery costs $845 extra. Support can up the cost even more.
That's not a cost-effective proposition, and the one-off development isn't a strategy that can keep pace with the rapid development cycles in today's mobile world. NSA's aim is to move to commercially available technology and to help enable industry to meet its needs. Lange said that some of the devices now in circulation at NSA might remind people of "old cellphones."
"Unfortunately, consumer devices are not built with security as their primary market differentiator," Lange said. "So the question is how to secure them so that they can access our IT infrastructure."
One piece of the puzzle might be SE Android, a secure version of the Android operating system developed by NSA's trusted systems research organization and released as open source in January. SE Android, the fruit of one of several mobile security research efforts at NSA (other work includes research on virtualization and micro-kernels), provides stronger ways to isolate apps from one another and the system itself, to force devices to share data and files in a more secure manner, and to separate data and application processing.
The current commercial version of Android relies on discretionary access controls, which give the owner of the data, whether human or machine, complete discretion over how data is accessed on the device and whether controls can be overridden. SE Android relies on mandatory access controls, which centralize and lock down those policies.
According to NSA, these security upgrades help prevent malicious apps from commandeering or wiping a device, or from running hidden processes in the background that surreptitiously access data on the device.
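An added illustration of the discretionary versus mandatory distinction described above; it is not code from the article or from SE Android. It is a simplified Python model in which the app names, file path, labels and policy rules are all constructed for the example.

```python
"""Toy model of discretionary vs. mandatory access control (constructed example)."""
from dataclasses import dataclass


@dataclass
class File:
    path: str
    owner: str                    # app that created the file
    label: str                    # MAC type label, set by central policy, not the owner
    world_readable: bool = False  # DAC bit the owner may flip at will


# Central MAC policy: (subject domain, object label, permission) triples.
# Anything not listed is denied. All names here are hypothetical.
MAC_POLICY = {
    ("mail_app", "mail_data", "read"),
    ("mail_app", "mail_data", "write"),
    ("flashlight_app", "flashlight_data", "read"),
}


def dac_allows(app: str, f: File, perm: str) -> bool:
    """DAC: the owner has full access and decides what everyone else gets."""
    if app == f.owner:
        return True
    return perm == "read" and f.world_readable


def mac_allows(domain: str, f: File, perm: str) -> bool:
    """MAC: only the central policy decides; the owner cannot add rules."""
    return (domain, f.label, perm) in MAC_POLICY


def access(app: str, f: File, perm: str, enforce_mac: bool) -> bool:
    """A request must pass DAC and, when enforced, MAC as well."""
    if not dac_allows(app, f, perm):
        return False
    return mac_allows(app, f, perm) if enforce_mac else True


def scenario() -> dict:
    inbox = File("/data/mail/inbox.db", owner="mail_app", label="mail_data")
    # A buggy or compromised owner loosens its own file: allowed under DAC.
    inbox.world_readable = True
    return {
        "dac_only": access("flashlight_app", inbox, "read", enforce_mac=False),
        "dac_plus_mac": access("flashlight_app", inbox, "read", enforce_mac=True),
        "owner_with_mac": access("mail_app", inbox, "write", enforce_mac=True),
    }
```

With only discretionary controls, the owner's mistake exposes the file to an unrelated app; with the central policy enforced, the same request is denied because no rule links the two domains.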
NSA's goal with SE Android is ultimately the same as the rest of its mobile strategy: to enable the NSA to rely on commercial technologies. According to Stephen Smalley, an NSA researcher who helped develop both SE Android and the earlier SE Linux (which has since been integrated into the open-source Linux operating system itself), NSA hopes SE Android will ultimately be adopted by device manufacturers, be leveraged by other mobile operating system developers as a model for secure mobility, and become integrated into the Android open-source project.
Another project that NSA could draw on is the Defense Advanced Research Projects Agency's Transformative Apps project. Under the umbrella of that project, DARPA is working with organizations like the National Institute of Standards and Technology and George Mason University to create a secure Android platform.
George Mason and NIST are helping to harden the Android kernel by, for example, stripping it of features and functionality that military and intelligence agencies won't need. Researchers also have worked on encryption, and have run 200,000 mobile apps through application testing software that identifies app functionality and then enables users or administrators to turn different pieces of that functionality off as needed. For example, a flashlight app might have no need to access the network.
Pilot tests are well underway on commercially available devices, and pieces of the project will, like SE Android, soon be open sourced. "The project is more mature than people know," says Angelos Stavrou, a George Mason University professor working on the DARPA project. "It's not something that’s designed in a lab to stay in the lab. It works on devices now, and people are actually using it."
In fact, devices built as part of that program are already out on the battlefield. The 3rd Brigade of the 10th Mountain Division has deployed several hundred devices in Afghanistan, and other Army units are reportedly requesting devices as well.
"All this work will allow us to get out of the business of having to build our own devices," said Lange. "We're not looking at a government-specific build of the Android operating system, but we want to take advantage of something like this as a component of an overall, industry-provided solution. We want to be able to provide mobile devices, but we want to avoid modifications as much as we can."
Overall, the NSA's mobile security strategy is one of "defense in depth," Lange said. "We understand that any single piece may have vulnerabilities, but you build in redundancy to increase security."
For example, data in transit will require multiple layers of encryption, including an encrypted VPN channel and another independent layer of encryption for voice and data traffic such as VoIP. The encryption will need to meet NSA's Suite B encryption standards, which have been available for several years.
Cloud computing and thin-client technology will also play a role in ensuring mobile security for the agency. "A thin client cloud architecture where you offload as much data as you can from the endpoint ensures that when your device is lost, you don't lose your data," Lange explained.
As part of the strategy, the government may also continue to maintain control over certain elements that are often handed off to mobile service providers. For example, the NSA would likely have control of over-the-air updates, the subscriber database for all NSA users, and issuing of SIM cards.
The package of requirements NSA will begin putting together in a few months is something that other agencies that use classified and other national security IT systems could use as well. Lange says he's been working closely with the rest of the intelligence community and the Department of Defense, which are also increasingly looking toward mobile devices. The Army and the Defense Information Systems Agency, for example, have been taking numerous steps toward the embrace of mobile devices, including pilot projects in the Army and the creation of a mobile device management program office at DISA.
Ultimately, NSA's strategy isn't going to result in putting smartphones into the hands of all the employees within America's national security apparatus tomorrow, or even anytime soon. Lange concedes that it's still a multi-year, long-term strategy. However, the fact that NSA and others are getting a move on is what matters. As smart mobility becomes more and more ubiquitous in both the consumer and business worlds, the industry will not wait, and neither should America's military and intelligence community.