The Complex

How will DoD protect the commercial mobile devices on its networks?

Just like tons of us in the private sector have been doing for years, the Army, along with other Pentagon agencies, is moving toward allowing its staff to bring their own smart phones, tablets, and possibly laptops to work for use on unclassified systems.

"At the end of the day, we really are going to become hardware agnostic," said the Army's Chief Information Officer, Lt. Gen. Susan Lawrence, during a speech at the Association of the U.S. Army's annual conference in Washington last week. "Whatever device you feel most comfortable with to do command and control, to be mobile with, is the device that you'll have and that's the one that we'll work with."

"We're in the RIM [Blackberry] environment, we're in the Apple environment, and we're in the [Google Android] already as we go through this," said the three-star general.

She added that the service is already working with the Defense Information Systems Agency to establish a way to pass sensitive information via commercial devices such as tablets and smart phones running Google's Android operating system.

Wait a second, you say, doesn't this sound like an opportunity for hackers to break into Defense Department networks by attacking someone's smart phone or iPad while their kids use it at home? What about the growing threat of malware aimed at attacking firmware that is embedded in the devices at manufacture?

"I believe the next wave of hacking will focus on modifying firmware," IT security consultant Robert Bigman told Killer Apps in an email. "As we eventually get better at finding rootkits," hackers will shift toward "hacks that modify computer and smart phone firmware, even breaking into vendor firmware diagnostics, to control devices via the firmware layer."

This means that "if you can control the firmware, you can control what software gets loaded and runs," wrote Bigman. "The firmware controls the physical device. You can control the firmware from factory and through the life cycle of the device either publicly, via updates, or covertly by spoofing the firmware or even software update process."

Killer Apps asked Lt. Gen. Lawrence about this immediately after her speech. Here's what she had to say.

"What you will agree to do is, if that's the device you want to use, you're going to sign an agreement with me that I get to scan you before you log on," said Lawrence. "I get to scan your device and then, you're also going to let me monitor you so that I can look for an inside threat as well. So if you're on the government network, you're gonna let me scan you first and you're gonna let me monitor you second."

With mobility being the "number one" computing feature that both the Army and the Defense Department are looking for, Army officials are scrambling to make sure that all data is stored on a secure cloud, where it is more easily monitored, protected (say DoD officials), and accessible from anywhere, instead of on vulnerable laptops, tablets, and smart phones.

However, one of the most important issues in the shift toward mobility and cloud computing "is, in fact, ensuring that it's you on the network and that we've got your certifications and accreditations so that when you log on, I say yes, that's that person."

Two ways of doing this are authenticating the user via passwords and data tags when they log onto the cloud, or, under the DoD's Secure PKI initiative, only allowing people to log onto networks using a secure, personalized ID card.
