The Complex

Pentagon IG: The Army has thousands of unsecure smartphones

The Defense Department's Inspector General called out the U.S. Army for the fact that thousands of the smartphones that troops buy off the shelf to use on the job aren't properly secured.

"The Army Chief Information Officer (CIO) did not implement an effective cybersecurity program for" commercially purchased smartphones and tablets, reads a new announcement from the DOD IG. "Specifically, the Army CIO did not appropriately track [off-the-shelf devices] and was unaware of more than 14,000 [such devices] used throughout the Army."

(The IG investigated the Army's use of phones and tablets running Google's Android, Apple's iOS, and Microsoft's Windows Mobile operating systems in 2012. It didn't look at BlackBerrys since it did a 2009 investigation into their security.)

Troops are already using commercial smartphones and tablets to do things like file flight plans. As the utility and availability of such devices grows, so will the amount and type of data stored on them. If spies can break into these devices, they can likely glean plenty of useful information. As the report notes, the CIO "inappropriately concluded that [these devices] were not connecting to Army networks and storing sensitive information. As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data."

The IG goes on to say that the Army failed to sanitize these devices; failed to install apps on the phones that would protect stored information; allowed troops to store sensitive data on the devices; didn't implement the ability to remotely wipe data off of stolen or lost devices; and failed to make users sign agreements governing the security of their devices or to make them take training on how to keep their smartphones secure.

What's interesting is that the Army's CIO, Lt. Gen. Susan Lawrence, told yours truly last October that the service would be taking some of these very steps to protect the data on commercially purchased smartphones and tablets. Remember, the military -- following the lead of plenty of private sector businesses -- is starting to embrace the bring-your-own-device (BYOD) trend. It ultimately wants troops to be able to use one device for both personal and official use, barring all but the most classified data.

Here's what Lawrence said when Killer Apps asked how the Army would protect its information:

"At the end of the day, we're really are going to become hardware agnostic. Whatever device you feel most comfortable with to do command and control, to be mobile with, is the device that you'll have and that's the one that we'll work with."

"We're in the RIM [Blackberry] environment, we're in the Apple environment, and we're in the [Google Android] already as we go through this."

"What you will agree to do is, if that's the device you want to use, you're going to sign an agreement with me that I get to scan you before you log on. I get to scan your device and then, you're also going to let me monitor you so that I can look for an inside threat as well. So if you're on the government network, you're gonna let me scan you first and you're gonna let me monitor you second."

DOD officials including Lawrence have said that enabling secure mobile computing is a top, if not the top, computing priority within the department. To enable this, Pentagon officials are hustling to field something called the Joint Information Environment, a massive cloud-based network that, over the next decade, will replace the dozens of networks that the DOD currently maintains. Officials say this will make it easier to defend and monitor data and make it easier to access from anywhere.

As Killer Apps quoted Lawrence as saying last October, one of the most important issues in the shift toward mobility and cloud computing "is in fact, ensuring that it's you on the network and that we've got your certifications and accreditations so that when you log on, I say yes, that's that person."

How do you make sure users are who they say they are? DARPA wants to monitor everything, from users' typing patterns and sentence structure to the way they hold their phone, to ensure that the person using a computer, smartphone, or tablet is the person who is authorized to use that device.

The Army tells the IG that, as soon as this month, it will start buying software allowing it to "wipe or remove a device from the [Army's networks] as well as monitor applications used, web sites visited, and data viewed, saved, or modified on the mobile devices." This satisfied one of the IG's recommendations that the service develop the ability to make sure mobile device users are secure.

The IG also says the Army "should develop clear and comprehensive policy to include requirements for reporting and tracking all" such devices. "In addition, the Army CIO should extend existing" practices aimed at protecting sensitive information to all off-the-shelf smartphones and tablets.

The Army, however, provided what the IG called "nonresponsive" answers to those suggestions. Specifically, the Army says it already has a reporting program for mobile devices that may carry sensitive data. The IG says this reporting program for registering mobile devices isn't good enough: thousands of unregistered and unauthorized devices were found to be in use.

In response to the IG's recommendation that it do more to protect the data on its devices, the Army said that the DOD is already working on a plan to secure the information on "every managed mobile device" via its Commercial Mobile Implementation plan. Again, the IG called this answer to its recommendation "nonresponsive": because off-the-shelf mobile devices aren't designated "as information systems, users [of such devices] would not apply the appropriate information assurance controls to protect the devices and the data" on them. Furthermore, because there is no clear timeline to manage the security of these devices, "there's an increased risk that Army networks could be vulnerable to data leakage."


What do North Korea's air defenses look like?

With the U.S. flying B-2 stealth bombers, F-22 Raptor stealth fighters, and B-52 bombers over the Korean Peninsula, we thought we'd give you a quick run-down on the air defenses these jets could face if the Korean War ever went into Round Two.

Sure, North Korea is said to have one of the densest air defense networks on Earth. But it's largely made up of 1950s-, '60s-, and '70s-vintage Soviet-designed missiles and radars -- the type of weapons that the U.S. military has been working on defeating for decades via a combination of radar jamming, anti-radar missiles, and stealth technology. In fact, the B-2 and F-22 were designed in the 1980s and 1990s specifically to evade such defenses, and the ancient B-52s could simply fire AGM-86 cruise missiles at North Korea from well beyond the range of the country's air defenses.

Let's take a look at the missiles in the North's air defense system that have claimed U.S. fighters in conflicts around the globe since 1990. (Keep in mind that hundreds of these missiles have been fired at U.S. forces in the last 23 years with only a handful of losses.) All of these systems are of Soviet origin -- some were actually built in the USSR and others were license-made in North Korea. (Note, for this post we're not even looking at the radars, antiaircraft guns and some of the older shoulder-fired missiles the North Koreans have.)

SA-2 Guideline: The SA-2 is famous for downing Gary Powers' U-2 spy plane over Russia in 1960, and it would go on to claim dozens of U.S. planes during the Vietnam War. North Korea may (may is the key word there) have up to 1,950 of these missiles. Although old, Iraqi SA-2s did manage to take out a U.S. Navy F-14A+ and an F-15E Strike Eagle during the 1991 Gulf War. The SA-2 was adopted by militaries around the globe during the Cold War and has a range of 28 miles and a maximum altitude of 28,000 feet. Even with upgrades, these missiles won't be too effective against American planes.

SA-6 Gainful: There are unconfirmed reports that the North has an unknown number of these missiles. The SA-6 is sometimes nicknamed "the three fingers of death" because it has three missiles laid out next to each other on the launcher. The SA-6 is also a 1960s-vintage design (in service since the 1970s) that can be defeated relatively easily with modern jamming and missiles that lock onto the radar beams emitted by many surface-to-air missile batteries. Still, an SA-6 shot down a U.S. Air Force F-16 over Iraq in 1991 and another F-16 over Bosnia in 1996. However, some accounts claim that, during the Kosovo air war of 1999, Yugoslav forces fired 477 SA-6s without a single kill.

SA-3 Goa: This is another Soviet-designed missile from the 1960s that has taken down a handful of modern U.S. fighters. The North is said to have up to 32 batteries of these missiles with at least six sites -- equipped with concrete bunkers to protect the missiles and their radar -- protecting Pyongyang (as of 2010, anyway). An SA-3 shot down a U.S. F-16 over Iraq in 1991. During the Kosovo war, a Yugoslav army SA-3 famously scored history's only kill against a stealth jet when its crew got lucky and spotted a U.S. Air Force F-117 Nighthawk stealth fighter while the jet's bomb-bay doors were open, briefly ruining the jet's stealthy shape. (It didn't help that the F-117s had flown the same routes on their attack runs so many times that the defenders could predict where they would be.) Later that year, another Yugoslav SA-3 shot down a U.S. F-16 over Serbia.

SA-13 Gopher: This is a mobile, low-altitude, heat-seeking missile system designed in the 1970s to protect Soviet ground forces from close-air support runs by Western jets. SA-13s shot down two U.S. Air Force A-10 Warthogs during the 1991 Gulf War. (Again, there are only unconfirmed reports the North has these.) Keep in mind that the A-10 flies low and slow while hunting ground targets, making it exactly the type of plane the SA-13 is meant to counter. (The SA-13 reportedly hit a total of 27 coalition jets during the Gulf War, downing 14, but besides the A-10s those jets were older, Vietnam War-vintage planes.)

SA-16 Gimlets: The North Koreans reportedly have hundreds of these 1980s-vintage, shoulder-fired, heat-seeking missiles, which like the SA-3s are meant to protect ground troops from low-level attacks. Iraqi forces downed three A-10 Warthogs during the Gulf War using Gimlets. (The SA-16 has evolved into the SA-24 Grinch, one of the most feared shoulder-fired surface-to-air missiles.)

Finally, here are a few systems North Korea has -- or may have -- that haven't downed U.S. jets but that are still worth noting.

The SA-4 Ganef: This is a fierce-looking, mobile system from the 1960s meant to shoot down high-flying bombers. The SA-4 has a range of about 34 miles and can reportedly reach altitudes of around 80,000 feet. Still, it's been retired by most operators and is only in use by a few former Soviet republics and possibly North Korea.

SA-5 Gammon: The North may have up to 40 batteries of this old design meant to shoot down high-flying bombers at long ranges. The SA-5 was introduced in the mid-1960s and is largely a fixed system, meaning it's difficult to hide from U.S. fighters equipped with anti-radar missiles -- though the North supposedly has them hidden in concrete bunkers. Their fixed status also means that they can simply be avoided by strike aircraft. One of the strengths of the SA-5 is that the system can be plugged into a variety of radars, improving its ability to find targets. It should be noted, however, that both Syria and Libya employ or employed such missiles. They didn't do much to help Muammar al-Qaddafi against the NATO air campaign of 2011, and they didn't prevent Israel from destroying a Syrian nuclear facility in 2007 (though the latter operation reportedly used a cyber strike to blind Syrian radars to the presence of Israeli jets).

SA-17 Gadfly: This system is nicknamed "four fingers of death" since, you guessed it, it's got four missiles laid out next to each other on the launcher. The North Koreans may have hundreds of these missiles (though this is unconfirmed and some dispute whether they have any), which were developed by the Soviets in the 1970s and largely fielded in the 1980s. The SA-17 reportedly has a range of about 19 miles and an altitude of 46,000 feet. Both the missile launcher and its radar system are mobile, meaning they can try to hide from enemy bombers. The SA-17 system is used by lots of countries with fairly robust air defenses, such as China, India, and Iran (which reportedly developed a knock-off version). Georgia was able to down several Russian jets, including a TU-22M strategic bomber/reconnaissance jet, with SA-17s during the 2008 war there. Meanwhile, Israeli warplanes took out a convoy of Syrian SA-17s that were supposedly being shipped to Hezbollah in January.
