The National Security Agency, America’s high-tech spy agency which also plays a key role in approving hardware and software for use by the Department of Defense, wants to be able to outfit military personnel with commercial smart phones and tablets, but based on an NSA security design.
The forces in the Department of Defense, including the U.S. Army and Air Force, today are piloting several different commercially available smart phones and tablets which the NSA is working to harden and secure, said Debora Plunkett, director of the NSA’s information assurance directorate, speaking at the Gartner Security and Risk Management Summit 2011 here today. “It’s not our intention to rely on any one platform,” she said. The goal is to have perhaps four main devices, plus a couple of infrastructure support services, and let U.S. forces pick the one they like best, she said.
Finding a way to bring commercially available smartphones and tablets into the classified security environment is “our No. 1 challenge today,” Plunkett said.
Right now, commercial smart phones and tablets are seen as carrying considerable risks from a national-security perspective, but the NSA is working to figure out how to add its own security to compensate for the risks.
“We are not saying there are no vulnerabilities in COTS [commercial off-the-shelf] products,” Plunkett said. “The intention is to be able to layer the commercial products and alleviate and obviate the vulnerabilities.”
For the NSA, it’s all adding up to an evolving concept of “‘good enough’ security,” Plunkett said, based on the idea that there are situations where information is highly “perishable” and retained only for minutes as compared with days or years, and that it’s worthwhile taking the risk to use COTS products that themselves may be regarded as more perishable as well.
Certainly, though, for many of the more traditional NSA strategists who advocated the agency build network equipment and security products itself as was the practice in the past, “it’s almost blasphemy,” she added. Going to commercial products takes “a lot of control out of your hands.”
NSA firmed up its mobility strategy last August, Plunkett said, and there are now several pilot tests in the armed forces of many of the leading smartphones and tablets. The goal is to find ones that can be approved, with specialized NSA security controls, for analysis and network use all around the world.
In its future secure mobile capability, now referred to as the “Mobile Virtual Network Operator,” the NSA wants to establish a means of providing sensitive content to the military and intelligence in a way that roughly emulates what Amazon does with Kindle, Plunkett said.
The NSA plans to have specific types of integrity checks, among other security measures, for authorized mobile users in the future. In addition, the fundamental idea of relying on the cloud for storage is part of the current strategy. “We use the cloud for storage,” she said, with the idea that content is sparingly held on a device, so if it’s lost, you simply “move on” to another device.
But the NSA still regards the current smart phone and tablet market as not terribly advanced in terms of security. Not surprisingly, the NSA is coming up with its own ways to manage applications and provision them securely.
The market reality is that smart phones and tablets are coming onto the market at a frenetic pace, much faster than the NSA typically takes to test and approve products, which used to be slightly more than a two-year cycle and has now been cut to a third of that for some types of security classifications, she said. So the NSA is struggling with the terrific pace of new entries of smart phones and tablets.
One risk is that many of the smart phones and tablets come from manufacturing sites in countries outside the U.S., which is seen as raising risk because some countries have an interest in spying on the U.S. or otherwise diminishing its national security.
“Vulnerabilities could be in products unintentionally or intentionally,” Plunkett said, alluding to the risk of supply-chain safety or lack of it. “It’s a global economy, and we rely more on products and components that come from around the world.”