Security a Priority in DOD Move to Mobile Devices
By Cheryl Pellerin
American Forces Press Service
WASHINGTON, June 7, 2013 The Defense Department wants to provide secure access to information from any device, anywhere and anytime, but the priority is security, the department’s principal deputy chief information officer said here yesterday.
At a defense systems seminar, Robert Carey spoke about mobile device security and architecture before an audience of military, government and industry experts.
“It’s an exciting time for the mobile space, and I will tell you as we march into it and into choices and … into smart phone utilization in the DOD, it is not without the requisite security,” Carey said.
“Many an industry and federal agency that are leaping into it a little faster than the security apparatus is willing to catch up with, but we are not,” he added. “We are trying to leap in it with the security apparatus attached.”
Today, DOD has more than 600,000 commercial mobile devices in operational and pilot use, including about 470,000 BlackBerry phones, 41,000 Apple operating system devices and 8,700 Android devices.
Last June, the department released a mobile device strategy that identified information technology goals and objectives for making the use of mobile devices possible from the hallways of the Pentagon to battlefields and secured spaces worldwide.
The strategy focused on improving wireless infrastructure and mobile devices and applications. The steps it proposes are designed to keep these areas reliable, secure and flexible enough to keep up with the pace of technology.
Then in February the department released a Commercial Mobile Device Implementation Plan with goals and objectives for allowing the secure use of mobile devices.
A key objective is to establish a departmentwide mobile enterprise plan that permits the use of smartphones and tablets from different vendors and to develop an enterprise mobile device management capability and app store to support about 100,000 devices from multiple vendors.
Carey said the Defense Information Systems Agency “is leading the charge for DOD to centrally provide and provision an infrastructure that we can then all use.”
DISA is rolling out unclassified and classified devices in phases that began this year and continue until fiscal 2014.
A slide from Carey’s presentation indicated that in March DISA rolled out 500 devices at the Secret classification, and in April, 1,500 unclassified devices.
The next phase begins in September, when DISA will roll out 5,000 unclassified devices and 1,500 devices at the Top Secret classification. In fiscal 2014 it will roll out up to 100,000 unclassified devices and have enterprise capability for devices at classified levels.
“We’re doing both [unclassified and classified] simultaneously right now and we’ll expand both as the demand signal requires,” Carey said.
“But we’re moving out on the unclassified with [vendor] choices with the secure architecture up at DISA, engaging Internet service providers, creating mobile device management solutions that meet security requirements of the Federal CIO Council, and other things,” he added. “So we’re out on-point with the federal government, doing work that keeps the unclassified devices secure.”
On the federal mobility effort, the department is working with the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Justice and the Federal CIO Council “to ensure that the standards we use for an unclassified phone are the same. That’s really important,” he noted.
Carey said DISA also is working to define the way forward on public key infrastructure, or PKI authentication solutions for mobility. A PKI is a system that’s required to provide public-key encryption and digital signature services.
“Our identities have to be lashed to these devices, tactical or not, so that as we engage data and the network it is with approved identity credentials and our PKI that we’ve all been given when we get our common access cards,” he said.
Carey said engaging the network with user ID and password is old school computer security.
“You have to get into PKI and cryptography in this day and age,” he said.
Of the several high bars to commercial mobile security, the largest is PKI authentication, he said.
“If I can’t authenticate your identity through this device to the network -- game over,” Carey added.
The reason is that all DOD websites today are required to be PKI-enabled anyway, he said.
“And if you’re going to conduct a transaction you have to have this flow through the phone,” Carey said. “There are a couple different ways to do it, but nevertheless it’s got to be done.”