DOD Works to Boost Smartphone Security
By Cheryl Pellerin
American Forces Press Service
WASHINGTON, Aug. 29, 2011 As the Defense Department seeks innovation made possible by smartphones and other mobile computing platforms, it’s also working to ensure DOD users of those devices employ them securely, a defense official said.
“Because of the pervasiveness of the [mobile computing] market, everyone has one, everyone wants one, but we often don’t look at how the device works -- we take it home and start loading pictures on it,” Robert E. Young, division chief of outreach and communications for the Defense-wide Information Assurance Program, said during a recent interview with the Pentagon Channel and American Forces Press Service.
“We do want this innovation in the Department of Defense so we don’t want to say no,” he added, “but we want to do it safely and securely.”
Issues that concern the department, Young said, include the huge memory capacities of some of the new smart devices and users’ general lack of knowledge about how smartphones and tablets work and how they could be compromised.
“With all the different operating systems out there,” Young said, “every patch, every update changes each device and the vulnerabilities within [and users] are going to have to weigh that risk.”
Young said the department is evaluating how people are really using the devices -- whether they’re using smartphones to check email or tablets to read memorandums or policies.
“What are you doing with the device? Is the camera disabled, are you taking pictures of people? I take a picture of you, I upload it and now you’re tagged and all of a sudden everyone knows where you are. So it leads to a digital footprint that connects to the device -- anywhere, anytime, any device,” he said.
“In a split-second it’s up and online,” he added. “And once on the net -- always on the net.”
Part of the answer is to educate, and raise mobile technology awareness for military members, DOD’s civilian workforce and their families, Young said.
As part of this effort, he added, the department is taking a cohesive approach to adopting mobile technology.
“We have a Commercial Mobile Device Working Group and we take best practices from [the Defense Advanced Research Projects Agency], the [Intelligence Advanced Research Projects Activity] and from our intelligence community partners” and share information, Young said.
“In the working group we have Army, Navy, Air Force, Coast Guard, FBI, CIA,” he added, “ … so that as a federal government, with a federated response, we can go to the vendors and say, this is what we need.”
The department also is working with DARPA and the Army on pilot programs for using mobile computing devices innovatively while also protecting information.
“Is the data at risk; is it encrypted while it’s being worked on?” he said. “If you lose a device physically what are you going to do?”
DARPA and the Army are also looking at new applications for such devices, Young said.
“The issue is that we have to make sure the apps are safe and secure. We can’t just throw them on and then try to figure out what they do after the fact,” he added.
It’s important for a mobile device manager to have insight into all the devices on the enterprise, Young said.
Such a manager must be “device agnostic,” he added, to be able to keep track of any sort of device made by any commercial producer that’s touching DOD’s information network.
“That’s the challenge,” he said.
Service members and DOD personnel can get security information or have their devices checked by device manufacturers, Young said.
On military installations, he added, information assurance program officers or chief information officers can help.
Information also is available from the federal government, including the National Institute for Standards and Technology, with National Initiative for Cybersecurity Education information available online at http://csrc.nist.gov/nice/ .