Secure smart phones outpace policy

The Defense Department and civilian leadership in the field now have a mobile option for classified e-mail and voice communications. However, technology has outpaced policy, and DOD leaders have not yet formulated a policy for where and when a secure smart phone can be used.

The National Security Agency kicked off the Secure Mobile Environment Portable Electronic Device (SME PED) program in 2005, which the Defense Information Systems Agency now runs. The program's goal was to provide DOD and national leadership with the capabilities of a smart phone in a device that could provide secure voice and e-mail.

For smart phone security, “SME PED was a big step forward,” said Mike Zirkle, a senior associate at Booz Allen Hamilton. “The ability to get both the classified and unclassified sides on the same phone, the [NSA] Type 1 crypto, the Common Access Card authentication — from a technology perspective, we're there. But policy hasn't caught up yet.”

Two devices have been developed under the SME PED program: the Guardian by L-3 Communications Systems and the Sectéra Edge by General Dynamics C4 Systems. Both provide NSA Level 1 encryption and can place secure cellular calls via Global System for Mobile Communications or Code Division Multiple Access cellular networks. The phones also can connect wirelessly to DOD's Nonclassified IP Router Network and Secret IP Router Network (SIPRNet).

In addition, General Dynamics’ device can switch between classified and unclassified domains with the click of a button, which keeps the domains separate on the device. It uses detachable wireless modules to switch among CDMA cellular, GSM cellular and 802.11 b/g wireless networking. Users can only make secure calls via the cellular modules, said Tom Liggett, business area manager for information assurance at General Dynamics C4 Systems.

“The killer app is the push e-mail application,” Liggett said. The Sectéra's e-mail application, provided by Apriva, uses push technology, in which e-mail is automatically sent to a device and synced with a desktop computer, he explained. “It's very similar to the functionality of the [Research In Motion] BlackBerry.”

Devices such as the BlackBerry and Motorola phones equipped with Good Technology's Good Mobile Messaging Secure/Multipurpose Internet Mail Extensions (S/MIME) can provide push e-mail to users of unclassified DOD e-mail systems. Versions of those phones configured for DOD customers offer integration with CAC readers for authentication and comply with other DOD security requirements. However, they don't offer the kind of protection required for devices that connect to SIPRNet.

“In a world where mobile devices are lost like Bic pens, people are going to lose these,” said Dave Marcus, director of security research and communications at McAfee. “Ultimately, there has to be a way for the phone to become a brick or make the data on it inaccessible.”

The SME PED devices include that level of security. “The device itself is basically a Windows CE-based wireless PDA,” Liggett said. “Obviously, there's data on the device — there's a push application for e-mail, and you can store documents and files on it. So it needs data protection. I believe this is the first mobile device that has [NSA] Type 1 [encryption] data-at-rest protection. So there's no chance of compromising the data if it's lost.”

Although the technology is ready, the SME PED smart phones are still under evaluation by organizations in DOD. “The part that needs to be addressed in doctrine is where can I take that top-secret call or read that secret e-mail,” Zirkle said. “The risks are whether [the phone is] in proximity and I can hear the conversation, or if I've got a parabolic mike and I can listen, or if I can see that e-mail message over your shoulder. Today, if you want to talk on a top-secret call, you need to be in [a Sensitive Compartmented Information Facility]. But what are the rules for the SCIF? You can't have a wireless device in one. Those are the pieces that have yet to be worked out.”

DISA requires organizations that need to access the SME PED service to add a SME PED server to their local SIPRNet enclave, which requires additional accreditation. According to DISA's SME PED Web site, “once the enclave DAA has approved inclusion of SME PED into the accreditation boundary, an updated accreditation package should be submitted to the DISA Classified Connection Approval Office.”