Army makes strides in smart-phone security

The U.S. military is increasingly looking to equip its personnel with smart phones that resemble civilian designs. Although that plan could significantly improve productivity and efficiency, it comes with considerable security problems.

The Army is at the forefront of the march toward wider smart-phone use. With support from its top ranking officers and officials, the Army plans to begin issuing smart phones to personnel early this year, and the service is taking steps to secure those digital tools.

To provide adequate security for the smart phones, the Army is turning to the same methods it uses for protecting computers and other mobile devices, said Army Lt. Col. Keith Newsome, lead for mobile electronic device activity at the Army CIO’s cyber directorate. All smart phones must go through a certification and accreditation process to meet Defense Department and Army security, statutory and regulatory requirements. The devices must also receive a Certificate of Networthiness from the Army Enterprise Designated Approval Authority before they can safely connect to the service’s networks, Newsome said.

A critical communications security requirement for the service's smart phones is the ability to use Common Access Cards via the DOD public key infrastructure so users can digitally sign and encrypt e-mail messages. Newsome said using the CAC PKI provides the nonrepudiation and secure communications that DOD networks require. Handheld device cryptography also must be certified under Federal Information Processing Standards 140-2 and protect data at rest and in transit.

All Army wireless devices must meet the policy guidance in DOD Directive 81000.02 and use CAC PKI capabilities as outlined in DOD Instruction 8520.2, "Public Key Infrastructure and Public Key Enabling." Newsome said Army leaders must ensure that smart phones and their supporting infrastructure are configured in accordance with the appropriate DOD Security Technical Implementation Guide.

The service released the DOD Unified Capabilities Approved Products List Oct. 1, 2010. Newsome said the purpose of the UC APL is to maintain one consolidated list of products for all DOD components that have completed interoperability and information assurance certification. The UC APL helps the Army choose approved smart phones for its networks, he said. The UC certification process will use multiple DOD laboratories to test smart-phone candidates. The testing will also use existing DOD component smart-phone evaluations to get more timely delivery of emerging handheld technologies to warfighters, Newsome said.

However, Newsome cautioned that one of the difficulties involved in issuing smart phones across the Army will be modifying the devices for military use. A major hurdle will be integrating CAC PKI readers onto the devices. Some devices run on closed operating systems while others use open systems, and both types present problems in separate, vendor-specific areas. He added that upgrades to commercial operating systems create problems with DOD’s accreditation process. In addition, commercially available smart phones are rarely rugged enough for off-garrison military use.

The military is working on developing rugged handhelds for soldiers in the field, said Jon Olstik, a senior analyst at the Enterprise Strategy Group. However, DOD’s immediate priority is to provide troops with access to commercially available products, though not at the expense of security, he said.

Olstik said the Defense Information Systems Agency's Go Mobile program, which is part of the Army's efforts and affects all military services, is taking a comprehensive approach to security. “There’s security built in, and that means secure authentication, secure tunneling, VPN, encryption of the device. They’ve taken a lot of that into account.”

Although the Army is working on developing secure smart phones, there are a number of other considerations, said a defense communications industry official who requested anonymity because of the sensitivity of the subject. For example, the official said, one problem is that many commercial smart phones are made in countries such as China, which could open the possibility of back doors being built into the phones and allowing an adversary to access military networks. The official added that if there is any communication standard that will be completely understood by a potential adversary such as China, it would be a cellular phone. 

Although in-garrison and on-base applications for civilian-based smart phones seem to make sense, their use in a tactical combat environment off-base is another matter. There are a variety of costs and pitfalls associated with commercial equipment used in theater, the industry official said. The first is the real cost of such a device. The official noted that besides device screens, which can be fragile, commercial data connectors for smart phones could break easily when soldiers sit or roll onto their devices in combat. One reason that military radios are so bulky is because of the anchoring for the large military grade connectors built into them, the official explained.

Hardware modifications for meeting military requirements for temperature extremes, water and shock also drive up the cost of tactical electronics. Although the Army wants a device that is disposable, such as a civilian cell phone, the official noted that the cost of civilian handheld devices is subsidized to a degree through their ubiquitous infrastructure, which is taken for granted in the civilian world.

However, when putting a civilian device in a tactical world, the Army must consider the backhaul, installation of cellular stations in forward facilities and costs of defending what would be an enticing target to enemy forces, the official said. The use of a smart phone-type device — at least one based on a civilian design — in a tactical combat environment is more expensive in the long run than using a tactical radio, the official said.

Another limitation is network survivability. Unlike tactical radios, if an enemy destroys a cellular base station, the commercial devices in its coverage area can't communicate with one another. The official noted that this is why the military has developed waveforms such as the Soldier Radio Waveform, which lets the radios route through one another to create an independent network.

Jamming is also a problem. The official noted that counter-improvised explosive device systems try to jam cell phone-initiated command detonations. Jamming efforts create the potential for a self-defeating solution, one that had bedeviled other types of tactical communications in theater, the official warned. But if the goal is to use smart phones in garrison or on base, there are no major obstacles to setting up such a system. The official noted that there is little argument against the utility of handheld devices in those circumstances.

The Army has BlackBerry and Windows Mobile smart phones accredited and approved for use. Newsome said the service is aggressively evaluating and testing a variety of smart phones, including iPhone and Android-based devices. He noted that the DOD UC APL accreditation process takes six to nine months for each smart-phone type. The Army’s goal is to use multiple accredited devices throughout the service as soon as possible. By the end of the first quarter of 2011, a CAC-enabled temporary solution will be available for most of these devices, he said. In the meantime, the Army is partnering with other DOD organizations to develop a long-term, enterprisewide solution, Newsome said.