Each of us carries around in our pocket a device now essential to work and yet, when it comes to security clearances, is an ever-present threat. While the cell phone has long been a danger to be handed over before entering secure areas, the smart phone poses a set of problems exponentially more challenging for everyone involved. Those responsible for information security are up against a device that can surreptitiously record audio, allow for historically unprecedented clandestine photography and document reproduction, copy and store files, and, of course, communicate with the outside, “unsecured” world.
Consider even that a clear GPS signal is no longer necessary for accurate geolocation. Indoor positioning software is able to triangulate a smart phone’s location by way of nearby wi-fi signals; the result is “typical indoor accuracies of 3 to 10 meters”—as precise indoors, in other words, as outdoors. A mobile device in a secure area can provide a would-be spy with everything he or she needs to steal from, map out, or destroy a facility. How powerful, in fact, are mobile devices for such purposes? The National Security Agency and Joint Special Operations Command use mobile phones as guidance systems for missile strikes—even when the phones are have their batteries removed.
Smart phone in = Secrets Out
“…in the aftermath of the Edward Snowden data theft, cleared professionals have had their security files reopened for accidentally bringing their phones into secure areas. While this hasn’t necessarily resulted in the revocation of a clearance, just having such lapses in one’s file can be a final nail in the coffin…At any rate, your hip hop ringtone going off where your phone isn’t even supposed to be will not make you popular with your superiors.
The challenge to information security professionals is that even with all the access control measures in the world—biometrics, armed guards, keycards, electronic codes, and deadbolts—once a smart phone gets into your secure compartmentalized information facility (SCIF), your secrets get out. Accordingly, employers are looking for smart information security professionals. Meanwhile, the consequences for bringing an unauthorized mobile device into a sensitive area can be severe. With regard to the consequences: informally, I’ve heard from investigators that in the aftermath of the Edward Snowden data theft, cleared professionals have had their security files reopened for accidentally bringing their phones into secure areas. While this hasn’t necessarily resulted in the revocation of a clearance, just having such lapses in one’s file can be a final nail in the coffin, so to speak, during future investigations. At any rate, your hip hop ringtone going off where your phone isn’t even supposed to be will not make you popular with your superiors.
The irony of course is that government agencies are working hard to facilitate a greater usage of mobile devices. This means there are employment opportunities for would-be security officers and liaisons, with more jobs to come if the recent movement in the mobile sphere is any indication. In 2012, the Digital Services Advisory Group and Federal Chief Information Officers Council issued guidance for federal agencies to implement “Bring Your Own Device” policies, or BYOD. The purpose of the guidance is self-explanatory. Most of us have iPhones, iPads, and the like, and few of us want to lug around two of them—one business and one personal. As a guidance paper explains of BYOD, “By embracing the consumerization of Information Technology (IT), the government can address the personal preferences of its employees, offering them increased mobility and better integration of their personal and work lives. It also enables employees the flexibility to work in a way that optimizes their productivity.” In short, it’s cheaper for the government to let you buy your own phone, and easier for them to make you work longer hours when you’re out of the office. Still, you get to keep your Angry Birds, so there’s a valid tradeoff there.
Meanwhile, in the commercial sector mobile technology is on the move, with a concerted effort to make these devices as secure as your red-labeled landline. Blackberry, especially, has made tremendous strides with this, and has become the first mobile device platform to be deemed by the Defense Department as having “full operational capability.” In short, this means that approved Blackberry devices are government-certified as secure workspaces for such things as email, electronic documents, and custom applications, and are permitted access to government networks.
Next up: Mobile armour
In 2012, the Defense Advanced Research Projects Agency (DARPA) awarded $21.4 million to Invincia, a security contractor founded by a former DARPA engineer, to facilitate the development of what they’re calling “Mobile Armour” (spelled the British way, apparently). The project concerns a security-hardened version of the Android operating system for use by soldiers for “‘outside the wire’ tactical use.” This will entail, in part, special methods of cryptography as well as preventing users from falling prey to spear phishing and “user-initiated” malware infections. The real advantage of the program, now testing in Afghanistan, is its ability to work using off-the-shelf commercial Android devices—no special hardware needed.
The phrase “interconnected world” has reached the level of cliché as it relates to our iPhones and Androids, but when it comes to information security, the phrase should be considered a warning. We don’t want the world “interconnected” with our state secrets. In the years to come, as phones give way to goggles and wearables, keeping the world out will be a lofty challenge indeed for America’s security professionals.