|Photo: Cyberspace Security: Credit: U.S. Navy|
FROM: U.S. DEPARTMENT OF DEFENSE
Cyber Pro Discusses Mobile Network Security Challenges
By Amaani Lyle
American Forces Press Service
WASHINGTON, Dec. 5, 2012 - With more than 680,000 mobile devices in use across the Defense Department, they are quickly emerging as a critical component of military communications -- bringing a plethora of new security risks, a defense official told attendees at the Defense Logistics 2012 conference yesterday.
Dr. Robert Young, cybersecurity director in the DOD office of the chief information officer, outlined some of the devices in use and the ongoing importance of vulnerability counter-measures such as back-ups, the cloud, authentication and secure applications.
"We need to be thinking about how we can we do mobile computing with security," Young said. "Your mobile device is going to replace your laptop [and contain] unclassified and classified information ... so we have to start thinking of the [operational security] piece of this."
According to Young, threats and challenges faced by mobile device users include loss of device, data recovery, collection over the air, vulnerability applications, malware and tracking.
Devices and platform variations also create unique challenges in building a secure, impenetrable network -- something that's especially daunting due to limited lead time in the production cycle, he said.
"Sixty days from now, the devices being made in Taiwan, China, Singapore, wherever, will not be supported anymore," Young said. "They'll be the next model and the next model ... so we need to stop looking at the device and ... start looking at the data."
Young also noted that BlackBerry, while effective for encryption, is, as of yet, the only platform used for secure communications, which in and of itself creates vulnerabilities.
"We don't want to have just one operating system," Young said. "And every device is different ... solutions, logistics and acquisitions are not one-size-fits-all."
The ubiquity and affordability of cell phones in the hands of hackers and adversaries creates a considerable threat, Young explained. He cited an example of villagers in Afghanistan who can ride into town, send their data, charge their phones then shut down and leave without a trace.
"There are 48 million people in the world who have mobile phones who don't have electricity at home," Young said. "How are you going to find this individual [or] find the footprint?"
Even iPhones for sale in Afghanistan can pose risks, Young said, adding that the devices could actually trigger an improvised explosive device.
"I could make a designer bomb if I know the [mobile equipment identity number] of your iPhone or iPad," Young said. "I just look for the signal that'll ping out."
Equally dire are the consequences of a compromised database such as mobile device electronic serial numbers, he added.
"Once it pinged and I saw [the MEID], I would know where your soldier, sailor or Marine is deployed," Young said.
As smart phones become even smarter, users will soon see mobile devices do much more than transfer data. Young described the use of iPhones in medical settings, where the devices can now enhance triage efficacy by checking vital signs including pulse and body temperature.
"That's smart use of [technology] -- knowing how not to waste resources and who I'm going to treat," Young said.
Still, the DOD must remain vigilant in mobile device management to buffer hackers that can range in age, location or intent, but are typically obsessive-compulsive about penetrating a system, Young said. He shared a recent experiment about his efforts to identify and understand such activity.
"My tasking was to find a 13-year-old kid and give him an iPhone, [with him] using on-the-web devices and on-the-web [applications] to hack and crack into our [system]," Young said. "He did it."
With "for official use only," secret and top secret platforms cohabitating on mobile devices with the appropriate encryptions, physical and virtual security must remain a priority, Young asserted.
Currently no personal or "BYOD" devices are approved for use with for official use only data, but major pilot programs using iOS, Android and BlackBerry are in the works, Young said.