[ISN] Devices bring new security policies

From: InfoSec News (alerts@private)
Date: Tue Jun 26 2007 - 23:11:37 PDT


http://www.fcw.com/article103074-06-25-07-Print

By Sebastian Sprenger
June 25, 2007

The advent of a new generation of handheld devices certified for 
handling classified and unclassified data is expected to usher in a set 
of new security policies governing when, where and how officials may use 
those systems. Existing security doctrine provides some guidance on the 
proper use of the new devices, but the National Security Agency has 
begun drafting more detailed policies, NSA spokeswoman Andrea Martino 
said.

Two companies, General Dynamics C4 Systems and L-3 Communications, each 
developed a prototype for NSA’s Secure Mobile Environment Portable 
Electronic Device (SME-PED) program. The agency is expected to award 
indefinite-delivery, indefinite-quantity contracts to both vendors later 
this month for the delivery and deployment of SME-PEDs, once they pass 
NSA’s certification process.

The new systems will let officials in the military, the Homeland 
Security Department and other agencies send classified e-mail messages, 
access classified networks or make top-secret phone calls on the go.

The technology is a first in many respects, said Lt. Col. Clinton 
Wallington, director of the Army’s advanced technology office. “It’s 
SIPRnet on the hip,” he said, referring to the Defense Department’s 
Secure IP Router Network for classified information. With the same 
device and the push of a button, users can operate in an insecure mode 
to browse the Web and send unclassified e-mail messages. The device’s 
hybrid status has some observers wondering about security policies that 
SME-PED users will need to follow. “Can I take it home with me? Do I 
have to store it in a safe overnight? Can I pull it out on the Metro?” 
asked one DOD official.

When operated in unclassified mode, the Common Access Card-enabled 
SME-PEDs are considered high-value items, but storing them in a safe is 
not necessary, Martino said. However, using the devices in secure mode 
in public places, such as Metro trains in the metropolitan Washington 
area, is not desirable, she added.

Col. John Blaine, chief of the wireless integration branch at the Air 
Force Communications Agency, said he expects the next update of the 
Defense Information Systems Agency’s security technical implementation 
guidance for wireless devices to answer some of the policy questions 
about SME-PEDs. Blaine pointed out that although many people are still 
in the dark about the specifics of SME-PED security, both vendors’ 
devices must obtain NSA certification before such questions can be 
answered.

“All we can do now is wait,” Blaine said.

Martino declined to say when the devices might be certified because the 
schedule is still in development.

General Dynamics officials said they will ship their product to NSA for 
certification in August, but they will start production after NSA awards 
a contract later this month. L-3’s device most likely will not be 
certified before December, government sources say.

Martino said unit prices for the SME-PEDs are still in negotiation. As 
for monthly wireless costs, the vendors are having discussions with 
carriers to create a one-stop shop for the SME-PED under the General 
Services Administration’s Networx program, she said.

Wallington said the Army plans to give SME-PEDs to officials in 
leadership positions who need secret communications channels at all 
times. “We’re not going to give these to the common soldiers,” he said.

The Air Force could use the systems to quickly relay targeting 
information for time-sensitive strikes, Blaine said.

-=-

Mobile secrecy

A new personal digital assistant developed for the National Security 
Agency will let government officials access classified networks and make 
top-secret calls on the move. Its security features include:

* Access via the Defense Department’s Common Access Card.
* Encryption of stored data.
* Automatic deletion of encryption keys when the system detects break-in 
  attempts.

— Sebastian Sprenger






This archive was generated by hypermail 2.1.3 : Tue Jun 26 2007 - 23:23:02 PDT