Does the Pentagon hold the keys to improving mobile device security?
Teri Takai may have something no other federal chief information officer or industry executive has: a budget and a strategy that just might deliver on the promise of a more secure mobile device market.
The warnings coming out of the mobile security world paint an ugly picture of the future. Users shouldn’t trust smartphones with credit card information; lost phones can be easily hacked; the apps loaded by default cannot be trusted; and commercial app stores are overflowing with either poorly written apps that can open up your network to attack, or scam apps written exclusively for the purpose of data theft or financial fraud.
This is the world that awaits Takai, the CIO of the Defense Department. But Takai, who oversees a $40 billion annual IT enterprise — one of the largest IT budgets in the world — is not heading down the path to mobility blindly. She oversees a market that all the major players in the mobile industry want a piece of and, more important, she has a plan.
And if you listen to her describe the moving parts of that plan, you realize quickly the Pentagon could soon become the prime mover behind real change in the mobile device market.
The initial thinking in DOD was that the mobile security challenge was really a device problem. In 2012, the department had 50 mobile pilot projects underway, and the fear was that the devices would open up the Pentagon’s secure networks to security threats.
But that thinking has since changed, Takai said.
“We’ve sort of broken through the device problem,” said Takai, who spoke Thursday at the fourth annual MobileGov Summit, hosted by FedScoop.
Last year, DOD approved the Android-based Samsung Galaxy S4 and the BlackBerry 10. In January, the Defense Information Systems Agency released its approved technical implementation guide for using Apple iOS 7 devices in an unclassified setting, and is currently working on a commercial solution for classified networks.
Likewise, Windows 8 is now working its way through the approval process, which the department plans to streamline by merging the steps previously taken separately by DISA and the National Security Agency.
DOD recently reached initial operating capability status on its mobile device management. DISA is now able to configure the applications, ensure the security and get those devices ready for deployment.
The key, according to Takai, was to establish a standard way to ensure the devices, which are deployed all over the world, could be wiped if they were lost or stolen.
“We feel like we’ve made quite a bit of progress in terms of getting the devices ready and in terms of getting the configurations ready, and being able to say that these devices are going to be secure,” Takai said. The challenge now is dealing with the rush to put mobile devices with secure applications in the hands of service members.
“This moves from ‘do I have a phone that I can talk on’ to ‘do I have a phone that I can do something with,’” Takai said. This is “actually the greater challenge,” she said. “Now, we’re really talking about what are the structural changes that have to happen in the way that we look at our data, in the way that we look at our applications, and the way that we look at security.”
Those structural changes are focusing on three specific challenges, according to Takai.
The first is developing new policies and procedures for identity management. The department currently relies on the Common Access Card, often referred to as the CAC card (pronounced “Cack”), for network authentication.
“We knew from the very beginning that that was going to be very cumbersome when you start to get large numbers of devices deployed,” Takai said. “So we’re looking at moving to derived credentials, where we can derive the credential to the device and the device will not require having to be re-certified every time that it’s utilized.”
The department will also need to change policies to deal with this new method of managing credentials. And industry will need to begin looking at software-based certifications rather than hardware certifications, she said.
The second major challenge DOD is now tackling is the standard configuration of the mobile devices it buys from industry, including what apps it allows to be preloaded on the devices and the security of the apps it allows to be offered through the department’s mobile store.
“The problem for us now is that when we certify a phone and an operating system, we’re not only certifying from a hardware perspective, but now we’re having to certify into the app level,” Takai said. “That now means that it’s going to be even more challenging and more time consuming for us to certify a new phone.”
The department is interested in working with mobile device manufacturers to ship devices without preloaded commercial apps. Meanwhile, DOD has created a vetting process for apps that can be placed in the DOD mobile device store.
“This is very similar to what Apple does and very similar to what the current app stores do,” Takai said. But DOD needs tools that will help it consistently vet applications, and help update and change the apps once they are approved, she said.
“There’s just no way for us to be able to do it in any kind of a manual process,” she continued. “What we’re going to need to do is to have more and more sophisticated tools so that we can continue to vet the applications as they come in and do it very quickly.”
And that’s where it gets very interesting. According to Takai, DOD would like to leverage the federal government’s continuous diagnostics and monitoring process required for all civilian networks and bring it “into the mobile world.”
DOD’s large installed base of legacy code represents the third major challenge facing the department as it charts its future mobility course. The department is not about to rewrite its legacy code to be more app friendly, so it must find a migration path for this software base that will allow the department to leverage modern mobile devices more broadly, Takai said.
Tim Larkins, manager of market intelligence for immixGroup Inc., said there are potential downsides for DOD if it tries to push industry too far, too fast.
“If DOD develops a laundry list of needs and tries to force industry to jump through numerous security hoops, it stands to reason that device makers might walk away because the cost of jumping through those hoops may outweigh the benefits,” Larkins said. “But if DOD can boil down their needs to a few non-negotiable points, they might attract more of the mobile device community to the table who will be willing participants.”