Army sets tone for government's mobile enterprise with Android
The Defense Department is taking the point in the federal government’s campaign to deploy mobile devices. But in its role as trail blazer, DOD must also wrestle with a number of issues key to a successful rollout of approved smart phones and tablets.
Among those issues are security, authentication and the logistics of managing many devices with varying degrees of access across the DOD enterprise.
Recent developments make government officials confident that high levels of security can be achieved for devices running on the Android operating system, but verifying who is using a particular piece of equipment remains a challenge. The department is looking at a range of identity verification techniques, from biometrics to physical and software user certificates to ensure that person sending that text or phone call is who they say they are.
DISA certifies Android mobile system for some DOD smart phones
Despite trepidations about security, all of DOD’s service agencies are going forward with mobile programs, with the Army as the lead organization. One of the biggest motivators behind the move to handheld devices is money, said Greg Youst, mobility lead for interdisciplinary systems at the Defense Information Systems Agency’s Office of the Chief Technology Officer.
DISA is providing the strategic-level planning and strategy to coordinate the services enterprise mobility efforts.
“The services are really pushing [mobility] because they want to be able reduce their costs,” said Youst at an enterprise mobility conference in December 2011. “They want to be able to hand a soldier a tablet or a smart phone and take the PC and a wide percentage of the phones off the desk to try to save on cost.” He added that this is a necessary approach as the services look at more than $1 trillion in potential budget cuts.
One effort underway is working with DISA, the National Security Agency (NSA) and the National Institute of Technology and Standards (NIST) to help develop and define some key notions for large-scale mobile device deployments in the military.
Mobility-as-a-service is an approach led by the Navy’s Space and Naval Warfare laboratory. SPAWAR’s program is trying to determine how to provide warfighters with access to unclassified information from their handheld devices, said Bill Edwards, integrated project team lead at SPAWAR’s Atlantic System Center, in Charleston, South Carolina.
Mobility-as-a-service is a subset of software-as-a-service, platform-as-a-service and information assurance-as-a-service, Edwards said at the December conference. All of these services work within a structured cloud-based model. Much of this capability has already been proven by President Obama’s BlackBerry, which has been modified to allow him to securely access data from the device, Edwards explained.
Encryption is not a problem, as capabilities such as Suite B, Advanced Encryption Standard and the public-key authentication infrastructure are being embraced by DOD, said Edwards. The main obstacle to deploying mobility-as-a-service is authentication. “The key here is with soft certifications versus hard certifications — do you want to use a CAC [Common Access Card] slide on your mobile device? I sure don’t,” he said.
Security for mobility-as-a-service is provided in layers using multiple information technology protocols such as FIPS and a variety of encryption types. SPAWAR is working with DISA to develop the policies and techniques to solve these issues. “What we’re bringing to the table as a solution will allow users to authenticate to an unclassified network in their own manner, with their own devices,” Edwards said.
One important issue is defining hard and soft certifications. Hard certifications are typically used with laptop computers and desktops with a built-in chip. Soft certifications are software-defined user identities. But their exact properties and what they will do are still undefined, said Tao Rocha, who works on tactical wireless networks for SPAWAR. “We need to do a little more homework in that space to say what exactly you are talking about when you say “soft cert.” he said.
Despite the need to pin down what exactly constitutes a soft certification, SPAWAR is pressing ahead with its efforts, working with DISA and NIST to help establish a firm definition for its certificates. The goal is to use hard certifications for devices accessing classified networks with the use of cryptographic modules, Edwards said. He added that it is unnecessarily complicated to use a hard certification to authenticate and access an unclassified network.
SPAWAR’s mobility-as-a-service effort is working with two protocols to provide security: HTTPS and TCP. The service uses a wireless transport layer security tunnel at the session layer — what Edwards refers to as a mobile virtual private network. He is confident that this layered security approach will meet authentication concerns among the various DOD groups working on mobility as a service.
The Navy is also working with Good Technology to make Apple iOS compliant with DOD standards.
“It’s not about devices, it’s about the platform,” Edwards said. By managing devices via the platform and with the right governance and policy, SPAWAR’s goal is to push soft certificates across the network to a user’s device without the need for a CAC card slider in a hard certification mode. This process is similar to what Good Technology is working on with its secure/multipurpose Internet mail extension messaging server, he explained.
SPAWAR is moving its mobility effort ahead with a combination of rapid prototyping, and when it is fully defined, a soft certificate approach using commercial devices backed up by research activities shared with groups such as NIST and DISA, ha said.
Another recent development has been the creation of a hardened kernel for the Android mobile operating system, which opens a whole range of mobile options for both civilian and military agencies. Created by a team of researchers from NIST, George Mason University and Google, the kernel provides a secure software base that will allow developers to add increasingly more sophisticated layers of encryption onto the operating system.
Security and information assurance is critical for military applications, and the kernel would allow soldiers to connect their smart phones to tactical and mission command and control systems.
“There’s great work being done with that [area] and it’s really moving along quite well,” said Michael McCarthy, operations director of the Army’s Brigade Modernization Command’s Mission Command Complex and head of the CSDA. Much of this work is being pushed by the DOD’s and the Army’s mobile efforts.
The secure Android kernel was evaluated by NSA and issued a Federal Information Processing Standard (FIPS) 140-2 certification in Dec. 2011. In the first quarter of 2012, the team plans to move its development work up to the next level, which would allow devices to connect into military networks at the secret level, an effort McCarthy said he expects to be completed by April 2012.
Achieving FIPS 140-2 status is important because it will allow the kernel to go in for Suite B encryption certification, which would allow the modified Android operating system to plug into classified-level networks. “That is a potential game changer,” McCarthy said.
A key driver for project is the need to access information stored within military mission command systems such as the Force XXI Battle Command Brigade and Below (FBCB2) and the Advanced Field Artillery Tactical Data System (AFATDS), he said. FBCB2 is the Army and Marine Corp’s mobile command and control system and AFATDS is the DOD’s primary tool for battlefield fire support.
This would be a two-way process, with devices being able to pull information from these systems, but also pushing information onto the networks. “That’s where a smart phone gives a soldier a tremendous advantage,” McCarthy said.
After FIPS certification is achieved, the program will pursue its Suite B certification. However, the NSA cannot conduct the second certification before the FIPS process is complete, expected sometime in the first quarter of 2012. “Unfortunately it’s not something you can run in parallel,” said McCarthy.
At the end of the process, the Android operating system will have Suite B certification, which allows the CSDA to begin connecting its devices into the government’s classified networks. “It then gives us the ability to move outside of the test realm and get into the operational environment,” McCarthy said.
The Army’s strategy is to not lock itself into a single device, but instead to create a system where soldiers’ data can be poured into new mobile devices as needed. That’s only prudent, say Army executives, as even if the service decided to field a new device next week, the speed of mobile technology development is such that new devices and software must be reviewed and evaluated continuously.