Encryption takes on a whole new meaning with smart phones

Army and Marines have to reconcile various classifications for encrypted data

The handheld revolution ushering in the integration of smaller radios and smart phones into tactical communication suites also is illuminating distinctions in military classification priorities among the services.

Reconciling the differences in how the Army and Marine Corps classify information generated and consumed on a tactical level will require new military doctrine among the services, with solutions likely found in hardware and software, according to an industry source.

Classification Challenge

At the center of the debate over how best to handle tactical information is the hierarchy by which military information is categorized, ranging from unclassified to confidential, secret and top secret. Two distinct types of encryption provide gatekeeping. Type-2 encryption is employed on devices to protect sensitive but unclassified information, while Type-1 encryption is used to protect information classified as secret and above.




“The use of encryption is predicated on the type of data and the use,” said Rick Walsh, chief of technology and business processes with the Army’s CIO. “It’s up to the service component -- whether it’s the Marine Corps, the Army or the Air Force or the Navy -- to define what their level of classification of the data is.”

Although there is no discrepancy in how the services handle data after it’s classified at the same level, there are variations in how data is classified. “What we may do differently is…we may see something as ‘secret,’ whereas they may see something as ‘top secret,’ ” Walsh said.

“When information needs to be exchanged, we exchange information at the appropriate level. So if the Marine Corps says it is ‘top secret,’ we will exchange information with them at the ‘top secret’ level. You take the higher classification,” Walsh added.

Reconciling the classification – more specifically, the prescribed encryption – becomes a problem as military communications evolve towards device-agnostic cellular technology such as smart phones.

The Army is working to establish the architecture for such devices, according to Walsh. “But it’s not there yet,” he cautioned. “All the security rules have not been set, but our goal is to put the architecture and security in place where you can bring your own phone to work,” Walsh said.

Keeping Secrets

That security component for these devices will likely come in the form of sophisticated and complex technology that distinguishes Type-1 and Type-2 encryption, according to a senior industry executive who did not wish to be named due to the sensitivity of the subject.

“A Type-2 device certainly provides an appropriate level of protection for sensitive-but-unclassified information, but is less expensive to design and to certify and to build. A Type-1 device, which has much more stringent security requirements, is more expensive to design, to certify and then to incorporate into products,” the executive said.

One strategy would be to secure communications through hardware, such as a chip. “The problem with that is that it would significantly increase the cost of the phone and would probably limit its availability. While it may be the necessary route, it is the least attractive,” the industry official said.

However, the more attractive solution is to develop software communications security features that could be incorporated into smart phones and integrated into their architecture, he said.

The first wave of software security would likely be aimed at Type-2 information, with the goal of eventually protecting secret-and-below, he said. “That will probably be the sweet spot in the market, to provide a smart phone that has incorporated in it a software-enabled communications security algorithm that can protect secret-and-below information. That, I would argue, would satisfy the majority of the needs in the ground component.”

The software-based security would likely be based on commercial standards, such as those implemented in the banking industry, and would be defined with input from the National Security Agency (NSA), he explained. Many commercial standards that are under development and endorsed by the government have applications for the sensitive-but-unclassified and secret-and-below classifications. Once an algorithm based on industry standards is agreed upon, a communications company could implement it on its devices and seek NSA certification to handle secret-and-below information, he added.

“The DOD has some unique requirements, but they can be satisfied by tweaking these commercial standards so they can be put on these smart phones and operate pretty freely on the tactical network,” he said.

“You literally could have any device that is appropriately certified connected to the network, using tactical cellular or directly tied to a radio, then provide connectivity into the cloud and then providing and drawing classified information,” the industry executive said. A software-based security solution will make the products more affordable, and software is easier to develop, manage and improve than hardware, such as chips, is to replace and update, he added.

Doctrine Dilemma

However, before industry can move forward with a solution, the Army and the Marine Corps need to come to an agreement about how to best define information generated and consumed on the tactical level, the industry source said.

Both services declined to comment on ongoing discussions for this article.

Lack of consensus stands to affect interoperability in the field, the industry official said. “If the Marine Corps considers all of its information secret and below, and the Army considers only some information secret and below, then you have the issues in sharing information between the Marine Corps and the Army on the ground domain,” he said. “It certainly forces them to put architectures in place to make sure that information that is flowing up from the Army and information that is flowing up from the Marine Corps can come together at the appropriate level and can be shown in some kind of a portal, some kind of a software package, to the commander so that the commander understands situational awareness that he or she has on a particular operation,” he said.

From a doctrine standpoint, “the Army has decided you can protect that information at the sensitive-but-unclassified level. The Marine Corps feels it should be secret and below. They’re going to need to come together and figure out how they’re going to deal with that, either through doctrine or technology. To date, they’ve done it through technology,” he said.

“The services are going to have to dictate how the information is handled,” he added. “From an industry perspective, there is no right answer. We will react and provide the appropriate capabilities that the services desire.”

Reader Comments

Fri, Jun 29, 2012 Marine_officer

This article really missed the boat...the original classification authority for forces operating in a combatant commander's theater is the COCOM himself, not the services. The services have their classification guides, but they don't matter when forces are operating for a COCOM. All the data generated from the operation is also owned by the COCOM, who can establish the declassification dates or apply the appropriate exemption.

Wed, Apr 11, 2012

A long time ago in a galaxy far, far away, I recall working on a project called the secure mobile unit.

Mon, Apr 9, 2012

Here we go again, another writer writing about encryption technology and simply doesn't understand the basics of NSA crypto, what different crypto algorithm suites are used, and where and when they are used... Maybe someday you will actually hire someone who really gets this stuff to write your articles... No offense to Ms. Johnson, but don't write about a subject matter you are not an expert in...

Mon, Apr 9, 2012 Mike Washington, DC

In the article you state, “Type-2 encryption is employed on devices to protect sensitive but unclassified information, while Type-1 encryption is used to protect information classified as secret and above.” This statement does not address information classified as “Confidential,” the lowest level of security classification. While I am not an expert in encryption, my experience is that Confidential information is also encrypted using Type-1 devices.
