Pentagon Prohibits Wireless, Cites Security

The Office of the Secretary of Defense has issued a memorandum that prohibits the use of many types of wireless technology in the Pentagon and in much of the U.S. Army, Navy, and Air Force until the military has developed a wireless security strategy, which it expects to do with assistance from the National Security Agency.

John Stenbit, assistant secretary of Defense for Command Control and Communications and the Defense Department's chief information officer, signed the memorandum along with the OSD's acting director of administration and management, Howard Becker. Attached to the memo, which pertains to use of wireless in the military's IT networks, is a document entitled "Pentagon Area Common Information Technology Wireless Security Policy." The document elaborates on the dangers of wireless-to-network security and the steps the Pentagon and its service branches are taking to deal with it. The decision on wireless had been expected for several months.

Wireless Weaknesses

Because wireless technologies, particularly wireless LANs, bring with them new ways to break into networks, the Pentagon has decided to prohibit the connecting of wireless devices to a classified network or computer, the document states.

Use of some types of wireless devices will be allowed for unclassified data only. These devices include cellular telephones and personal digital assistants "in areas where unclassified information is electronically stored, processed, or transmitted." In addition, according to the document, "they would also be allowed in areas where unclassified information is stored" and "when there is a documented operational need."

The Pentagon's wireless security policy document specifically notes that the prohibitions against wireless do not pertain to "land mobile, emergency, and tactical radios and one-way receive-only devices."

Defense Data Guarded

"Given the exploitable vulnerabilities inherent in current wireless products and technologies and the interdependence of Defense and Pentagon networks, it is essential and expected that all tenants will strictly adhere to this policy," Stenbit stated in the September 25 memo. Stenbit noted that the OSD has asked the National Security Agency to "develop a Wireless Technology Vulnerabilities Database" for the Defense Department.

The document released by the Defense Department establishes a policy, definitions, and responsibilities to eliminate vulnerabilities associated with wireless technologies, and anticipates an annual review of the policy.

It reiterates standing notions of security for voice, data, and video; network servers; LANs; and telecommunications--noting that all need to protect against intrusion, disabling, and failure to authenticate users. Two particular goals are to ensure that user authentication of Defense Department information transferred via wireless computing devices takes place and to guarantee that critical Defense Department operations will suffer no adverse impact if wireless computing devices and supporting infrastructure are rendered inoperable.

The document recommends that the military's "network-capable, wireless computing devices" use security mechanisms that include password protection or authentication based on public-key certificates or biometrics, among other technologies. In addition, wireless devices must conform to Defense Department guidelines for intrusion detection, auditing, monitoring, encryption, and virus protection.

The document points to concerns that wireless LANs and other types of wireless technologies may permit remote eavesdropping and unauthorized entry into Pentagon systems if they're not used with the appropriate security.

The Pentagon's wireless security document asks defense agencies to record and gain certification for any wireless information systems they use, and to conduct an audit to detect unauthorized wireless information systems.