Obama Can't Have a BlackBerry. Should Your CEO?
The press has been all over President-Elect Barack Obama's addiction to his BlackBerry and the possibility that he might have to give it up for reasons of national security. But no one in the media seems to be asking the most logical follow-up question: Is the cybertechnology that can compromise the future chief executive's BlackBerry also a threat to mobile devices being used every day by thousands of senior executives in corporate America?
One security expert, Ron Cochoran, president of RER Technology, answers that question quite succinctly: "If the president can't use it for security reasons, then there's obviously something wrong with the security system."
The prohibition against BlackBerrys in the White House actually started with President George W. Bush's administration. "We made a judgment call prior to September 11, 2001, that people in the White House could not use a BlackBerry," recalls Joe Hagin, who served as deputy chief of staff for operations for seven years and is now the CEO of Jet Support Services, a jet-leasing company.
Ironically, the Bush White House suspended that policy for some staffers after the terrorist attacks of Sept. 11, 2001. "On September 11, we had tremendous communications challenges, while people on the Hill [Congress] had communications [through their mobile devices]. I made the decision that we couldn't operate without them. We bought 200, then 400, and finally about 600. They are common around the executive branch, and more than just BlackBerrys."
But users of the White House mobile devices are restricted in what they can do, to reduce the chance of cyberespionage: GPS is disabled, no one is permitted to transmit classified data over an unsecured device, and mobile devices cannot be used overseas where the local networks are often vulnerable, Hagin says. As Hagin knows firsthand, there are many highly sophisticated cyberespionage tools available on the cheap and sold online that could compromise a government or a corporation.
Economic and national security at stake
While the consensus of opinion of the security experts InfoWorld consulted is that no system is 100 percent secure, they also agree that wireless technology is inherently less secure than a wired desktop behind a firewall. But even desktop-based communications systems may have more risks in their information being snooped once the e-mails, IMs, and so on leave your network.
So, what's at stake when your execs are using wireless devices such as smartphones and laptops, or working at home or at a coffee shop on their laptops? As it turns out, far more than a CEO's contact list and calendar. On the line, say the experts, are billions of dollars in proprietary intellectual property and the maintenance of a continuous flow of capital, the lifeblood of business. Not to mention the fact that as private industry supplies more and more services to the government, at risk is the infrastructure that directly affects our national security.
American business is already under cyberattack, say two security experts who served on a congressionally sponsored study being conducted by the Center for Strategic and International Studies (CSIS) to give recommendations to the next president regarding U.S. cybersecurity.
The Threats Working Group, part of the Commission on Cyber Security for the 44th Presidency, issued its final report this week, with some startling insights into the depth and breadth of that threat.
Tom Kellerman, chairman of the Threats Working Group and vice president of security awareness at Core Security Technologies, says the U.S. government has identified more than 100 countries that use military-level cybercapabilities to help their companies gain a competitive advantage. "Many of these countries endow [their] national corporations with cyberespionage capabilities so as to steal intellectual property for the sake of economic advantage," he says.
The plain and simple fact is that technology is completely interwoven into how government and corporations operate, says Amit Yoran, another member of the Threats Working Group and a former director of the National Cyber Security Division of Homeland Security. That technology -- communications technology, in this case -- is thus a key vector into discovering, and perhaps even manipulating, the information behind key industries. Protecting those industries' competitiveness is a key part of a country's national interest, he adds.
The communications revolution that lets people work almost anywhere and share information across public and private networks has helped many businesses be more agile as barriers to knowledge work are removed. But this "de-perimeterization of business" also means there are no borders that can be defended, says Phillip Dunkelberger, president and CEO of PGP, a point-to-point encryption vendor.
Private enterprise needs to meet the de-perimeterization security challenge with security systems as sophisticated as what cyberthieves use because cyberattacks can now do tremendous damage -- including taking down utility companies and banks and rendering them unable to distribute electricity or move money.
The Threats Working Group's Yoran says we need to think of our computer network as an aquatic environment. If you don't protect the entire aquatic ecosystem, you don't stand a chance of protecting the integrity of your own data inside it, he says.
Mobile is the least secure medium
Although the de-perimeterization risk affects all methods of electronic communications, mobile communications is most at risk, Dunkelberger says, due to their very architecture.
One reason for mobile's higher risk has to do with the stability of the desktop environment versus the ever-changing designs of mobile devices, says John Pescatore, a senior security analyst with Gartner and a former member of the Secret Service. The hardware for the PC hasn't really changed much in 20 years, so security experts have had the time they needed to develop systems that are highly secure. At many businesses, the only platform that security administrators have to worry about is a Windows-based PC, and having just one platform to focus on makes it much easier to manage potential threats, he notes. By comparison, the vast majority of mobile devices have unique, proprietary hardware platforms and their own set of operating systems.
In the mobile world, "the BlackBerry and the iPhone are the closest examples we have to a controlled platform," Pescatore notes. That control is good, he adds: "RIM and Apple build both the hardware and software, making them the most secure handheld platforms."
Pescatore says the RIM BlackBerry is the safest device to use for e-mail, as long as you also deploy strict policies with encryption of mail over the air. He also said while the iPhone isn't yet as secure as the BlackBerry, it could be made just as secure if Apple chooses to make it so.
But even with the BlackBerry's and iPhone's advantages, several security experts aren't sanguine about the use of handhelds to carry sensitive data.
Encryption, or lack of it, is perhaps one of the main reasons mobile devices have what PGP's Dunkelberger calls a "higher threat ratio" than desktops. Most information sent in an IM, for example, is in the clear, unless point-to-point encryption is used.
Dan Hoffman, CTO of security vendor SMobile Systems, says that if he is given access to a mobile device, perhaps left behind in a hotel room or at a meeting, he can pull data off that device in about 34 seconds and at the same time install Trojan malware.
One such hacker tool, called CSI (Cell Seizure Instigator), automatically downloads everything on the device. It is legal and can be purchased on the Internet for about $200.
Another mobile spy tool out of Bangkok, called FlexiSpy, can do a lot more than monitor cheating spouses, which is what it is marketed for. Once installed on a mobile device, FlexiSpy can intercept every e-mail and SMS message, track where a person is, and -- most dramatic of all -- listen to conversations without the user ever being able to detect that the microphone is turned on, says Hoffman.
Imagine the president at a cabinet meeting or an executive at a board meeting putting his mobile device down on the conference table and not being aware that every word is being heard, at least as long as the perpetrator doesn't say something like "Can you speak up?"
The security experts InfoWorld consulted say that many senior execs -- not just President-Elect Obama -- should be very cautious about when they use their BlackBerrys, at least until better wireless and device security is available. Perhaps they should just give them up, suggests Core Security's Kellerman: "Is it that important to use your 'CrackBerrys' when you know you can't maintain the ultimate control of that device?"
"Mobility is a double-edged sword that most executives don't want to acknowledge. There is a culture of deniability," adds Yoran.
Risks beyond mobile: Crossing national boundaries or using the cloud
Dunkelberger says you should accept that fact that if you are sending data across national boundaries -- such as designing products in one country and building it in another -- governments and competitors can read the proprietary data you may be sending back and forth unless you are using point-to-point encryption. This is true for desktop and wired communication -- not just for wireless or mobile devices.
The increasingly popular cloud-computing option is also risky, Dunkelberger says. The technology is a boon to de-perimeterized executives who want to access corporate applications outside the firewall, but that means sensitive data also lives outside the firewall, beyond your control. If your company uses SaaS (software as a service) or other cloud-type offering, you should ask the service provider how it secures its applications when federated across 50 different systems, Dunkelberger advises. "Do not put [intellectual property] on a SaaS service," he warns.
Traditional Web security products and services filter URLs and can inspect malicious files on downloadable objects. However, now more often Web sites are streaming AJAX-based and other Web applications that launch without user interaction. Most security software checks the file only after it has been downloaded; such software does not protect against malicious code running in the cloud.
"Security professionals should look at security in the cloud and specifically Web security in the cloud, which is critical to being able to protect users on the Web when they leave the office perimeter and access the Web in hotels, airports, at home, or in the office on laptop and mobile device," says Paul Judge, CTO at Purewire, a Web SaaS company.
The more hops that data travels, the greater the risk of it being intercepted, say most security experts. And you may be surprised how many hops data travels. You can use a Unix utility called TraceRoute to track the route taken by packets across an IP network. In one quick test, going from one computer to CNN.com took 12 hops -- each a potential entry point to cyberthieves.
According to Core Security's Kellerman, there are a huge number of hacking programs available for electronic espionage. "It is a regular arms bizarre. It's like the Dark Ages with mercenaries for hire," he says.
Both organized crime gangs and sovereign nations have made a business of stealing intellectual property, such as trade secrets, by conducting cyberespionage. Such espionage is worth hundreds of billions of dollars in business, and unsurprisingly major criminal syndicates from the Chinese Triad to the Russian mafia are heavily involved in hacking, says Kellerman. Even the Brazilian drug underworld is getting involved because, as it turns out, it is easier and safer to hack a system and sell the information than it is to grow, process, and distribute cocaine. And cyberespionage is more profitable as well.
The result, Kellerman says: "We are hemorrhaging data."
The answer -- in addition to rethinking what information you make available through unsecure devices and networks in the first place -- is to get real about which of your security systems are actually working as it should. It's not just about having a firewall or a virus scanner, he says, but vetting, assessing, assuring, and testing to demonstrate that they are functioning. "In other words, make sure that your dogs bark."