Mobile Security: There's Just No Such Thing
The fact is, when it comes to security, if you're using a wireless device for voice or data, you might as well be standing in any international airport and speaking to a colleague over a megaphone. Oh, and you might want to slow down from time to time to let the crowd around you take notes.
Although no one quite put it that way, that is the crux of the opinion of numerous experts I spoke to about using the current crop of wireless devices for voice or data.
The Center for Strategic and International Studies (CSIS) Monday released a congressionally sponsored report entitled "Securing Cyberspace for the 44th President." The report never directly discusses how at risk we are, but if you want to interpret a 64-page report that calls for almost the entire revamping of what we now call cybersecurity for the 21st Century, you would be justified in believing that, at present, there is no real security whatsoever.
Prior to the report's release, I spoke with two members of the CSIS: Tom Kellerman, chairman of the threats working group and vice president of security awareness at Core Security Technologies, and Amit Yoran, chairman and CEO of NetWitness. Both men spoke to me about the inherent weakness of wireless technology.
As it turns out, while not many executives in private industry require the same level of security as the president of the United States, the current state of mobile security should give them pause.
Kellerman and Yoran point out that billions of dollars of private sector IP is at risk on a daily basis, and not from some lone hacker trying to outwit the experts. Rather, the threat comes from foreign countries that view national security as tightly connected to economic well-being. As a result, they often help their own companies hack into U.S. companies to gain competitive advantage.
By the way, I am also told America does, if not the same thing, stuff that comes awfully close. My source says that while the U.S. government may not hand over private-sector IP from other countries to U.S.-based companies, we do tap into it and use it when deemed appropriate.
After hearing all of this, I got to wondering if there are any secure voice and data technologies available. The answer is yes, of course, if you're willing to pay for it.
The NSA and DoD put out a bid request about three and a half years ago for just such a device. General Dynamics was one of the winners, with its Sectéra Edge device. I spoke with Michael Guzelian, director of secure voice and data products at General Dynamics, C4 Systems, about the company's product.
On the data side, Sectéra Edge's security is certified Top Secret by the NSA. On the voice side, it is certified Secret.
All General Dynamics employees on the project were also vetted for Top Secret and Secret security clearance.
Most of the work is done through NSA-grade encryption algorithms for voice and data, which are encrypted both over the air and on the device. Unlike other wireless devices, which unwrap the data for a few nanoseconds, the payload on the Sectéra Edge is encrypted while the address is in the clear, says Guzelian.
Voice is also encrypted using the same encryption used on government secure phones, the STE standard.
A user makes a phone call and says something like, "We need to have a secure conversation," or, "Let's go secure." Press a button, and the voice is turned to data and scrambled before it comes out the other side.
If you think commercial versions of these devices will never be available, don't count on it. Read the CSIS report, and you'll quickly see that the government is making the security of private industry as important to our national security as its own top secrets.
The report also recommends that all government agencies, not just those dealing with national security, adopt the same levels of cyber protection as the NSA.
I asked Guzelian about this, and sure enough he said that Sectéra Edge is not just being ordered by the CIA but by the Justice Department and the Department of Energy. There are now inquiries from the financial services industry as well.
The device weighs 11 ounces and includes two complete PDAs (say, two BlackBerrys or two Palms) built in: one for normal voice and data and one for a secure transmission.
Sectéra Edge can use commercial cellular bandwidth and is certified on AT&T, T-Mobile, and Sprint cellular networks, with Verizon due in January.
It's not cheap, though, at $3,150 with a one-year warranty.
Not to denigrate what General Dynamics did, but my guess is that cell phone manufacturer Shenzhen Gaoxinqi Technology in China could probably make it at half the price!
This article originally appeared as a blog posting on our sister site, InfoWorld.com.