Securing the Presidential BlackBerry
Naysayers aside, President-elect Obama appears determined to take office Tuesday with his BlackBerry -- or at least some PDA -- firmly in hand. Here's how experts say he might pull it off -- and what pitfalls he may be underestimating.
The Presidential Records Act requires retention of the bulk of documents generated by the president for public review at a later date, so any message Obama creates with his BlackBerry would have to be retained and stored, subject to scrutiny in the future. But the larger problem is that the BlackBerry is unlikely to get the nod as the presidential wireless handheld from the National Security Agency (NSA) or other federal entities with a traditional oversight role in top-secret communications security, according to experts.
"The most significant issue here is security," says Randy Sabett, partner at Washington-based law firm Sonnenschein, Nath & Rosenthal LLP. "The number one target of anyone anywhere in the world would be the e-mail communications of the most powerful man in the world, the president of the United States." Sabett, who has worked at the NSA, says that "nation-states, terrorist organizations and criminal gangs" could all be expected to be trying to break into a president's BlackBerry.
There is a version of the BlackBerry that uses AES-256 encryption, which has been approved by the Defense Department for sensitive communications. Research in Motion, maker of the BlackBerry, points to a number of government and third-party security certifications as evidence that its key-management system is secure.
A November 2008 certification by the Fraunhofer Institute for Secure Information technology in Germany, for example, gave a positive evaluation to the BlackBerry's use of cryptographic algorithms and life-cycle management of shared secrets or keys and passwords.
But for top-secret communications, the NSA has a history of turning to select manufacturers for custom-designed equipment. These include the high-security STU-III phones or the more recent Secure Mobile Environment/Portable Electronic Device program under which General Dynamics built the Sectera Edge smartphone and PDA.
This Sectera is compliant with what's called the Secure Communications Interoperability Protocol and the High Assurance Internet Protocol Encryptor Interoperability Specification for secure interoperability with in-line encryption devices used on the government's Secure Internet Router Network (SIPRnet).
L-3 Communications has also built an SME PDE-style PDA called the Guardian, which is undergoing certification.
But use of any PDA smartphone remains problematic for a president.
Smartphones are programmable devices and "local devices are increasingly vulnerable to attacks by injecting hostile software onto the device," says Phil Zimmermann, a fellow at the Stanford Law School's Center for Internet and Society, and creator in 1991 of Pretty Good Privacy (PGP), the public-key encryption and authentication system.
"If that code can gain control of the device, it could take such actions as activate the microphone, record his conversations and then transmit them somewhere," Zimmermann says. "You're being ratted out by the device in your pocket."
Potentially, the device could even "rat out" your location, he adds, because many smartphones provide highly accurate GPS capabilities.
While a simple BlackBerry for the president may not get the thumbs-up from the NSA, Obama should not necessarily consider this the final word, says security expert Bruce Schneier.
"Look, he can decide to paint the White House blue if he wants," Schneier says. "The Internet is the greatest generation gap since rock and roll. . . . The NSA will tell you the risks, but they will never say here's what the benefits are." Obama might be so productive and effective with a BlackBerry or other PDA, it would outweigh the risks.
But Schneier also acknowledges the risk of hacking the presidential PDA is high and in any event, it is not possible to have absolute certainty that e-mail actually came from Obama.
"No encryption program solves that," says Schneier.
Gartner analyst John Pescatore, whose background includes working with the Secret Service, says NSA-approved devices like Sectera would be secure enough for use in a closed system, but the problem is switching to unclassified mode to use the Internet.
"Internet e-mail is totally unacceptable for a president to use," Pescatore says. "There is no strong authentication -- how can anyone prove an e-mail came from the president? There is no integrity -- how can anyone prove the content wasn't changed?"
Use of something like the PGP public-key infrastructure could help the president communicate with others in a larger closed system, says Pescatore, "But that doesn't stop anyone from forwarding an e-mail from him outside that closed loop."
Pescatore says he would also be concerned that any wireless device might act as a radio-frequency beacon to reveal the president's location.
The other challenge -- the legal requirement under the Presidential Records Act that a president store all documents in order to make them available to the public in the future -- is also a factor Obama and his team must consider.
Most legal experts and scholars say there's nothing in the Presidential Records Act to prevent use of e-mail.
"What it does do," says Dickinson College political-science professor Andrew Rudalevige, "is make every presidential e-mail a public record and thus something -- unless classified for other reasons, such as national security -- will be released via the presidential library system."
Records are typically deemed "open" 12 years after the president leaves office, but can be opened by presidential consent, by the Freedom of Information Act or subpoena before then, he adds.
However, current law doesn't require presidential phone calls to be recorded, though they have to be logged.
So, between the Presidential Records Act and the threat of PDA hacking, presidents have some good reasons to avoid e-mail, Rudalevige notes.