Going mobile in classified military environments: Time to leave old practices, not devices, at the door


The increased threat from connected adversaries, coupled with advancements in classified mobile capabilities, makes now the right time for C2I agencies to make mobile a priority—designing new mission-enhancing mobile services and mapping their secure path to a more digital, mobile-empowered future. In doing so, old practices—rather than mobile devices—can be left at the door.

Ask a civilian how they imagine their government’s intelligence agencies’ communication systems working and they’ll likely conjure up a James Bond-like world of advanced gizmos that can quickly access everything from classified satellite images to the location of friendly forces in the field.

However, the reality is that most Command, Control and Intelligence (C2I) agency employees literally get asked to leave all mobile devices at the door, to guard against the very real threat of information leakage.

This is the cultural status quo in many C2I agencies, but it is also a growing risk to mission effectiveness, with slow adoption of mobile technologies potentially leaving C2I agencies at an operational disadvantage, lagging behind more connected adversaries.

The question is: Are C2I agencies adequately protecting themselves if they leave the benefits of mobile at the door?


Is mobile worth the investment for C2I agencies?
The business case behind greater mobile adoption is strong. Mobile technology has led to a transformation of the workplace, and the mobile-enabled workforce is widely regarded as the future for every organisation. Mobility has proven to provide better and faster decision-making through improved access to key data and analytics. It enables employees to collaborate with ease. Clearly, these are capabilities that have the potential to deliver considerable, crucial gains to C2I agencies.

Consider, for example, a scenario where a commander has an urgent need to approve the prioritisation of intelligence targets in a classified operation. In many private sector organisations, decision support information can be pushed directly to executives’ smartphones or tablets, allowing them to make decisions in a considered, auditable and rapid manner from anywhere with the click of a button on their device. Clearly this would be advantageous for C2I agencies, and advances in technology mean that it is also increasingly feasible.

Making progress
The United States Department of Defense has been a leader in the adoption of mobile for command and control in classified environments. Even so, its Defense Information Systems Agency (DISA), tasked with ensuring information superiority in defending the United States, has found progress challenging. DISA’s chief technology officer and chief mobility engineer, Gregory Youst, stated that it takes his agency three-and-a-half hours to activate a single classified mobile phone.

Even so, DISA still believes that developing its mobility capabilities is essential to staying ahead of adversaries. The agency noted that it now seeks to integrate mobility directly into its applications, rather than build separate tools. In essence, it plans to ensure a mobile instance of all the capabilities it currently offers. “We are trying to move away from mobility being the exception or the oddity and moving toward mobility being central to everything we do,” explained DISA’s Chief Information Officer Dave Bennett.


Securing the mobile C2I world
As DISA has shown, achieving required mobile security for a classified environment—without compromising the functionality and usability employees rightly demand—is challenging but not insurmountable. There is a range of ways to bring government-grade security to the entire software stack on mobile devices—protecting both the data and the device itself.

For example, virtualisation now allows mobile phones to support several operating systems on the same hardware, so that an agency’s IT department can securely manage a single device, rather than worrying about securing multiple devices. Among others, the Australian Government recently defined its evaluation pathway for use of mobile devices, including detailing the progressive steps towards certification in meeting security requirements.

Hardware is also playing its part, with Apple’s latest iOS operating system featuring encryption so secure that no one, not even Apple, has the key to it. A former FBI director recently called it “a virtual fortress from law enforcement.” This will no doubt raise fresh surveillance challenges for C2I agencies, but it also indicates that mobile devices can be adequately secured for their own use.

A word of caution is offered by the NSA’s Troy Lange, who notes that "the device is probably the easiest part." All the other components—network monitoring, enterprise services—are much harder. The NSA solution involves redundant, independently designed encryption layers. It’s also cloud-based, with the device acting as a conduit to classified data, rather than as a storage hub.