DoD POISED TO ISSUE POLICY RESTRICTING WIRELESS USE
Based on security concerns involving new network-based communications, Pentagon is poised to introduce policy that would restrict how personnel use wireless devices including BlackBerry handhelds, pagers and cellphones, Defense Dept. Chief Information Officer John Stenbit said Tues. “It’s about to come out,” he told reporters after wireless security conference held by Center for Strategic & International Studies and ITAA: “We are going to put some constraints on what types of devices could be used, where they could be used. We have to try to balance the desire of the employees for the freedom to choose whatever they want to do with the security considerations that we perceive.” He said policy would be released “soon,” most likely in matter of weeks or months. He placed new restrictions in context of DoD security issues as military systems moved from closed, end- to-end broadcast communications to more network-based operations. In network environments, weakest link can become vulnerability of entire network, he said. Also at conference, Richard Clarke, special adviser to President Bush for cyberspace, expressed concern about security of wireless LANs, saying industry itself was partly to blame for not doing more to bolster public awareness about potential loopholes. “Today there are widespread, insecure usages,” he said: “It doesn’t have to be that way.”
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Industry needs to work faster to come up with standards that can achieve higher level of security, Clarke said. “It seems to me a certain irresponsibility to sell a product that can be so easily misused by customers in a way that jeopardizes their confidential and proprietary and sensitive information,” he said: “Almost any product you can think of we wouldn’t sell like that, but we do today sell wireless local area networks and wireless connections without properly warning the people who are buying them that if they don’t have good security… they are putting at risk proprietary and confidential information.” In panel discussions, private sector and govt. officials outlined potential security loopholes in 802.11 wireless LAN systems, with several noting there were ways to protect information that was used on those networks. Problem, many agreed, often is one of consumer awareness, particularly of need to shield confidential information from unauthorized users that could break into systems with relative ease.
“It is clearly a problem,” Clarke said of security issues involving many wireless LANs. He cited recent Chicago Sun-Times story in which reporters, armed with laptops, cruised Chicago’s Loop and were able to get behind network firewalls of law firms, commodity traders, federal district judge and health care system. “What does it mean to have HIPAA [Health Insurance Portability and Accountability Act] and privacy rights, what does it mean to have firewalls and spending on IT security,” Clarke asked, “if you can for $100 buy a PCMCIA card and get in behind the firewalls?”
Clarke laid blame partly on himself for not spreading word more to raise awareness on wireless LAN security issue, as well as on companies for not doing more to secure their own wireless networks. “It’s not a matter of asking people to do the impossible -- it should be easier, encryption should be better,” Clarke said. “It shouldn’t be the case that if I listen to your transmission for 20 minutes that I can decrypt your code. That is the case today for most people who are using encryption on wireless.” Companies that choose to use wireless LANs should regularly monitor them to see if they can get into their own system, he said. Clarke called for standards that could be widely applied to achieve higher level of security “than is generally achievable in the systems today.” He said: “That is a somewhat harsh message but it is the truth.”
Stenbit, who is asst. defense secy. for command, control, communications and intelligence, said that at minimum, he would like to see some type of certification system that would at least apprise users what security abilities of system are. Problem with network-based systems is that problem at weakest link in network is not “only a problem at that outlier, now it could cause trouble for all of the rest of the network, that’s the concern,” Stenbit told reporters following off-the-record remarks during conference. Asked about his concern that encryption capability for wireless devices is lagging behind that for specialized military applications, Stenbit said “we tend to focus on parameters that could be of competitive interest to the commercial world in a way that we would be able to understand.” Among capabilities that would be useful from commercial world would be some type of sensor system so that it would be apparent if someone is carrying wireless device, Stenbit said after his speech. He acknowledged enforcement of pending wireless restrictions poses interesting questions for Pentagon because of this lack of detectability.
One concept that Stenbit touted was idea of independent, underwriters lab for wireless devices. DoD and rest of U.S. govt. has made commitments to buy only software with security features that are certified by process run by National Institute of Standards & Technology, with involvement of National Security Agency. Point is to have 3rd party certify that whatever software bills itself as doing it does. Similar system would be helpful for wireless devices, Stenbit told reporters.
Continued proliferation of wireless Internet devices will put those networks at greater risk for kinds of security threats that have beset wireline networks, McAfee Security Network Assoc. Pres. Arthur Matin said. “We are right at the edge of where that is likely to start happening more,” he said, describing what he cautioned were some poor protections to existing mobile Internet networks. Citing increased computing power of mobile devices, he said that allows them to run PC-like software, which in turn allows hackers to more easily spread “malicious threats.” Common software languages for wireless software development, such as Java, can open similar window for would-be hackers, he said. He and other panelists said a likely solution would be security updates that were built into the core of wireless infrastructure, including 2.5G networks. Awareness of developers in that sector doesn’t have same urgency as it would if there were bad virus or other catastrophic network breach, he said. “We need to get ahead of this curve,” Matin said. “The threat is clearly there.”