iPads, iPhones and other top mobile devices still banned from DOD networks
Stars and Stripes
WASHINGTON — Sergeants particularly love it — an app for iPhones, iPads and Android devices that makes it easy to tally their soldiers’ Army Physical Fitness Test results.
“Does everything I need it to do,” a user who goes by the name SSG PRT wrote in a review posted in the online Apple iTunes store. “I give PT tests every week to [advanced individual training] students, this helps calculate on the fly.”
Since its release last year, the free “US ARMY APFT-Body Fat Calculator” has been downloaded 170,000 times.
There’s just one problem. The wildly popular app is hamstrung because it isn’t allowed to connect to military networks, said the soldier who oversaw the development of it and dozens of other Army apps.
“What if it could get APFT data right off the Army network?” said Lt Col. Gregory Motes, head of the Army’s Mobile Applications Branch, set up in 2010. “That’s the No. 1 obstacle we have to overcome now, being able to connect into military networks to pull down the soldiers’ information when they want it.”
But that can’t happen until the Pentagon information technology managers, grappling with a set of new cybersecurity issues posed by the explosion of mobile computing, open Defense Department networks to the most popular new smartphones and tablets.
Devices that run on Apple Inc.’s iOS and Google’s Android operating system are “not approved to connect to DoD operational networks due to insufficient technical controls for ensuring device configuration integrity,” Pentagon officials told Stars and Stripes in a written response to questions about smartphone policies.
This abundance of caution means iPads, iPhones and the range of Android devices are banned for everything from unclassified email to accessing secure databases.
The restrictions extend from the rank and file to the department’s top leaders. On his first full day in office on Monday, Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey told reporters that leveraging the new technology was key for DOD, and held up the iPad 2 he uses to read secure briefings.
But Dempsey’s iPad, the result of a 2011 program aiming to replace printed daily briefing books, still can’t connect to secure networks for email or other uses, Pentagon spokeswoman April Cunningham said.
“The devices have been physically altered and are being used in standalone mode,” she said in an email, meaning the briefings must be downloaded directly from a secure machine, rather than connecting wirelessly to a Pentagon network.
Likewise, Army vice chief of staff and iPhone enthusiast Gen. Peter Chiarelli, who spurred the ongoing development of an Army smartphone for battlefield use, can use his Apple phone only for personal use. He carries a Blackberry — approved for military email but not full network access — for business, his spokesman said.
The irony does not end there. The bimonthly Marines Magazine is available through a slick, commercially-developed iOS app that features video and other interactive features—none of which is available to Marines using Marine Corps technology.
And the marquee feature on the new iPhone 4s, introduced Tuesday, is an advanced voice-recognition app called SIRI that lets user control the phone verbally. The roots of the SIRI program are in a DOD-funded project, the fruit of which is now effectively off-limits for DOD business.
With the powerful iOS and Android systems dominating the civilian smartphone scene, demand for the devices inside DOD is intense as well. Some defense employees simply ignore the rules and configure their personal iOS and Android devices to access military email, and some units are using the devices in operations without authorization.
At a conference in August, Army cybersecurity specialist Lt. Col. Matthew Dosmann said investigations found the restricted devices being deployed through “improper and unapproved acquisition processes,” and concluded that to many soldiers, “disregard for information security is generally acceptable.”
But commercial iPads this year made their combat debut in ways that avoided security violations. Marine helicopter pilots in Afghanistan and Navy fighter pilots participating in the Libyan war both used maps loaded onto commercial iPads.
“Essentially there is no room to carry all of the maps in the small cockpit of the Cobra,” helicopter pilot Capt. Michael Christman said in a press release. “It can be a real inconvenience to pull them out and reference them during flight.”
Maps and other data can be loaded directly off drives without accessing military networks, Navy spokeswoman Amanda Greenberg said.
“Devices such as iPads are only being used as electronic readers and do not connect to the network,” she said.
But while testing of iOS and Android devices is taking place throughout the DOD, and the Army is developing military-specific secure smartphones, actual operational uses remain few and far between as DOD slowly sorts out security issues.
The DOD information security community was stung by gaping security holes left in the wake of a haphazard move in decades past to connect to the burgeoning, and in retrospect, dangerously open Internet. In the years since, individual hackers and competing nations have crept through the digital cracks to vandalize websites or steal classified data. The move to mobile computing can’t follow the same slipshod path, experts say.
“I’ve just read about a new tablet [developed by Amazon] coming on the market,” said Capt. Steven Simon, director of the U.S. Naval Academy’s Center for Cyber Security Studies. The pace of innovation is exciting, he said, but “every time we come up with a new technological innovation, we have a new set of holes in our network.”
The prevailing caution means the biggest revolution in personal computing since the advent of the Internet may, by and large, be passing the military by. So should the Pentagon fling open the door to smartphone use on military networks?
Probably not yet, said a range of experts from the military and computer security industry.
The Pentagon needs time to thoroughly understand the devices and their flaws, said Charlie Miller, a cybersecurity specialist known as the first person to successfully hijack both an iPhone and an Android phone. Miller notified Apple and Google of the security holes he’d found, but there are surely many others, he said.
“What they use now... they’ve probably had a million people look at it and they know it works,” said Miller, a researcher for the computer security firm Accuvant Labs. “But if the new technology lets you do your job better, there’s a tradeoff where you have to weigh the risk against doing the job better.”
The fact that the devices in question are cellphones and tablets — personal devices used in a wide variety of locations, which are sometimes lost and have a mixture of work and personal data on them — poses difficult new cybersecurity questions that justify taking it slow, said Phyllis Schneck, chief technology officer for the computer security firm McAfee’s public sector business.
“We built the Internet and enjoyed it, but we stepped back 15 years later said, ‘Oops, we forgot to secure this,’” she said. “I think DOD is doing it right this time.”
Even Motes, whose Mobile Applications Branch is directly hampered by the restrictions, said protecting vital military networks easily trumps the ability to use a new electronic gadget a few months earlier.
“I’m not frustrated by these limitations,” he said. “I’m pragmatic about them.”
Motes, a cybersecurity specialist before he was an app producer, said he doesn’t want his group’s work to be a springboard for a skilled adversary to penetrate DOD’s networks and potentially cause havoc.
For now, he’s willing to make useful, if limited apps, like the Army fitness test calculator. But there are bigger things to come when security is sorted out.
“We’re exploring the role of apps in the military lifestyle,” Motes said. “Really what we’re doing is laying the groundwork so we’ll be in position when this matures to take maximum advantage of the technology.”