A senior National Security Agency official today said the agency is racing to embrace an approach to mobile technology that once would have been unthinkable for one of the government’s most secretive agencies, by moving toward 100% end-to-end reliance on commercial communications technology.
NSA Director of Information Assurance Deborah Plunkett told an industry group today in Washington that, “Unless we do this, we will not be able to meet the demand signals from our customers.”
Plunkett was referring to the need for agency officials and analysts to connect to classified and non-classified but sensitive information networks anytime, from anywhere in the world, eventually on a single device. NSA employees, including Plunkett, lack many of the mobile capabilities that she and fellow NSA employees have grown accustomed to outside of work.
NSA is working with wireless carriers, smartphone manufacturers and others to develop a series of “composable solutions,” she said. The concept involves identifying and mitigating security vulnerabilities inherent in delivering and using information to mobile devices via commercial carriers throughout the world under a variety of circumstances.
Those efforts are moving beyond more recent approaches of simply “hardening” devices, as NSA did in modifying an iPad tablet for President Obama to work securely inside the White House. “Let’s put it this way, it’s not under warranty anymore,” she said.
Plunkett said that in the past two weeks, NSA has begun a “deep dive” into exploring how best to use hardware and software encryption methods to secure mobile devices and the data moving to and from them. Plunkett said she could not provide details on the effort.
“Let me just say, if we were starting from scratch, then hardware (encryption) is the best way to go. But the fact of the matter is,” given the rapid evolution of mobile technology developments, “we have identified acceptable mitigations to take, using software serves,” she said. “Stay tuned.”
“The poster child of what NSA will no longer be doing,” said Plunkett, “is the SME-PED,” a rigorously engineered smartphone capable of accessing top secret, secure voice and data networks. The Secure Mobile Environment Portable Electronic Device took millions of dollars to develop and five years to deliver.
“It was a phenomenal idea at the time it was conceived (early last decade) and would have been a phenomenal product when it was delivered, had it not been for the introduction of the iPhone,” she said.
One of the wake-up calls for NSA came about two years, said Plunkett, when a wireless service provider during a visit to NSA made clear that 2G wireless services, on which a number of NSA systems relied, would be going away as carriers began shifting toward more robust 4G and LTE networks. “Quality of service is critically important,” said Plunkett, who noted that the agency in fact began to see pockets of degradation in areas that depended at 2G services.
That meeting kick-started NSA’s move to a more comprehensive mobile strategy, she said, but it also deepened the agency’s resolve to work with commercial providers to stay more closely in step with the rapid evolution of new commercial products and services.
Plunkett, speaking at a forum on mobile security sponsored by the Washington D.C. chapter of the Armed Forces Communications and Electronics Association, also highlighted three primary goals NSA technology and information assurance officials are pursuing at the agency:
- Establish ongoing partnerships and working arrangements with commercial providers – to develop and deliver secure implementations “out of the box” and to prepare for next generation security technologies;
- Establish mobile enterprise capability – including enterprise security policies, interoperable capabilities via gateways, and anywhere, anytime access to unclassified and top secret infrastructure; and
- Publish and update mobile capability packages – with an emphasis on vendor agnostic architectures, minimum required security capabilities and residual risk assessments.
Plunkett, told industry executives that she feels the urgency of moving NSA into the mobile future as quickly as possible. Having finally given in to the urge to buy a personal smartphone earlier this month, even though she can’t use it most of the day working at NSA, she said, ” I want you to know, I’m feeling the pain” of being walled off at work from the mobile capabilities most people take increasingly for granted.