At the beginning of his administration, President Obama created a minor controversy by insisting on using a personal mobile device. But much of that debate, such as it was, revolved around presidential records. Little was said, at least publicly, about the profound security implications of the commander in chief sending and receiving important, possibly vital, information through cyberspace.

Appropriately, even less was known about the type of data President Obama accesses, creates, and stores on the device, and the degree to which any such data is stored in “the cloud,” particularly in non-government-controlled cloud storage. What is known, however, is that mobile devices are the most prevalent, and most rapidly expanding, gateways to all types of cloud services.

Recently, thanks to viral video, the world saw Secretary of State Hillary Clinton receive news of Moammar Gaddafi’s death over her mobile device. We do not know whether she received the information via a secure State Department IT architecture, or from open sources from cloud-based news providers. This not only matters from a security standpoint, but could impact the reliability of the information she receives if her mobile device, as it appears, is a primary source of information for the Secretary.

In October, President Obama issued an executive order reportedly restricting the use of mobile devices by federal employees, but the decision was made entirely for budget-cutting reasons. It was Forbes Magazine, referencing the order, that injected into the discussion the view that broader adoption of mobile devices by the government “is an open question, since uncertainty regarding security at the operating system level is rife.”

The concerns are legitimate, and claims that such devices are for only unclassified information are not very comforting. Anyone who has worked in government understands that the line between classified and unclassified may be inadvertently or carelessly crossed and, as former director of two intelligence agencies, I can testify that we would sometimes exert great energy to learn even the “administrative details” of the inner workings of a foreign government.

All cybersecurity issues are complex, and mobile device security is particularly so, but let’s start with the basics: C.I.A. In this case, the acronym refers not to an intelligence agency but to the most basic requirements for any reasonable cybersecurity program: Confidentiality; Integrity; and Availability.

Confidentiality. All of us want our personal and other sensitive information — our “confidential” data — to remain confidential. We want it to be seen only by those we choose. Individuals risk embarrassment, identity theft and other fraud, and potentially worse if the confidentiality of their sensitive data is compromised. When such compromise involves national security or diplomatic information, including the now seemingly ubiquitous category of “controlled unclassified information,” the stakes for all of us can be even higher.

Even if truly sensitive information is protected on the mobile devices of government officials, it is easy to imagine governments around the world, not to mention blogs, tabloids and the merely curious, being highly interested in anything the President or the Secretary of State have to say or are told. Encryption, password protection, and careful control over subjects discussed on mobile devices can help protect your personal information, and are vital techniques for mobile devices used by government officials.

Integrity. Important information, whether yours or your government’s, is only as good as its integrity; data needs to be what it purports to be — accurate, complete and unaltered. Just last month in physical space, the Taliban forged the signature of the general running U.S. combat operations in Afghanistan in an attempt to undermine confidence in the Afghan government. What if communications in the mobile device domain from a President, a Secretary of State, or any of the thousands of other government officials using mobile devices are fabricated or altered? All sorts of mischief — including disinformation covertly sent by our adversaries — could be wrought if mobile device communications cannot be depended upon to be accurate, timely, and delivered exactly as intended.

Consistent application of strong authentication methods, robust auditing capabilities, and careful checking of message content helps protect against intentional, or accidental, compromise of the integrity of messages.

Availability. Mobile devices are addictive. Their convenience and efficiency are particularly valuable for busy people under pressure to make important decisions quickly and accurately. The problem with becoming dependent upon mobile devices, of course, is that any compromise in the availability of data on them can be crippling. While no one has yet quantified the extent to which our leaders use mobile devices to communicate with one another, and with important staff, to the extent that they do, our government’s decision-making and operations become more vulnerable.

Whether intentional (denial-of-service attacks) or natural (network overload during natural disasters), the potential for damage to our interests by disruptions in the availability of communications, particularly during a crisis, becomes more acute as our leaders’ dependency on such devices increases. Our senior national leaders have multiple, redundant means of communications, but not every government official using mobile devices is always so well equipped. In any event, to the extent government officials come to rely on mobile devices, appropriate measures must be taken to protect not only the availability of the devices themselves but, at least as important, the networks on which such devices must operate.

Similar security concerns exist for non-mobile communications methods. But these concerns have been known, and addressed, for decades, and hard-wired computers in, for example, the Oval Office, are much easier to protect than thousands of mobile devices, and the networks on which they operate.

Information does not travel to mobile devices over underground or otherwise secure cables; mobile devices are more vulnerable to multiple and evolving attack vectors, including “cloning” such devices, involuntary Bluetooth pairing, and remote microphone activation, and awareness of the threats to such devices remains far weaker than awareness of threats to desktop and laptop computers.

Furthermore, we can assume that vast foreign government and other resources are being specifically directed against the communications of our national leaders. Imagine the capabilities of tech-savvy adversaries, operating from the sovereign spaces of their embassies, in a Washington whose airwaves are filled with the transmissions of hundreds of thousands of mobile devices.

None of this is to say that Presidents, Secretaries of State, or other government officials should not be afforded the convenience and efficiency of mobile devices. It is to say that our government must devote significant resources to countering threats to such devices.

While the basic security requirements may be the same for our leaders as for us as individuals, we all have an interest in making sure the risks and threats to government communications are properly addressed. At this time, we believe that: public cloud — and particularly overseas — data storage and access should be restricted for government officials’ mobile devices; stringent technical and physical security measures must be strictly enforced for such devices; information received on mobile devices should always be carefully checked before action is taken; and a robust campaign to increase risk and threat awareness by officials using such devices should be undertaken, if not already underway.

Bryan Cunningham was a career intelligence officer and federal prosecutor, serving in the Reagan, Clinton, and George W. Bush Administrations, most recently serving as Deputy Legal Adviser to the National Security Council. He is now an information security and data privacy lawyer at Cunningham Partners LLC.

Gen. Michael Hayden is the former director of the National Security Agency (1999-2005) and Central Intelligence Agency (2006 to 2009). He is now a principal at The Chertoff Group, a global security advisory firm, which advises clients on cyber security including cloud computing.

This article was originally published on SafeGov.org.