Apple, Samsung Devices Seen Raising Pentagon’s Cyber Risk
Chris Strohm and Kathleen Miller
The Pentagon risks exposing itself to hackers by opening its communications networks to Apple Inc. and Samsung Electronics Co. smartphones and tablets, according to cybersecurity officials.
The two companies want to crack a market long dominated by Waterloo, Ontario-based BlackBerry, which provides about 470,000 of the U.S. military’s more than 600,000 mobile devices. While those numbers are a fraction of BlackBerry’s 76 million subscribers worldwide, the company has promoted the Defense Department’s security endorsement to commercial and government customers.
The Pentagon’s plan would eventually give employees the flexibility of connecting devices such as Samsung Galaxy S4 smartphones and Apple iPads to unclassified networks. It also would create more vulnerabilities to cybersecurity breaches, said Pat McGarry, principal systems engineer at Ixia, a network security company based in Calabasas, California.
“It is a debacle, a disaster waiting to happen,” McGarry said in a phone interview. There is no technology that would make Apple and Samsung smartphones and tablets immune to new malicious software known as malware, he said.
The military on May 2 approved use of Suwon, South Korea-based Samsung’s devices running a secure version of Google Inc.’s Android operating system. At the same time, it cleared Pentagon offices to buy BlackBerry PlayBook tablets and new BlackBerry 10 smartphones.
Apple, based in Cupertino, California, may win approval as early as this week to sell its iPhones and iPads to the Pentagon.
Samsung, Apple and the newly approved BlackBerry devices “pose an acceptable risk for unclassified communications” when used with a mobile-device management system, said Mark Orndorff, a program executive officer at the Defense Information Systems Agency. Testing will continue to ensure the products are secure, he said.
The Defense Department won’t allow new smartphones and tablets to connect to its networks until a secure device-management system is in place, Orndorff said in an e-mail. It plans to award a contract to build and operate the system by the end of June, he said.
Samsung’s Android and Apple’s iOS operating systems have vulnerabilities that will remain even with a device-management system, McGarry said. They have different architectures than BlackBerry and offer more attack vectors for hackers, including the use of 3G, 4G, Wi-Fi and Bluetooth networks, he said.
BlackBerry “was architected from day one to allow for end-to-end secure communications,” McGarry said.
Samsung “is aggressively pursuing the necessary features and security enhancements to meet the stringent requirements of doing business with the U.S. military,” Ashley Wimberly, a company spokeswoman, said in an e-mail.
The electronics company worked with the U.S. National Security Agency to create Knox, a secure version of Google’s Android operating system with multiple layers of software and hardware protection.
The system lets employers keep corporate and military applications and data in a secure place on a smartphone or tablet, and remotely erase them if necessary, according to Samsung.
BlackBerry has more than 1 million U.S. government customers and the market has remained “remarkably stable,” Scott Totzke, senior vice president for BlackBerry security, said in an interview.
The company has long emphasized the security of its products.
“Privacy is built into everything we do, and we’ve been doing it longer and better than anyone in the industry,” Chief Operating Officer Kristian Tear said in a speech yesterday at a conference in Orlando, Florida. “Security has been baked into BlackBerry from the ground up.”
Apple declined to comment, deferring questions to the defense agency, said Trudy Miller, a company spokeswoman.
Giri Sreenivas, a vice president at Rapid7 LLC, a Boston-based cybersecurity company, said the process of updating Apple and Samsung mobile systems with security fixes may pose issues for the military.
Samsung and Apple push out security patches and depend on users to install the fixes, Sreenivas said in a phone interview. BlackBerry controls its own network to deliver security patches to devices, which are automatically installed, he said.
That difference is significant because it may be more difficult for the military to ensure that all its Samsung Knox and Apple devices are protected with the latest security fixes, Sreenivas said. Samsung and Apple users in the military who haven’t properly updated their devices would probably be blocked from accessing networks, he said.
There isn’t a good way to tell if the two companies’ devices have been compromised with malicious code, especially through downloaded applications, said Richard Bejtlich, chief security officer for Mandiant Corp., a computer security firm based in Alexandria, Virginia.
“There are certain countries you go to, you bring your phone up on the national network and they will push rogue code onto your system,” Bejtlich said in an interview. “The second problem you run into is how easy is it for a rogue party to introduce a malicious app onto your system.”
The Pentagon sought bids in November from vendors capable of securing as many as 300,000 mobile devices in the next several years.
The winner will enforce security policies on all mobile devices, ensuring only authorized users can tap into military networks. When smartphones or tablet computers are lost or compromised, the vendor must be capable of remotely wiping devices of data, according to the agency.
Companies such as Sunnyvale, California-based Good Technology and Fort Lauderdale, Florida-based Citrix Systems Inc. are on teams that have submitted bids.
Good Technology already has performed similar work with other agencies such as the Department of Homeland Security, said Jeff Ait, public-sector director for the company.
While the Pentagon’s security endorsements are considered key milestones, they won’t lead to immediate boosts for Apple and Samsung devices.
“I expect it’s going to take at least another year or two before there is a true broad embrace of these kinds of platforms for the type of usage you’ve seen historically with BlackBerry devices,” said Sreenivas, the Rapid7 vice president.
The Defense Department’s security clearance is valuable because it may encourage other industries, such as health care and financial services, to switch to Apple or Samsung devices, said Carolina Milanesi, research vice president at Stamford, Connecticut-based Gartner Inc.
“Other organizations that might have been reluctant to open up their doors to these providers might change their views going forward,” she said in an e-mail.