U.S. Marines are testing novel solutions to provide the necessary security and legal safeguards that will allow commercial, personally owned devices on their networks. If successful, the service could recognize a substantial monetary savings in mobile phone expenses and open the door to future cost decreases in other areas.
The government’s overall mobile strategy should reduce total ownership costs in the mobile space. The Marine Corps alone could save $3 million a year by changing the way it executes mobility in garrison. Those command operations and maintenance dollars then could be funneled to other needs such as training, fuel, ammunition or batteries.
The Marines do not like to use the term “bring your own device” when discussing this type of effort because of the negative security connotations. Instead, they prefer personally owned, corporate enabled (POCE). After releasing the Commercial Mobile Device Strategy in April 2013, Marine Corps officials have put into place various efforts to advance their mobile communications plan. “It’s becoming more mature,” says Rob Anderson, chief of the vision and strategy division, Headquarters Marine Corps/Command, Control, Communications and Computers. The process, however, has not been easy. “One thing my boss told me is I couldn’t spend any money on this,” Anderson continues. “It’s very, very difficult to get free things.”
To overcome the challenges, Marines worked through the service’s contracting and legal departments to create a bailment agreement, which was in its final stage before going back to industry and is expected to be signed by the time of publication. Verizon, Sprint and AT&T each agreed to provide seven phones with data plans—both iOS and Android platforms—loaded with their security solutions. Though the Corps is not paying for the products, Anderson says, the companies all were eager to participate. Once the devices are in hand, the military will conduct tests, such as evaluating how well the devices resist penetration, to determine the best path forward. Anderson predicts beta testing will take place in April and May 2014.
Industry can help Marines on this POCE effort by addressing the service’s biggest concern: the security of the encrypted data containers on the devices. Developers must ensure that if a platform is compromised in any way, the data container remains intact. The worry is that an intruder could use these devices to access Marine Corps networks.
Partners of Verizon and AT&T are providing sandbox solutions, dubbed Divide and Toggle, respectively. Personnel load a sandbox onto their devices through a portal, and the solution provides an encrypted container built on FIPS 140-2-validated cryptography. The sandboxes do not create a situation in which the government takes over the device entirely. The technologies aim to keep the government information and functions of the phone completely separate from the personal side, to the point that if a device is compromised, administrators can wipe only the government portion.
Divide and Toggle connect through the Marines’ enterprise virtual private network (VPN). “The beautiful point about this is we already have a VPN solution in our networks,” Anderson explains. As a result, no additional infrastructure cost is incurred. The sandboxes also will work on tablets, because the device is only the transport mechanism; it is the sandbox that actually connects users to the network.
Sprint offers a different type of technology, teaming with ViaSat on a trusted handheld multiple-personality device. Anderson says this offers the most secure option, but the technology is not yet mature. This last effort comes out of the Marines’ Trusted Handheld program. Anderson is working to prove to the Corps’ lawyers that POCE solutions can protect the device owners’ Fourth and Fifth Amendment rights and that they will have completely separate organizational and personal instances. He believes both the sandbox and the trusted handheld approaches will meet data-at-rest and data-in-transit policies.
Anderson prefers the trusted handheld solution, and he shared that opinion with the companies, but sandboxes can serve as a bridge while the other technology matures. He does not expect any multiple-personality devices with a virtualization layer on top of the client hardware to arrive on the market for another 12 to 14 months, but when they do, the existing contract vehicles and pre-testing will make it easier for the Marine Corps to procure what it needs. While the sandbox options will apply only to in-garrison, unclassified networks, the trusted handheld ones are expected to be secure enough for tactical application.
If these solutions prove effective, the Marines can advance the program by procuring what they need through existing U.S. Navy and General Services Administration contract vehicles. The Corps would use those agreements to pay for managing the devices, while individuals would pay for their personal plans. Anderson estimates it will cost about $60 to $72 a year to manage the devices with the sandbox solutions but is unsure of the cost for the trusted handheld option. These prices are significantly lower than previous contracts and, if 50 percent of the people currently using government equipment want to trade in their BlackBerrys to use their own devices, the Marines could afford to add 85,000 devices to their network at no additional cost.
“That’s why POCE is a big deal,” Anderson states. “You would actually create a mobile work force. You would actually be in line with the federal digital government strategy. You would be moving forward in creating this environment where they gain access to their organizational data when they need to.”
For the plan to work, the approach must be 100 percent voluntary; forcing people to participate will result in litigation, he adds. The Marines are conducting a survey to determine members’ interest in participating and how much they are willing to pay.
Litigation is a major concern for Anderson while pursuing this project. He expects that one day, an employee of a major company will bring a lawsuit pertaining to bring-your-own-device policies. At some point, he predicts, civil rights will become enough of a concern to industry partners that the market will demand a multiple-personality platform. When that happens, such technology will come into its own.
Many people ask Anderson about the legal aspect of this effort, including what to do if a personal device must be confiscated. He responds that if a court order demands the device, people must turn it in, just as they do with today’s court orders. “Those scenarios exist today because of the Telework Act, but no one’s ever thought about it in this way,” Anderson explains. However, a commercial mobile device is no different than a laptop in that regard and could accommodate additional security measures.
The current U.S. Defense Department policy about the use of personal devices on the job is outdated, he believes. For example, when employees use their own laptops to telework, they already are in a type of bring-their-own-device situation. The POCE scenarios should prove to be even more secure because, while the government cannot wipe someone’s laptop remotely, it could do so for its side of mobile devices.
Government and industry are working closely at many levels of the POCE effort, and most of the major players involved in this type of technology know each other. Juniper Networks is helping the Marines integrate technologies in the beta test onto the VPN because the Corps already runs Juniper VPN software. The Marines pay nothing extra for this—they already own the software—and Juniper is helping as an added service to the delivered product. Furthermore, technologies beyond those in the beta testing are being developed, and officials are watching that activity for future procurement possibilities, including work done by other companies that participated in the Trusted Handheld program. In a separate endeavor from the current beta testing, the Corps will evaluate Microsoft and BlackBerry options this year.
After the beta testing, the Marine Corps plans to roll out a pilot program in the Northern Virginia area with 500 volunteer users. The result of all this testing will be a better informed military customer. “We are going to prove if we can do this,” Anderson explains. “If we can’t do this, we have at least proved that we can’t do this.” If evaluators find POCE is not the solution for the Corps—at least for now—they can recommend others refrain from using it as well. “But I believe the technical solution is sound,” he says.
One technical hurdle still to overcome involves identity verification. Today, personnel need Common Access Cards to gain admittance to the network, so they have to attach some sort of card reader to their platforms. “People don’t like that,” Anderson says.
In a cost-effective enterprise-level scenario, a solution that distributes derived credentials into the FIPS-validated software container is the only way to ensure security, authentication and nonrepudiation of the individual on the commercial mobile device. The container needs to be based upon the current identity validation infrastructure. The Marines have teamed with the Space and Naval Warfare Systems Command (SPAWAR) Atlantic and the Defense Information Systems Agency to engineer a solution.
They also have spoken to multiple government and other partners that are interested in their derived certificate approach. “We have an industry partner that we believe has the technology and platform required to do this. Several pieces still must be figured out before this is a reality,” Anderson says. “That is the next challenge. We need to find funding for our SPAWAR team to continue work on this effort. After July 2014, they turn into pumpkins.”
The ramifications of this Marine Corps POCE project could stretch beyond mobile devices. One day, the government might not furnish much of the equipment even in the office environment. A USB stick with a VPN connection could allow individuals to bring any personal devices into the network and boot up to that stick. The result could be a replacement of government-issued laptops and desktops with personal ones.
Part of Anderson’s job is to think ahead, and he says his most recent big-idea, unorthodox approach would be to consider creating information technology allowances of $300 per year to employees who use their own machines. Under the plan, personnel would receive funding toward new purchases when their current devices complete their life cycles, and the Marine Corps could save millions of dollars annually because it would not have to purchase equipment.