Security Concerns Grow as Technology Tools Shrink

June 2001
By Maryann Lawlor
E-mail About the Author

Personal digital assistants open windows of opportunity, but not without risk.

Although good things may come in small packages, a handheld device that carries the power of a personal computer raises large information security issues. As more military service members employ cellular telephones, pagers and personal digital assistants to keep track of schedules or to perform duties, their leaders must address the new threats these pocket-sized devices pose in the workplace.

The tiny tools also could provide awesome capabilities in the battlespace. However, while the technology is available, the means to secure the information remains a major stumbling block to its deployment. Various approaches are being considered. Once in place, a warfighter’s personal digital assistant (PDA) may become as indispensable as a weapon.

Perhaps the biggest challenge PDAs have created in the military is posed by the speed at which this equipment has found its way into commands. In some cases, it has not been personal purchases that have caused the influx. The advantages handheld computers offer have not been lost on U.S. Defense Department decision makers, and many service members receive PDAs as part of their standard issue equipment.

But as the number of people using PDAs increases, military leaders are scrambling to promulgate security policies that address the risks they pose. Most agree that these minicomputers can improve military business processes in a way that rivals the dawn of personal computers. On the flip side, they could disrupt communications with the same magnitude and in general are not allowed in areas where classified information is shared or stored.

The U.S. Air Force has launched a yearlong information assurance awareness campaign that specifically includes security issues as they relate to PDAs. One goal is to ensure that users recognize the damage these devices can cause if they are not handled appropriately.

According to Lt. Col. Anthony Paulson, USAF, chief, technology assessment division, Scott Air Force Base, Illinois, the equipment may come out of the box as a scheduler, memo pad and telephone book, but in reality it is more powerful than just an electronic notepad. “These devices also have microprocessors and memory, so they are like the standard computer. My Palm Pilot has more memory than my first two PCs. So, people look at it like an electronic Daytimer, but this is the thinnest of the thin clients that we could have in an architecture,” Col. Paulson relates.

Because the equipment is so small, it presents an additional problem, the colonel relates. Hackers now have a new weapon in their arsenal that is easy to carry and conceal yet potent enough to wreak havoc.

The colonel explains that users can purchase full programs and local area network wireless cards for the devices. “But just as we found out with standard computers, every new capability has new vulnerabilities associated with it. These vulnerabilities can emerge either by accident or by users not thinking about the issues,” he says.

Gene Zuratynsky, chief, information protection architectures branch, Scott Air Force Base, explains that some of the risks are a result of the design of the PDA operating systems. For instance, the systems have a limited password scope. Vendors are currently working on this problem, he says.

However, vulnerabilities also emerge from connecting the devices to other infrastructure. PDAs can be susceptible to viruses and Trojan horses. In some cases, these wipe out all of the information on the device. At other times, the PDA acts as a recessive gene. The virus does not affect the handheld equipment; however, when it is connected to a personal computer, it injects the virus into the computer and subsequently into a network.

One way to address these security issues is with the traditional method used in personal computers. Virus detection software must be loaded on both the PDA and the network, Zuratynsky explains.

Many handheld communications devices have wireless capabilities that create additional risks. Because commercial wireless communication does not include encryption, messages can be intercepted. This may be acceptable in the civilian world but is unacceptable in a military environment, Zuratynsky states.

In addition, commercial Internet service providers offer an e-mail capability that forwards messages in real time. A virus scanner searches only for a virus moving to the PDA but not for viruses that could be passed through the PDA to a personal computer once the two are connected. Current Air Force policy prohibits wireless devices with commercial wireless connections from interfacing with Air Force systems.

The U.S. Navy recognizes the enormous opportunity PDAs offer, but also acknowledges that they can be equally hazardous. The service is aggressively pursuing the implementation of handheld devices into its units (SIGNAL, February 2000, page 29) and even distributes a PDA to every U.S. Naval Academy graduate. Currently, the Navy is experimenting with using the handheld equipment onboard ships for activities such as the distribution of the plan of the day, maintenance activities and other management processes.

According to Capt. David Aland, USN, special assistant for the chief information officer, Space, Information Warfare, Command and Control Directorate, U.S. Navy headquarters staff, portable electronic devices (PEDs) support the Navy’s effort to go paperless, a move the service has been discussing for years. Although computers in general assist in this endeavor, PEDs fulfill a criterion that has been overlooked in the past. “PEDs are electronic devices that you can hold in your hand just like you do a clipboard. They’re idiosyncratic. The challenge is the devices themselves. They are built to the expectation of ubiquitous access—hook into an information source any time, any place, under any conditions. The problem is that it is a security challenge. ‘Any time, any place, any conditions’ information access just doesn’t work when you have to protect your information systems from intruders,” Capt. Aland explains.

Capt. James S. Newman, USN, division director for information warfare, Space, Information Warfare, Command and Control Directorate, U.S. Navy headquarters staff, agrees that PEDs, like other communications technologies, present problems with information protection. “Addressing security issues begins with an acknowledgment that we all share º that open network structures are on a sandy foundation. So the applications we use are unknown to us and contain more vulnerabilities that we don’t even know about,” Capt. Newman says.

The Navy continues to do what it can to mitigate the impact of security breaches through the use of access and configuration controls, virus detectors and the distribution of information on safe computer practices to users.

The Defense Department’s rollout of private key infrastructure (PKI) will support security efforts on PEDs, Capt. Newman offers. This endeavor is especially difficult in an organization as large as the Defense Department; however, the captain believes that if it is done well, handheld devices will be more secure. “Defending our networks is something we all have to do. You don’t buy computer network defense, you do computer network defense,” he says. Information security involves three elements: people, policy and technology, he adds.

The Navy also faces a distinctive challenge. While commercial firms prohibit their personnel from using company computers to conduct personal business, the Navy encourages sailors to use it to write to family members or perform personal business transactions, Capt. Aland offers. “Our culture is unique in that our office building goes away for six months. If the people on the ship are to be encouraged to use the technology to keep in touch with family through e-mail, to see pictures of their new nephew or maybe a new son, or to do banking, then you have to take this into consideration, and you have to protect the systems. There are several forces in tension. Those little devices that we are finding we can’t live without are good, but unless we solve the security challenge, they’re not as useful as they could be,” the captain says.

Lt. Cmdr. Scott Dipert, USN, assistant for information assurance, Information Warfare Directorate, agrees that the balance between information security and PDAs’ usefulness is precarious. “Even in the policy, we want to be very clear that although we need to be cautious, we want to be able to do as much as we can with these devices. There’s not too much difference between a handheld device and a computer. So the way we look at these devices and policy is that they are not that different than the other policies and problems we’ve had for computers as they were introduced into the work force,” Cmdr. Dipert says.

Capt. Aland admits that the security issues cannot ever be totally resolved, but efforts can be made to bind them. “The challenge is making sure that we distribute these devices and use them in a secure fashion. Once you’ve bound the current security challenge, the next challenge is that, as the technology moves faster, you have to address new challenges,” he says.

One of the latest endeavors for the military is bringing the power of PDAs directly to the battlespace. The Enhanced Linked Virtual Information System (ELVIS), developed by Logicon, a Northrop Grumman company, Herndon, Virginia, can provide commanders with a common operational picture. The PalmELVIS offers a comparable capability in the palm of the warfighter’s hand.

According the Dr. Lee Whitt, vice president of information technology for Logicon’s Inter-National Research Institute (INRI), Reston, Virginia, the system has been outfitted for both Palm Pilots and Pocket PCs. The company received funding to design the system from both the U.S. Marine Corps and the Defense Information Systems Agency. Although the technology has been part of demonstrations and exercises, it cannot be introduced into the field until the information security concerns are resolved, Whitt explains. “This fact alone speaks volumes about the security issues that have to be addressed,” he says.

These issues include encrypting data over wireless connections and protecting the data that reside in a PDA.

“The Defense Department requires a hardware piece to do the encryption on wireless communications. The problem with this in the field is that you have a small PDA that weighs only ounces, but then you have to carry a 15-pound large device on your back to do the encryption,” Whitt relates.

Once the classified information is in the PDA, the next problem is protecting it. Typically, this is accomplished through log-in and passwords. However, Whitt suggests that this may not be enough. “We’re still grappling with this. The question is should you have a biometric or some other access control and identification authentication system?” he explains.

To resolve these issues, the company is examining approaches being taken by the commercial community. Whitt points out that his group is not competing with the commercial sector, noting that these companies have a vested interest in solving the problem and have developed some techniques, such as PKI, that may work on PDAs. INRI plans to leverage these products for PalmELVIS as they become available.

Despite the availability of commercial solutions, the unique problems posed by a military environment forces the developers to keep options open. While the commercial sector may accept 128-bit encryption, for example, the Defense Department may require a higher level of security.

Another option would be to pair PDAs with a secure telephone unit-III (STU-III). Warfighters could connect the PDA to the serial port on the STU-III for encryption. Because the STU-III is already in the field, it would not be necessary to transport additional security equipment.

Whitt explains that there are three approaches to securing the information once it is in the handheld device. First, ensure that only the authorized person can access the data. Second, devise a way to destroy the data. Last, destroy the device itself. Each solution presents its own difficulties.

Commercial companies are developing valuable biometric technologies that could address concerns regarding identification authentication. However, PDAs would have to be outfitted for this type of security technique.

Software could be used to wipe the device’s memory clean. However, in case of injury, a warfighter may not have enough time to run the program and if captured could be compelled by the enemy to share the information.

Finally, while destroying the device appears to be a logical solution, it is not a simple one. The equipment must be ruggedized to be inserted into the battlefield environment. Demolishing it may not be an easy task.

While the individual services continue to address the everyday information security challenges that PDAs pose, the Defense Department also is pursuing a departmentwide policy that can be implemented. According to department officials, military leaders are examining the issues and are working on an overarching policy that will address acceptable practices for the safe use of PDAs.