Wisen up to handheld security

When Joe Hagin arrived at the White House in 2001 as deputy chief of staff for operations, nobody at 1600 Pennsylvania Avenue had an official BlackBerry.

At the time, the handheld messaging devices were widely used on Capitol Hill, but security agencies were opposed to White House officials using them. Then came the Sept. 11 terrorist attacks, and suddenly the value of the devices snapped into sharp focus: White House officials, using standard cell phones, had substantial communications problems that day. Those working on Capitol Hill were in far better shape with their BlackBerries.

“We had to make a cost/benefit decision of the security risks of using BlackBerries but at the same time being able to communicate in an emergency,” Hagin said. “We obviously decided it was worth it.”

But just as the use of handheld devices in government has vastly expanded during the past eight years, so have the security risks, many experts say.

Malware, spyware and viruses, long the scourge of PCs and office servers, now also target handhelds. And they are on the rise, according to experts. Federal agencies need to know the risks and take steps to protect sensitive data and communications.

In Hagin’s seven and a half years with the Bush administration, security measures for BlackBerries were often primitive. On foreign trips, White House staff members’ BlackBerries were disabled and collected on board Air Force One for the duration of overseas visits, he said.

“I look at this as being kind of equivalent to where PCs were in the mid-to-late '90s,” Hagin said. “Today you wouldn’t dream of having a PC or laptop without security software on it. Now we are carrying around computers on our belts that are relatively naked.”

Security officials now have more options. For example, officials at the state-run Technical College System of Georgia use a service to keep tabs on the dozens of BlackBerries that employees use, said Steven Ferguson, a senior network engineer at the college system.

A state mandate requires that gambling and pornography be blocked on any state-owned device that can access the Internet. Meeting the mandate for mobile devices is more difficult than for a traditional office computer, Ferguson said, because handhelds usually are connected to a public network, not a hardened, controlled private network.

So the college system uses a software-as-a-service tool from Purewire that acts like a proxy gateway, allowing officials to enforce policies and filter all the traffic going in and out of handheld devices.

Agencies should apply the same rules for standard computers to handheld devices, said Randy Siegel, a Microsoft enterprise mobile strategist who works on federal government projects.

For example, Customs and Border Protection and the Transportation Security Administration require handheld devices and software to adhere to cryptographic standards such as Federal Information Processing Standard 140-2. Handhelds can also be subject to mandates such as Homeland Security Presidential Directive 12, which, among other things, calls for two-factor identification — such as using a smart card and password — to log on to government computer systems.

The Air Force Communications Agency, meanwhile, requires that mobile users access the devices with Common Access Cards. The solution involves installing a Bluetooth wireless card reader on all mobile devices. The connection established between users' handheld devices and smart cards allows them to digitally sign or encrypt e-mail messages and log on to secure Web sites.

The threat associated with handheld devices is growing largely because agencies are starting to use more applications on them, such as Google Maps and mobile office applications that provide access to Word and spreadsheet documents.

“We are seeing people use these the exact way they use PCs and laptops,” said Dan Hoffman, chief technology officer at SMobile Systems. Which is why they also need to be secured the same way.