DOD focused on wireless security

As part of a governmentwide effort to overcome the security gaps in commercial wireless devices, Defense Department officials plan to issue stricter rules for how defense personnel use them, the department's top technology manager said last week.

"We're going to put some constraints on what kind of devices can be used, where they can be used," said John Stenbit, DOD's chief information officer. He expects the department to release the new rules by the end of the month.

DOD and other federal officials worry that sophisticated wireless devices could potentially be used to overhear or even record sensitive conversations.

DOD has successfully secured the department's traditional, broadcast wireless communications, such as cell phone conversations, but officials are less confident that the messages sent via networked wireless devices are secure, Stenbit said.

Agencies, including DOD, are moving quickly to incorporate wireless communications and networking into their information technology architectures, so security policies are needed soon to address issues ranging from the devices used by the back-office business personnel to frontline warfighters, said Robert Gorrie, deputy director of the Defensewide Information Assurance Program.

"It's proliferating among every soldier, sailor, airman in the Department of Defense," he said.

Stenbit and Gorrie did not provide any more details about the upcoming directive.

In general, wireless networks and devices are not as secure as the government requires, and according to federal and industry experts, the devices won't be secure anytime soon. "The only good news is [that] not that many people in the U.S. are connected to the Internet yet" using wireless devices, said Art Martin, president of the McAfee Security division at Network Associates Inc.

As wireless devices become more sophisticated and easier to connect to the Internet, the Trojan horses, worms and viruses that have affected other countries will start to affect the United States, Martin said.

As part of a governmentwide effort to secure the devices, the National Institute of Standards and Technology (NIST) released a draft July 24 outlining basic steps to close some of the security gaps in existing wireless standards and products.

Standards such as IEEE 802.11 do not provide enough security, and the stories of people accidentally or deliberately picking up signals transmitted by wireless devices are all too common, said Richard Clarke, President Bush's cyberspace security adviser and chairman of the Critical Infrastructure Protection Board.

Once someone can receive signals, transmitting new ones back is only a step behind, which opens the door for injecting false or harmful commands and messages, said Joseph Wilkes, director of advanced wireless network architecture at Telcordia Technologies Inc.

The NIST guide outlines the potential vulnerabilities and risks for many of the most prevalent wireless network technologies, including 802.11 and the Bluetooth standard for connecting mobile phones, personal digital assistants and other handhelds.

The guide also provides recommendations for security configurations, information on emerging wireless security standards and a case study outlining the secure deployment of wireless local-area networks.

Stenbit hopes that industry leaders will help define a security certification and accreditation process for wireless devices, similar to the Common Criteria evaluation process already in place to certify software with security features.