Volume 16, Issue 1
February 2012

KMI Media Group
Pocketful of Security

NSA’S NEW PERSONAL DIGITAL ASSISTANT PROVIDES SECURE, MOBILE VOICE AND DATA ACCESS TO SECRET NETWORKS.


The National Security Agency is introducing a secure wireless smartphone that is the first device of its kind to operate on SIPRNet. The converged voice and data product, called the Secure Mobile Environment Portable Electronic Device (SME PED), combines the highest level of security with the latest technology available in the commercial wireless world.

The SME PED is similar to personal digital assistants (PDAs), such as Research in Motion’s BlackBerry or Palm’s Treo, with specialized hardware and software added where required. “Market advances in electronics miniaturization of both cell phone and PDA technology have allowed SME PED developers to create a specialized product that has similar form, fit and functionality as comparable commercial products,” said Richard Scalco, NSA chief of edge systems solutions engineering.

“This is a converged, secure voice and data product that is the first to provide a secure voice as well as mobile secure e-mail capability via SIPRNet,” he said.

As a result of a competitive source selection, NSA awarded two $18 million contracts, to General Dynamics C4 Systems and L-3 Communication Systems-East. “Both vendors utilize an NSA-mandated development strategy that provides documentation through the development process to support Information Assurance Directorate certification for the processing of classified information,” Scalco said.

KILLER APP

General Dynamics and L-3 developed the product to obtain commercial carrier certification so the SME PED can be used on commercial CDMA and GSM infrastructures. The SME PED and its supporting architecture must also be approved by the DISN Security Accreditation Working Group (DSAWG) for connection to the SIPRNet.
 
“Before the SME PED program there were no wireless means to access the SIPRNet and other classified networks. Sectera Edge SME PED also provides access to the NIPRNet as well as the unclassified commercial Internet,” explained Tom Liggett, General Dynamics C4 Systems Edge product manager in the Information Assurance Division.

General Dynamics’ Sectera Edge is the company’s implementation of the SME PED. The Defense Information Systems Agency (DISA) is working with NSA to manage the interface of the SME PED with the SIPRNet and NIPRNet.

“The wireless e-mail is the killer app for this, in my opinion,” said Keir Tomasso, L-3 manager of information assurance products. “Without DISA, there’s no e-mail on the device on the SIPRNet or the NIPRNet. DISA will install infrastructure on the SIPRNet and NIPRNet to support the SME PED,” he said.

The NSA’s SME PED program also represents the ongoing push toward IP-based secure communications: the device incorporates the High Assurance Internet Protocol Encryptor (HAIPE) specification for protecting data traffic and the Secure Communications Interoperability Protocol (SCIP) for secure voice.

“SME PED is the first NSA-funded development that offers both HAIPE and SCIP in a converged device,” said Tomasso. The NSA directed L-3 and General Dynamics to implement HAIPE and SCIP in such a way as to provide compatibility with the installed base.

“SME PED is backward and forward compatible with the existing family of currently fielded SCIP and HAIPE products,” said Scalco. “SME PED also provides a means to securely communicate between first responders, Department of Homeland Security personnel and senior state and federal government officials.”

Both SME PED vendors use custom-developed hardware platforms with commercial components as the bedrock for a secure platform from which to add commercial operating systems and applications. “Security-desirable architectural aspects are designed into the product from the beginning rather than added to the product after it has been designed,” Scalco said.

L-3 assessed the security vulnerabilities in commercial products that would bar them from classified use, and its development team then addressed those weaknesses in the design. “The design of the product contains assurance standards that are met in order to be failsafe,” said Glenn Adair, vice president of information assurance for L-3 Communications-East.

The SME PED handles not only Top Secret and Unclassified traffic but also the classification levels in between. For example, L-3’s version of the SME PED will also support S/MIME, the commercial standard for signed and encrypted e-mail implemented in clients such as Microsoft Outlook, a COTS capability approved for Sensitive but Unclassified (SBU) applications. It will also support the DoD’s Public Key Infrastructure (PKI) Common Access Card (CAC) initiative to protect SBU communications.

“We will adopt the S/MIME e-mail to meet the DoD PKI initiative and also use the NSA-approved security implementation to give access to classified e-mail at the secret level over the DoD SIPRNet as well as non-DoD secret networks in the FBI, for example,” said Tomasso.

DATA AT REST

Aside from being the first of its kind to access the SIPRNet, the SME PED is also groundbreaking in how it secures data on a portable device. “This is the first portable end-user device of this kind that encrypts and stores the user’s classified data on the device,” said Liggett.

The SME PED uses secure data-at-rest technology. “If the device is lost, stolen, misplaced or unattended, it will automatically encrypt all classified data. The technology is similar to the time-out feature on a Windows desktop. It is easily configured by the user to set the device to lock itself within any period of time,” said Liggett.

With one keystroke, the user can switch between classified and unclassified data and voice, Liggett added.

Both L-3 and General Dynamics use the Windows CE operating system on the device to render it user friendly and provide COTS applications that are familiar to users, such as Word, Excel, Windows Media Player, PDF files and PowerPoint.

In addition, the device will have wireless push e-mail. As on a BlackBerry or Treo, e-mail will be synchronized automatically with a Windows desktop. By leveraging commercial technology in this way, the vendors expect later to address a broader market, since the security on the device will be relatively transparent to the user.

“We are also leveraging the technology that allows us to provide interchangeable wireless modules on the device. Users can swap out wireless modules in order to use the device on a GSM or CDMA cellular network or even a wireless LAN,” said Liggett.

Because of the modular way in which General Dynamics designed the architecture, SME PED users will be able to upgrade the device as the wireless industry evolves from 3G to 4G cellular networks, Liggett pointed out.

The ability to upgrade the SME PED is one way the product has been designed with flexibility for ease of user and management support in the enterprise. “The SME PED products utilize pre-programmed product improvement. Signed software updates provide new and additional functionality to the baseline platform for maximum flexibility. As 3G and 4G standards evolve, additional hardware RF modules can be integrated to take advantage of the additional capabilities offered,” said Scalco.
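The signed-update mechanism Scalco describes is the piece a security engineer would want to see spelled out: the device must refuse any image whose signature does not verify against a vendor key provisioned on the device, and it should also refuse a genuinely signed but older image, so that a validly signed release cannot be used to roll a device back to a version with known flaws. The following Go program is an added illustration written for this article and is not the SME PED's own update code or format; the Ed25519 key pair, the header layout, the version numbers and the payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a signed software package. The version header is covered by the
// signature together with the payload, so neither can be altered or swapped
// without invalidating it. (Illustrative format for this example only; the
// SME PED's real update format is not described in the article.)
type Update struct {
	Version   uint32 // monotonically increasing release number
	Payload   []byte // the software image itself
	Signature []byte // Ed25519 signature over digest(Version, Payload)
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrDowngrade    = errors.New("update rejected: version is not newer than installed")
)

// digest binds the version number to the image so that a valid signature for
// one release cannot be reused with a different version header.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is what a vendor's release process does with its private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(version, payload)),
	}
}

// VerifyUpdate is what the device does before applying anything: check the
// signature against the vendor public key provisioned on the device, and only
// then enforce anti-rollback. The signature check comes first so that no
// decision is made on unauthenticated header data.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrDowngrade
	}
	return nil
}

func main() {
	// Constructed vendor key pair and images for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = uint32(1)

	good := SignUpdate(priv, 2, []byte("release 2 image (constructed)"))
	fmt.Println("genuine update:      ", VerifyUpdate(pub, installed, good))

	tampered := good // same signature, modified payload
	tampered.Payload = []byte("release 2 image (constructed) + implant")
	fmt.Println("tampered payload:    ", VerifyUpdate(pub, installed, tampered))

	rollback := SignUpdate(priv, 1, []byte("release 1 image (constructed)"))
	fmt.Println("signed but older:    ", VerifyUpdate(pub, installed, rollback))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, 3, []byte("release 3 image (constructed)"))
	fmt.Println("signed by other key: ", VerifyUpdate(pub, installed, forged))
}
```

Only the first case returns nil; the other three are refused before any byte of the payload is acted on. The version-in-digest design is the detail worth copying: if the version were carried outside the signed data, an attacker holding any genuinely signed old image could relabel it as "newer" and defeat the rollback check.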

EASE OF USE

From the start of the SME PED program, senior NSA management stressed ease of use. “The program office came up with the internal slogan, ‘Ease of use, ease of procurement and ease of deployment,’ for the product launch of the SME PED to be successful,” said Scalco.

The NSA program office made “ease of use” a top priority so that users could be productive with the device immediately rather than stalled by a learning curve. “Ease of procurement” was addressed through indefinite delivery/indefinite quantity contracts with the two vendors that allow direct sales. “These contract vehicles allow maximum flexibility for the user community to procure and Military Interdepartmental Procurement Request funding to purchase the product and its ancillaries,” said Scalco.

To provide “ease of deployment,” most notably “push” secure e-mail via the SIPRNet, the SME PED program office has been working with the vendors and DISA to ensure a robust system architecture with a multi-carrier entry point for both GSM and CDMA commercial wireless carrier connectivity. “These communications can then be routed to the appropriate user communities’ secure enclaves in order for them to send and receive e-mail on the SIPRNet as well as to Web browse,” said Scalco.

To achieve wireless push e-mail, it is necessary to provide an additional server that works with an existing enterprise e-mail server. “We provide that server as part of our complete product solution, along with installation support, free 24/7 customer phone support and free software upgrades. The installation is similar to that of a Blackberry with a few additional steps and configurations that we tried to make as simple as possible,” said Liggett.

Both vendors configured their versions of the SME PED to make it easy for users of a non-secure commercial mobile device to migrate to the secure device, by migrating critical information such as e-mail contacts, e-mail history, calendar and phone numbers, without interruption of service. “It’s all synchronized to their desktop, so whenever the information changes on their desktop, it also changes in their wireless device,” said Liggett.

While the SME PED is designed with a commercial look and feel, it is also ruggedized to Military Standard 810F (MIL-STD-810F). “It requires the device to withstand a four-foot drop, rain, dust, vibration and extreme temperature. The Sectera Secure product can be used in the field in tactical applications and also for first responders. We’re working with a General Dynamics company named Itronix, which provides ruggedized laptops. They have the ability to swap out their family of ruggedized computing devices to support user interchangeable wireless modules,” said Liggett.

Both vendors are hoping to use their versions of the SME PED for other markets. “When we designed the product, we tried to design it to fit into multiple markets without having to change it significantly. We wanted it to be as compact and light as possible while also being ruggedized,” said Crystal Cooley, marketing manager, General Dynamics Secure Voice and Data Products in the information assurance division.

Once NSA has certified the SME PED as a Type 1 product, policy and doctrine will be updated to permit the SME PED in areas where all wireless devices are currently prohibited. “The overarching wireless policy, which is DoD 8100.2, prohibiting wireless devices in the Pentagon or the NSA, will require modification. The NSA is working with the Office of the Secretary of Defense to redraft the policy and doctrine to incorporate SME PED,” said Tomasso.

The individual services will draft their own policies for where and how they will allow the SME PED to be used. There are some aspects in the commercial capabilities of the SME PED that might be available only under restricted conditions.

“We enabled a hands-free speaker phone for classified use, but it gives a lot of people heartburn, so we made it possible for an administrator to turn off that function,” Tomasso said. “That’s why we created a flexible architecture that is fully customizable—to meet varying policy and doctrine requirements.” ♦
