Cellular Devices in Classified Spaces
By Mike Hernon, Tony Soules and Bob Turner - Published, May 22, 2010
Not a week goes by without an inquiry to the Department of the Navy Chief Information Officer or the Navy or Marine Corps Designated Approving Authority (DAA) regarding the desire to bring a commercial wireless device, usually a BlackBerry, into restricted areas where classified information is discussed, stored or otherwise processed.
These requests are not surprising given the increase in the DON's enterprise mobility capability. As this capability increases, our mobile devices become more closely integrated with our desktop environment — for both voice and data applications — and more critical to our ability to perform our jobs.
Many people, of course, work full or part time in environments where these devices are prohibited and most tend to accept the prohibition as a function of their job requirements. On the other hand, for the many people whose jobs occasionally entail going into classified areas, the prospect of being without the information stored on the device even for a short period of time is viewed as a significant impediment and has led to this rise in inquiries.
Regardless of your job requirements, if you fall into the category of wanting this capability, well, there is a policy for that!
DoD Policy, "No, but …"
The standard reply to an inquiry regarding bringing a commercial cellular device into a classified space is "No, but …" As in all things wireless, we turn for overarching guidance to DoD Directive 8100.02: Use of Commercial Wireless Devices, Services and Technologies in the DoD Global Information Grid. The relevant sections state:
4.2. Cellular/PCS and/or other RF or Infrared (IR) wireless devices shall not be allowed into an area where classified information is discussed or processed without written approval from the DAA in consultation with the Cognizant Security Authority (CSA) Certified TEMPEST Technical Authority
(CTTA).
4.3. Wireless technologies/devices used for storing, processing and/or transmitting information shall not be operated in areas where classified information is electronically stored, processed or transmitted unless approved by the DAA in consultation with the CSA CTTA. The responsible CTTA shall evaluate the equipment using risk management principles and determine the appropriate minimum separation distances and countermeasures.
Therefore, while the presumptive answer is "no," if there is a bona fide mission requirement, there may well be a way to get your BlackBerry into that restricted space — but you have to convince your local security authority and the DAA first. Their risk management evaluation will weigh the benefits of such approval against the security risks inherent in the scenario of cellular devices in an area where there is also classified information.
Risky Business
You may ask, "How risky can it be? After all, I use this device everyday and have never had a problem." The answer is that it can be very risky indeed, to the point that you could potentially be the source of a compromise of classified information and would never even know it. To gain an appreciation of the risk, go to your favorite Internet search engine and search for "cellular vulnerabilities" or a similar phrase. The results may surprise you.
Although we refer to them as mobile "phones," any cellular device is actually a mobile radio, one that receives and transmits just like any other radio. Further, they do a fair amount of transmitting and receiving on their own outside of your oversight or control. Cellular networks operate on two distinct sets of channels — the traffic channel where your calls and data sessions are conducted, and the control channel, which handles network maintenance, operational tasks and text messages. (See: "Putting Text to the Test.")
Some of the tasks that are conducted over the control channel include the phone letting the cellular network know where it is (and, by extension, where you are), call set-up and initiation. The control channel can also put the phone in diagnostic mode, which includes turning on the microphone. This, in a nutshell, is the primary reason that cellular devices are not allowed in classified spaces.
Using the control channel, an adversary or run-of-the-mill hacker could turn on the microphone — without any visible change in the phone's appearance — and freely listen in. Thus, you have just brought a bug into an area where classified information is now being transmitted into the ether. Not a pleasant scenario.
In addition to the inherent cellular vulnerabilities, all electronic equipment is capable of emitting electronic emanations. This is where TEMPEST (Transient Electromagnetic Pulse Emanation Standard) practices come into play. TEMPEST refers to the shielding of these electromagnetic emanations, which is different from the actual interception of these emissions.
Due to the vulnerabilities associated with electronic equipment in general, it is mandated that the CTTA play a role in accepting the use of these devices in classified spaces.
Process and Practice
Given these risks, it is clear why the presumptive answer is no. If, nonetheless, you still believe there is a mission requirement to maintain possession of your cellular device when in an area where it is normally prohibited, you may begin the process outlined in DoDD 8100.02 by consulting with the CSA for the location in question. It is important to note that the risk management and approval processes are tied to specific locations — not to individuals or job functions. While there are general vulnerabilities shared by all wireless devices, the specifics of any given location could either mitigate or aggravate the risks that would be incurred by the introduction of a device.
If approved, the practice is managed locally under the overarching guidelines specified by the DAA. Day-to-day compliance monitoring and enforcement of any mitigation actions would be conducted under the auspices of the CSA for the location. Such mitigation actions could include allowing only government-owned and inventoried mobile devices into the Sensitive Compartmented Information Facility (SCIF).
Disabling all radios while in a SCIF should be strictly monitored and enforced as well (e.g., through the use of cellular detection systems). In addition, requiring mandatory user awareness training should be implemented for all users who work in classified environments.
Future
It is likely that the desire to use BlackBerrys and other commercial cellular devices in classified spaces will only grow. However, the vulnerabilities of devices designed for consumer consumption will not be easily overcome. Even the secure mobile environment, portable electronic device (SME PED), recently deployed, is prevented by DoD policy from being brought into an area where classified information resides — and it has a "SCIF" switch that turns off the radio.
Moving forward, the DON remains engaged with industry and our government partners to develop additional, secure use cases for commercial, cellular-based technologies.
We are also engaged in a review and re-write of DON wireless policy; you may participate by joining the discussion on the Pulse, the DON collaborative site for the information management and information technology community (https://www.doncio.navy.mil/pulse (CAC-enabled)).
Mike Hernon is the former chief information officer for the city of Boston and currently serves as an independent consultant. He supports the DON CIO in a variety of areas within the enterprise services management group including telecommunications and wireless strategy and policy.
Tony Soules supports Headquarters Marine Corps C4 Information Assurance in wireless technologies and solutions.
Bob Turner supports the Naval Network Warfare Command office of the Designated Approval Authority.