Personal Devices Pose Challenge for Defense Department Security
The proliferation of smartphones has caused a dramatic shift in how hackers target the Defense Department and its industrial base, cybersecurity company officials said.
Instead of going after an organization’s infrastructure, such as servers and firewalls, hackers are infiltrating employees’ personal smartphones and laptops, which usually aren’t as hardened.
“It’s so much easier for the Chinese to hack the CEO of Lockheed [Martin] or the development group of Boeing’s engineers’ personal devices” than to hack the companies’ networks, said Mike Janke, chief executive officer and co-founder of Silent Circle, a National Harbor, Md.-based company that offers a suite of encryption technologies.
Even without Defense Department permission, uniformed and civilian personnel have been using their personal devices during deployments to communicate with family members or conduct business, Janke said. As the Pentagon considers employing a “bring your own device” strategy, hackers increasingly may view smartphones as easy targets.
Hackers could put malicious code on smartphone applications that target service members, said Michael Markulec of Lumeta Corp., a Somerset, N.J.-based developer of network detection software.
“So now the soldier takes that phone … and then uses that app on a WiFi network inside of the military network,” he said. “They launch that app, that piece of malware is then introduced into the network, and you have a potential problem.”
Lumeta currently is rolling out software that would allow all of the Defense Department’s networks to track which devices are connected to them, but there are other methods the department might use to secure the personal devices themselves, Markulec said.
One way would be to upload some kind of security agent to a mobile device that monitors applications, much like anti-virus software on a computer. Another is to disable certain functions on the device when it is connected to Defense Department networks, he said.
Silent Circle takes a different approach. Rather than securing the device or network, it protects the data going back and forth between devices. The subscription-based smartphone service can be used to encrypt conversations, video and texts between two Silent Circle users.
To use the service, the subscriber downloads an application to their iPhone or Android device.
When one Silent Circle user calls another, the two smartphones exchange a shared encryption key that is automatically destroyed at the end of the call.
This “peer-to-peer” method of encryption contrasts with the more commonly used “server-side” approach, where data is encrypted once it reaches the server. The problem with that is the server can be wiretapped or hacked, Janke said.
With Silent Circle, “everything that leaves my phone … leaves the phone completely encrypted,” he said.
Janke said several U.S. intelligence agencies are among Silent Circle’s customers, though he would not name specific organizations.