The Defense Department says it’s committed to a future in which service members and civilians can use the latest and greatest mobile technology to get their work done, regardless of the device manufacturer. But it’s still struggling mightily with one of the biggest challenges for mobility in the government: identity management.
While the Pentagon thinks it’s gone a long way toward making sure its security approval processes for mobile devices, apps and infrastructure can keep up with the pace of commercial technology, there’s one enormous nut the department still hasn’t cracked — how to make sure DoD users can securely authenticate themselves on the network via mobile devices, the same way they do today from desktop and laptop computers. On those computers, users slide their common access cards (CaCs) into a smart card reader in order to do multi-factor authentication.
Using that same method on a mobile device defeats the purpose of having a mobile device.
“To date, the solutions have been Bluetooth or corded card readers that are very difficult to use, they have separate power sources, they’re not really in favor with generals and senior executives,” said Devon O’Brien, the lead mobile engineer for public key infrastructure (PKI) at the Defense Information Systems Agency. “The user experience is awful and because we’re such a niche market, the cost per device is awful. That’s sort of what prompted the look for alternate credentials.”
Those alternate credentials would be just as trusted by DoD networks as the PKI certificates that are currently stored on common access cards. But they would have to be different credentials, since the card isn’t actually attached to the device. The National Institute of Standards and Technology is finalizing a new special publication (SP 800-157) that describes what are called “derived credentials” and how they can be used securely.
Waiting on OMB
Greg Youst, the chief mobility engineer at DISA, said DoD is waiting for that special publication from NIST, but also for some final decisions from the Office of Management and Budget about how derived credentials can be used.
“Because the issue is, we need to define separation,” he told a small audience at a mobile technology symposium hosted by AFCEA DC in Vienna, Va., on Friday. “One of the requirements from OMB says that the certificate has to be separate from the device it’s authenticating in.”
And OMB’s decisions could make or break some of the potential solutions DoD is exploring for mobile two-factor authentication. For instance, one idea might be to place those derived credentials on a microSD card that’s inserted into the phone. Another might be to put the certificates onto the same SIM card that a commercial smartphone uses to identify itself to the commercial cellular network it runs on.
“Here’s the debate. Is a microSD separate? I can take it out and put it back in. What about a SIM chip? I can take it out, but now the phone doesn’t work,” he said. “There’s still policy stuff that’s being worked out at the federal level on how we’re going to approach mobility and PKI, and this is a very complicated field.”
But DoD says it does have some specific requirements that are going to govern how it handles ID management in the mobile realm: whatever solutions it settles on are going to have to integrate seamlessly with the Defense Enrollment Eligibility Reporting System (DEERS), the massive and expensive centralized infrastructure the Defense Manpower Data Center already operates to manage the identities of 42 million service members, civilians, contractors, retirees and dependents.
Beyond the derived credential options that use technologies such as microSD and SIM cards, the department is also exploring technologies that would let users hold their actual CaC cards up to their phones and authenticate via near-field communication, a technology already built into many smartphones.
“The challenge there is because of the policies around federal PIV cards, which have a whole lot of esoteric nonsense that we have to plow through,” said Michael Butler, DMDC’s deputy director for identity services. “But we’ve made it work. My guys actually built an email client, you can sign, you can encrypt and it’s certainly a better user experience than the [external card reader]. We’ve worked with Google, Samsung, a number of different folks, and we’re working on an NSA assessment. It’s really pretty simple technically, it’s really making all the standards work and getting all the standards folks to agree with it that’s the hard part.”
Apple is a no-go
There’s another hard part. None of the potential solutions DoD is exploring through its pilots will do any good with regard to many of the devices that are most coveted by DoD users. While the department is optimistic about coming up with solutions that could work for the open source Android operating system first and Windows Mobile and BlackBerry devices a bit further down the line, Youst said none of the current ideas would do any good for any product made by Apple.
“Unfortunately, the solutions don’t work for everything,” he said. “We’re still talking to Apple, but they won’t open up their (application programming interface) for smart cards. Yet, everybody in DoD wants an Apple device. But they’ve told us they will not change anything from an enterprise standpoint that could impact the customer’s experience.”
Youst said all of the military services are clamoring for a way to use mobile devices without extra hardware for authentication, but the biggest demand signal right now is coming from the Marine Corps. That service published a mobility strategy in April that envisions heavy usage of commercial mobile devices on the battlefield.
Rob Anderson, the chief of the vision and strategy division in the Marine Corps’ CIO’s office, said his service sees huge potential in the idea of derived credentials in places like Afghanistan.
“Most of our casualties that we experience in combat today deal with the fact that we have to put marines on the road, and there are only several places in Afghanistan that issue CaC cards,” he said. “If we don’t have to put marines on the road just to go get a frickin’ 2-inch by 3-inch piece of plastic with a little chip in it, we’re going to help save lives.”
BYOD a possibility
Anderson said he thinks those credentials could be wirelessly transmitted onto the battlefield so that marines could access data systems that heretofore would have required a physical smart card.
But those changes also could enable what’s been seen as a pipe dream so far in DoD — the idea that service members and civilians could use their own devices to connect to military networks.
“If we can get this technology to where we can load it to a FIPS-validated container, then we’re going to succeed into moving into a personally-owned, corporately-enabled environment,” Anderson said. “There are only two things that are going to prevent that. One is having the ability to authenticate into the network with multi-form factor authentication, and the other is being able to demonstrate to the lawyers that we can completely separate the personal from the organizational on the devices that we use. You have to be able to separate person and organization, and it’s a very sensitive issue today because of issues that have happened in the news over the last four or five months.”