Is Wi-Fi secure enough for the federal government?

Jon Green, chief technology officer for Aruba Government Solutions, explores why mobility and wireless network access in the federal government are growing and are not a security risk.

Access to an internet connection – whether at an airport, restaurant, coffee shop, or even a hospital – is usually available through Wi-Fi in today’s mobile world. Within government, however, regulations and other security considerations make it more complex than simply jumping on an agency’s Wi-Fi network through a username and password. Although progress is being made, there are arguments that wireless connections aren’t secure enough to be used in government. However, others say that when used correctly, Wi-Fi can be even more secure than a wired network.

According to Jon Green, chief technology officer for Aruba Government Solutions, Wi-Fi access is available at three different levels. The first is referred to as open Wi-Fi, which does not require security credentials to access. This can be found in a hotel, airport, coffee shop, or anywhere there is public-use internet access.

The second level is what one might use in a home, which Green explained comes from an internet service provider such as Comcast or Verizon, and typically requires a password to use. This provides good security, but it’s not meant for large organizations, Green said.

“As soon as an employee leaves the company, you’re obligated to rekey the network,” Green said. “That doesn’t scale very well, so organizations don’t do it.”

The third level, which the federal government falls under, is more suited to an enterprise network with a large number of users on it.

“It’s an enterprise-grade Wi-Fi solution,” Green said. “Every user will have a unique credential to identify themselves to that network, whether that’s a password or a smart card. And within the federal government, there are standards that require that you use that form of Wi-Fi and that you have the appropriate policies in place to ensure that the network is secure.”

Green said it’s not unusual to hear people criticize the security of Wi-Fi.

“That’s a common objection that we hear from people. They say, ‘Wi-Fi isn’t secure because it’s radio waves,’” he said. “It travels outside my building; it travels in places I don’t want it to go. In fact, some customers have asked us to engineer their Wi-Fi network so that the signal doesn’t cross the outer threshold of the building or the fence line or that sort of thing, and it’s really an ineffective way of trying to build in security. It’s actually a false sense of security to do it that way.”

Green said the Wi-Fi system itself has security built in so there isn’t a need to worry about where those signals travel.

“But people have that perception that their wired network is going to be more secure just because people have to get into the building,” he said.

Does wired mean more secure?

Green argued that gaining physical access to a building may not be as difficult as people think, and if access is gained, it likely wouldn’t be difficult to access the network.

“There are many types of people who can be authorized to be in a building – visitors, repair people, guests for a meeting,” he said. “If they’re left alone in a conference room, those wired ports are sitting right there and nothing really stops them from plugging into it. In fact, sometimes that is how they are encouraged to get guest internet access, by plugging into a port. That could be a port that is set up specifically for guest access, but more than likely it’s probably just connecting to the internal network.”

From there, damage could be done rather quickly. But gaining network access is much harder to do through Wi-Fi.

“Wi-Fi has authentication built in, so to use it, I need to prove who I am to the network, whether that’s through a password or a smart card. And, the network has encryption built in, so that people listening to that communication can’t monitor it. And it has access control built in,” Green said. “With the advanced authentication and policy capabilities that Wi-Fi delivers, I can say that I want my inventory bar code scanners that are used in a warehouse to have access only to this type of file or application while I want corporate laptops to have much broader access to other information, and corporate laptops issued to top level executives to have even wider access still. That’s something that I can do with Wi-Fi very easily. It’s much more difficult to do that on wired networks. So we actually make the statement that wireless is more secure than the average wired network.”

Green referenced Defense Department chief information officer Terry Halvorsen as a pioneer in how Wi-Fi is viewed, and used, throughout government.

“[Halvorsen] has said that he wants guest Wi-Fi in the Pentagon, and that he wants it to be a Starbucks-like experience, so anybody coming in as a visitor can have that sort of access,” Green said. “And that’s a good goal, yet there has been pushback from people saying ‘this is a DoD network; we can’t just allow it to be used by anybody who wants to connect to it.’ There was a lot of debate on that, but they’ve settled it now and there will be a guest network. It will not be wide open, but instead will be sponsored guest access. So, if you’re there on legitimate business and have a contact in the Pentagon, you’ll be able to go in and get access to that guest network. If you’re coming in, say, for the public tour, it’s not necessarily going to be open to you. With today’s Wi-Fi technology, agencies can set up guest networks that provide general internet access for visitors but that keep their internal networks secure.”

Green also noted that guest access can have different meanings between the commercial and public sectors.

“In the government, ‘guest’ doesn’t necessarily mean member of the public,” he said. “Sometimes they use that term to mean somebody who is a government employee from a different department. In the military, it might be a service member who is coming in from a different base, and it’s not their usual work location, but they are an authorized user of the network.”

The impact of Bring-Your-Own-Device

The concept of mobility and secure Wi-Fi in government also leads to a discussion around Bring-Your-Own-Device (BYOD), and the impact on productivity as well as recruitment and retention in today’s technology-driven world.

Green said it’s all connected, but must be thought through carefully to ensure the best outcome.

“People may be more productive if they have their own device,” Green said. “If an executive has an iPad and they can use that to read email throughout the day, that may have a benefit for the organization and improve productivity, but I don’t necessarily want to give that personally owned device access to everything on my network. It comes down to how we segment these devices: enterprise-issued devices, BYOD for one of my employees, and then visitor access. Within those, you have a lot of room to move back and forth in terms of what sort of access you want to provide.”

There are also privacy concerns on the end-user side: users may be concerned with how much their employer can see on a personal device.

“On a true BYOD system, where it’s a personally owned device, typically the organization prefers to say, there’s a hard line there,” Green said. “We’re not going to manage that device. We’re not going to have visibility into what is happening on that device. We don’t want that. We will monitor what goes on our network to make sure it’s following correct usage, but we’re not going to look into the device at all.”

As mobile devices and wireless connections have become a big part of people’s daily lives, particularly for younger workers, Green said the policies put in place today will go a long way in determining how the government is viewed as a potential employer for tomorrow’s workforce.

“You won’t find a higher education institute today that doesn’t have Wi-Fi,” Green said. “If you didn’t put it in, students wouldn’t come to your university. But if those students enter the federal workforce, one of the first things that they find is that technology doesn’t exist there, or if it does exist, it’s very limited and only works with certain devices. I think the best example is the Intelligence Community. The very first thing that happens when you walk into that place is you see the row of lockers where you need to lock up your phone, lock up your personal devices. Until recently, no Fitbits, no electronics of any sort went into these spaces.

“So you take somebody who has had Facebook their entire life and suddenly tell them that they can’t have any connectivity to their friends; it’s difficult. We did a study recently and people said that Wi-Fi is more important than daily hygiene. I wouldn’t go quite that far, but I do find it irritating when I go into places and I don’t have my productivity tools available to me, just because I’m less productive in those places.”

Green praised National Intelligence Director James Clapper, who decided to make Wi-Fi available throughout the Intelligence Community.

“This is going to be operating at classified levels, not an open internet with Facebook, etc., but rather with high security Wi-Fi networks. They’re looking at things like building a social media network inside the organization,” Green said. “The thing that people miss is not necessarily being connected to the internet. It’s being connected to the people that they interact with and the information sources they rely on each day. If you could build an internal social network that was just for that particular agency, for example, you give people back a lot of what you’ve taken away from them, and it really does help with employee retention. That was his point behind why it needed to be done. I think the average retention time for somebody coming into the federal government is 3.8 years, and it’s probably worse with the millennial generation. So it is a serious concern and it’s one of those things they think can make the situation better.”

As for the future of Wi-Fi in government, Green said consistency and uniformity will offer the best path to success.

“Wi-Fi in government is growing very quickly and we see the biggest need being some type of unifying policy around how it gets deployed,” he said. “If I start out at one military base, I should be able to go to any military base and have my device work the same way. It’s mobility both within the site and outside the site. So it’s happening, and we’ll see standards continuing to evolve and to unify, and I think in 5-to-10 years we’ll see this pervasive everywhere.”