As part of the NSA’s program to certify commercial off-the-shelf technology for use inside the agency, mobile devices from Samsung and Boeing have been cleared for use by NSA employees.
This move by the NSA is part of its Commercial Solutions for Classified program (CSfC) to enable government use of the same products that we in the private sector enjoy, rather than specially engineered government-only products that are often feature-poor, slow to market and expensive.
Samsung’s products include the Galaxy S4/S5, Galaxy S5 with KNOX, Galaxy Note 3, Galaxy Note 10.1 2014 Edition, Galaxy Note 10.1 2014 Edition with KNOX 2, Galaxy Note Edge with KNOX 2, Galaxy Tab S 8.4 and 10.5 LTE with KNOX 2, and the Galaxy Alpha with KNOX 2. For Samsung, Knox provides the added security features key to making the grade in the CSfC program.
Boeing’s offering, which is not commercially available, is the Boeing Black smartphone. Sold only to government agencies and to contractors working with them, the Black smartphone is a sealed, tamper-proof device.
The heightened level of security built into both product lines comes at a time when the world has seen a significant rise in cyberattacks on the Android OS. For example, a recent FireEye Mobile Security Team study of the top 1,000 most downloaded free Android apps found that 68 percent were susceptible to man-in-the-middle (MITM) attacks and contained one or more SSL vulnerabilities.
John Morrison, senior director at Samsung Research America, says “the CSfC Program really stretches the boundaries of high security on mobility.” He adds that “the innovation driven by the U.S. government results in more secure products in private sector hands.”
In order for these products to be certified, the vendors must satisfy stringent security requirements. For example, the devices must generate asymmetric cryptographic keys used for key establishment and authentication; perform encryption and decryption in accordance with a specified cryptographic algorithm; perform cryptographic hashing in accordance with a specified cryptographic algorithm and message digest size; and restrict the ability to configure policies for passwords, session locking, device enabling/disabling, application installation, VPN protection, or the specification of wireless networks.
A key example of the security issues surrounding BYOD smartphones and tablets is the camera that most of them have. Morrison says, “The issue for various government and commercial entities is that they have unique missions and therefore require customization or a different configuration for the devices they want to use. For example, while many commercial work sites permit cameras to be available for use, there are many sites, both government and commercial, where the CAMERA MUST ALWAYS BE OFF.”
He went on to explain that some sites require cameras to be off in certain locations and/or at certain times. Requirements like this drove the need for government, as well as many commercial users, to have customizable security settings, and they are why Knox exposes over five hundred programming interfaces that a Mobile Device Management (MDM) system can configure.
Of course, all of this new-found ability to protect the intelligence community and the military – as well as the rest of us in the private sector – comes with a catch: the available mobile security features must actually be invoked and managed. Otherwise, systems remain at risk, like those of the many users who install antivirus software but fail to keep both the signature files and the program itself up to date.
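As an added illustration of the “camera must always be off” policy above and of the point that a policy only protects if it is invoked and then verified, here is a small device-administration routine written for this page; it is not code from Samsung, Boeing or the NSA. It uses the standard Android DevicePolicyManager API rather than Knox’s own interfaces, and the `CameraPolicyAdmin` receiver name is an assumption.

```java
// Added example; assumes an Android app whose manifest declares CameraPolicyAdmin
// as a device admin with the "disable-camera" uses-policy in device_admin.xml.
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

public final class CameraOffPolicy {

    /** Hypothetical device-admin receiver an MDM agent would register. */
    public static final class CameraPolicyAdmin extends DeviceAdminReceiver {}

    private CameraOffPolicy() {}

    /**
     * Apply the "camera must always be off" policy and report whether the
     * device actually enforces it. Returns false when the admin was never
     * activated (the policy cannot take effect) or when the platform still
     * reports the camera as enabled after the request.
     */
    public static boolean enforceCameraOff(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, CameraPolicyAdmin.class);

        // Without an active admin the call below throws; treat it as non-compliant.
        if (!dpm.isAdminActive(admin)) {
            return false;
        }

        dpm.setCameraDisabled(admin, true);

        // Verify rather than trust: passing null asks whether ANY active admin has
        // disabled the camera, which is the aggregate state a compliance check needs.
        return dpm.getCameraDisabled(null);
    }
}
```

A compliance check in the MDM agent would call `enforceCameraOff` on each policy refresh and flag any device for which it returns false, since a requested but unapplied policy is exactly the gap the article warns about.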