In a nut shell, the BlackBerry service is too public to be used. Let's be rational here, how would you feel if you knew the president used a public copy of WindowsXP on all his PCs, or if he used a public copy of Internet Explorer and Outlook? How warm and fuzzy would you feel about the security of our Gov’t secrets? Of course Obama would like to keep his Blackberry, who wouldn’t? BlackBerry’s without a doubt increase the users productivity and availability. However, for most users the security of the BlackBerry solution is just an after thought. Obviously, if you are the most powerful man on the planet your security posture becomes a bit more critical (understatement of the year). In this blog I will lay out 3 major reasons why the security risk is just to great to allow President Obama to keep his beloved BlackBerry.
Over the years the President's access to mainstream communication systems has been prohibited, and for good reason, they are not secure enough. This is why the White House has its own communications network for e-mail, voice, video, and data delivery. They don’t just go and sign up with Qwest. That is why all the applications the President uses are custom. Everything from his e-mail client, browser, operating system, instant messaging system, word processor, etc. has had its source code either written from scratch by the Gov’t or highly modified by the Gov’t to make it more secure. Even many of the crypto algorithms that are used to encrypt the President's data at rest and in transit are custom developed and classified. My point is that everything the President touches in the digital world has been highly customized for him with a relentless focus on security.
Almost all of this customization code, techniques, algorithms, etc are highly classified. See NSA cryptography definitions around Suite A algorithms. Sure you could argue that it is a bit of security by obscurity but it seems to be a pretty successful tactic in the government’s bag of tricks so far.
So this brings me to my main premise for denying Obama the use of his BlackBerry device. The BlackBerry network is too public. Their vulnerabilities are published publicly, their SDKs are public, their devices are public, parts of their code is public, their RIM network is public, their software is public, anyone who pays $100 is allowed to obtain a RIM key to sign their code, exploit code to attack the multiple vulnerabilities in BlackBerry is public, etc. etc. etc.
Don’t get me wrong my whole argument is not based around obscurity per say. Instead it is based on the fact that if our President uses a completely public communication mechanism, like BlackBerry, which was not designed with “eyes only” security as an objective throughout its dev process then the likely hood of it being compromised jumps exponentially. This is especially true when every detail about the BlackBerry solution is available to the public and has been for years.
Let’s take a brief look at the state of BlackBerry security.
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
The Leader in Network Knowledge
He won't keep it
No way he gets to keep it. If he does, it will take about 3 months and someone will post some private communique of his and that will be the end of it.
They're are secure (non-RIM)
They're are secure (non-RIM) gov issue mobile device that BO may choose from.
Most other gvmt managers use them
One: grammatical error in first sentence.
Two: Most all of the current Federal and State management and decision making managers already use the government issued devices. The security horse is already out of the barn. The lower rank and file is where true information and details are captured and created long before it gets to the presidential level.
"Grammatical error in first
"Grammatical error in first sentence"? The whole piece is riddled with spelling and grammar errors. The problem with this is that, right or wrong, it detracts from the message you're trying to convey (which I happen to agree with in this case, by the way).
grammer
Sorry guys I pounded this out in record time to meet some deadlines. Not an excuse but just letting you know. I just fixed several errors. If you find others please email them to me and I'll update it.
Thanks,
Jamey
Corrections
"In that the case the district" - remove 'the'
"service is to public to be used" - change to 'too'
"compromised as well But then the whitepaper" - add comma, lowercase 'b'
"If your not, read on anyways" - should be "you're"
"were fixed by RIM where talked about" - change to 'were'
Please get real
This article is another example of the FUD the security market do not need anymore.
If there are more secure applications available to the POTUS, they should absolutely be made available to many others (if not the public). Critical infrastructure comes to mind as a prime user for such secured apps (BTW if the critical infrastructure is destroyed, who cares about the POTUS? i.e. may be he is not the most powerfull/important person on the planet).
Also if the government is willing to spend large amount of money developping secured apps (and OS?) from the ground up, maybe they should (if I were a US citizen, this "should" would become a "must") fund and mandate that critical apps be written with security built in from the beginning.
Last but not least, the POTUS has been democratically elected and his position is such that if he wants to keep his BB he can. Everyone will simply have to trust him that nothing of "value" happens through this BB which is exactly what has to be done in the "normal" world: trust your users. (If you can't trust the POTUS who can you trust?)
Can't tell
I can't tell if you are agreeing or disagreeing with the article so I will only comment on the trust your users/president point.
Of course we have to trust our president, that is why he got elected. However, letting our President do something that will potentially impact our national security is quite another. For example, the president cannot dismiss his secret service agents if he doesn't want them around, he cannot use AIM as a communication mechanism between him and his top national security advisors, he's not allowed to post pictures of our top secret agents on facebook. My point is (if you haven't figured it out yet) is that there are lots of restrictions placed on the president already. The blackberry is just the latest one that needs to be figured out.
Government blackberry use...
Did the author look up gov regulations for BB use? Mandatory encryption, use of gov controlled BES, camera and bluetooth disabled, antivirus required, no 3rd party app. installation, etc.? So, the pres. wouldn't be able to install AccuTracking anyway. And the Feds already ban any sensitive or personal info from any mobile device. So that leaves the possibility of a hostile agent getting a hold of the BB and planting a bug in it... well, could happen I guess - or in his shoe, or his tie tack, or...
BO's Blackberry Use
He will use his Blackberry for his very extensive communication with non government entities for non government purposes. This does not preclude the use of proper channels for governmental communications. I see no problem here.
Post new comment