At this moment, nearly 100 U.S. intelligence professionals in a dozen agencies are carrying Android smartphones that let them engage in top-secret conversations using a commercial cellular carrier.
The U.S. National Security Agency began the pilot project in December, enlisting communications specialists as the first participants. It is a hallmark of Army Gen. Keith Alexander’s effort to push the intelligence community to modernize by embracing cloud computing and mobile devices. NSA calls the effort Project Fish Bowl to capture the idea of users talking securely behind extra encryption measures, much as glass can protect fish.
During the pilot, NSA’s red team hackers will try to break into the communications. Other experts will assess whether the extra security steps required to protect top-secret conversations over a commercial network are causing dropped calls or excessive latency, or rendering voices unrecognizable.
As important as all that is, NSA has a broader goal in mind. One of the agency’s roles is to accredit communications devices for professionals across the intelligence community and Defense Department. The agency hopes the phones will bridge a generation gap in its customer base between digital and nondigital natives.
“It is a very large cultural shift, because we do have people, like myself, who have been at the agency for more than 20 years who had it drilled into our heads that the whole use of mobile technology is bad,” said Troy Lange, NSA’s mission manager for mobility. “I really firmly believe that if we as an organization want to continue to attract the best and the brightest, we have to solve this problem.”
The pilot is just one step in what would be a bold transition. NSA and its partners at other agencies must resolve a host of questions about how to expand top-secret mobile communications. The pilot is restricted to voice at the moment, but data capabilities eventually would need to be added. Information policies must be updated to better address when and where workers can talk about sensitive projects or access particular kinds of data. Commercial carriers and NSA would need to agree on government access to employee subscriber lists. Would NSA be able to control the carrier’s over-the-air upgrades to software on the phones?
Perhaps the largest hurdle to broader adoption is that the pilot devices work only off premises. That’s because the walls of intelligence facilities, such as the NSA campus at Fort Meade, Md., are built to prevent spying by blocking wireless electromagnetic signals. NSA wants to figure out how to make a top-secret phone transition seamlessly when an intelligence worker carries it from commercial 3G and 4G networks into a sensitive compartmented information facility, or SCIF, which can be a specific room or an entire facility.
NECESSITY OR CONVENIENCE?
The long-term vision is about more than providing convenience, Lange said. It’s about efficiency and information sharing.
“I’ll use myself as a personal example,” he said. “I tend to fall very behind in my email, and I will spend much of my time at the end of the day trying to catch up. It would be wonderful if as I’m moving around, and I’m moving between meetings, I had a way of accessing my secure email so that I could respond to them.”
Ultimately, NSA expects individual agencies to purchase all sorts of commercially produced digital devices, from smartphones to tablet computers. NSA would approve the devices for voice and data services if they were made to operate under the security procedures tested in the pilot and published as a PDF file on the NSA public website.
As it stands, the pilot phones are programmed with Voice-over-Internet-Protocol apps that allow users to engage in top-secret conversations under very strict rules. Users must be aware of their surroundings and closely mind operational security.
“It’s not just willy-nilly, talking top secret because you feel like it,” Lange said. There must be “a mission imperative for you to do that.”
The operator must key in a password to make a call, and the phones are programmed with a secret code so that the network will recognize that the phone is an authorized device.
NSA eventually expects to add a data app that would allow such features as digital chat. A thin-client approach would be adopted so that little information is stored on the phone. Sensitive information would be housed in the private cloud of computers NSA also is pioneering for the intelligence community. Losing a phone would be bad, but not front-page news.
“If you lose the device, there’s very little interesting data actually on that phone,” Lange said.
The pilot phones are accredited for top-secret collateral conversations, meaning top-secret information that is not held in a compartment and is available to anyone with a top-secret clearance and a need to know. They aren’t approved for higher-level sensitive compartmented information or special access program information, although NSA says it is working toward those higher-level requirements.
Among those who do not have to be won over to NSA’s proposed revolution are the legions of experts who devise software and strategies to secure consumer wireless communications. An estimated 854,000 people hold top-secret clearances in the U.S., according to a 2010 investigation by The Washington Post, creating a potentially lucrative market for those who follow NSA’s procedures to make $500 smartphones work securely over consumer carrier networks.
The phone in the pilot is a commercial phone, but Lange declined to name the brand, saying he wouldn’t want readers to think the agency favors any particular vendor.
“It’s the kind of smartphone that you’d be able to buy at an electronics store, at a phone kiosk. There’s nothing particularly special about the hardware,” he said.
In February, NSA published a “Mobility Capability Package” describing the security approach for the industry.
The industry looks interested, judging by the response to a presentation given by Lange’s colleague at Fort Meade — Margaret Salter, one of the technical directors within NSA’s information assurance directorate. As Salter prepared to speak at the RSA cybersecurity conference, the line to get into Room 130 of San Francisco’s Moscone Conference Center snaked down a hall and across the center’s giant foyer. Salter had to give an encore presentation that evening.
She started with a story to illustrate the difference she thinks the mobile phones can make.
“Something happened back at the ranch, and they called me and said, ‘We really need to talk to you about this thing, but you know it’s a classified thing, so could you please get to a classified phone?’”
That was impossible because Salter was at RSA and far from the nearest classified facility. At first she thought, “I’m going to have to call him on my cellphone; we’ll talk around it, like we always do.” Then she remembered that Lange, who had traveled to RSA, too, had a Fish Bowl phone in his pocket. She realized she could find a place to sit and have the top-secret conversation.
“This is an amazing thing,” Salter said. “It may not seem amazing to a lot of you because you’re not used to working with top-secret data and all the constraints that we have, but it’s an amazing thing for us and for all of our customers.”
NSA’s big challenge in establishing the mobility project was to define a process that would let the intelligence community take advantage of fast-paced innovations in the consumer electronics industry, but at an acceptable level of security risk.
Accrediting devices more quickly than in the past required a procedural overhaul, because NSA has always dived deeply into a device’s code before approving it for use by the community.
NSA is now trying to shed the weight of history. In the old days, “industry would come up with something that’s kind of cool and interesting. We’d say, ‘Wow, we’d like one of those, but we need a secure one,’” Lange said.
NSA would hand the industry a list of 700 security requirements, and a bidder would build a device to those specifications. The agency then had to verify that the device was, in fact, operating to those specs.
“We would get their source code and go through it line by line, and eventually do a certification of a commercial offering,” Lange said. The process could take anywhere from two to five years.
The earliest equipment built like that required security specialists to install encryption keys. These experts would get the devices up and running and then step back to let policymakers or top intelligence officials make their calls.
In the 1980s, NSA took a step toward direct user equipment with a desktop phone called the STU-III, for Secure Telephone Unit, third generation. The STU-IIIs were followed by more streamlined desktop phones, called Secure Terminal Equipment.
NSA got those projects done, Salter said, but “it always took us a really, really long time.” As much as the agency tried, it won no awards for user friendliness.
“For us, security was and always is job one. So we didn’t worry if it was really, really hard to use, as much as we made sure it was really, really, really secure,” Salter said.
NSA wants the next step in the evolution to be adoption of commercial devices whose transmissions would be sent according to a security recipe established by NSA. Lange and Salter must show that these devices can be accredited quickly but securely.
In the new approach, NSA won’t completely rip apart the source code line by line to certify a device.
“We envision that we would do a somewhat less rigorous review,” Lange said. “Essentially, what we’re trying to do is weed out the really bad stuff.”
To make up for the less rigorous review, the voice traffic is encrypted twice: the voice stream is itself encrypted, and it is then carried inside secure, encrypted “tunnels” across the commercial carrier network.
The key, Lange said, is that the two encryption layers be independent of each other, so that a flaw in one does not expose the other.
“If we’re using the same crypto library, you’d have the same vulnerabilities in the same layer,” he explained. “But if you can envision two independent encryption layers [and] a vulnerability in one, if the vulnerability were discovered, you’d still be protected by the other layer.”
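To make the layering concrete, here is an added example written for this edit; it is not code from NSA, the pilot phones or the agency’s published capability package. The inner layer stands in for the voice app’s own encryption and the outer layer for the tunnel across the carrier network. Both layers use Go’s standard library, so what it demonstrates is the independence of keys and constructions (AES-GCM inside, AES-CTR with HMAC-SHA256 outside) and the order of operations, not the separately implemented crypto stacks Lange describes. The Layers type, the packet framing and the sample voice frame are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layers models two independent encryption layers around a voice call: an inner,
// application-level layer (AES-256-GCM, standing in for the voice app) and an outer
// tunnel layer (AES-256-CTR with HMAC-SHA256, standing in for the carrier-side VPN).
type Layers struct {
	inner    cipher.AEAD  // inner layer: authenticated encryption of each voice frame
	outer    cipher.Block // outer layer: block cipher run in CTR mode over inner ciphertext
	outerMac []byte       // outer layer: HMAC key authenticating every tunnel packet
}

// randomBytes draws n bytes from the OS CSPRNG (failure is unrecoverable here).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewLayers draws three unrelated 256-bit keys. This is a hypothetical stand-in for
// key establishment; a real deployment negotiates each layer's keys separately.
func NewLayers() *Layers {
	innerBlock, _ := aes.NewCipher(randomBytes(32)) // only fails on a bad key size
	gcm, _ := cipher.NewGCM(innerBlock)             // only fails on a non-16-byte block
	outerBlock, _ := aes.NewCipher(randomBytes(32))
	return &Layers{inner: gcm, outer: outerBlock, outerMac: randomBytes(32)}
}

// innerSeal encrypts one voice frame: nonce || ciphertext || GCM tag.
func (l *Layers) innerSeal(frame []byte) []byte {
	nonce := randomBytes(l.inner.NonceSize())
	return l.inner.Seal(nonce, nonce, frame, nil)
}

// innerOpen reverses innerSeal; a wrong key or altered payload fails the tag check.
func (l *Layers) innerOpen(sealed []byte) ([]byte, error) {
	ns := l.inner.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("inner: packet too short")
	}
	return l.inner.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// outerSeal wraps the inner ciphertext with a different construction,
// encrypt-then-MAC: iv || AES-CTR ciphertext || HMAC-SHA256 tag.
func (l *Layers) outerSeal(payload []byte) []byte {
	iv := randomBytes(aes.BlockSize)
	ct := make([]byte, len(payload))
	cipher.NewCTR(l.outer, iv).XORKeyStream(ct, payload)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, l.outerMac)
	mac.Write(body)
	return mac.Sum(body)
}

// outerOpen checks the tunnel MAC before decrypting and returns the inner
// ciphertext, which stays opaque without the inner key.
func (l *Layers) outerOpen(packet []byte) ([]byte, error) {
	if len(packet) < aes.BlockSize+sha256.Size {
		return nil, errors.New("outer: packet too short")
	}
	body, tag := packet[:len(packet)-sha256.Size], packet[len(packet)-sha256.Size:]
	mac := hmac.New(sha256.New, l.outerMac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("outer: authentication failed")
	}
	payload := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(l.outer, body[:aes.BlockSize]).XORKeyStream(payload, body[aes.BlockSize:])
	return payload, nil
}

// Send applies the layers inside-out; Receive peels them outside-in.
func (l *Layers) Send(frame []byte) []byte { return l.outerSeal(l.innerSeal(frame)) }
func (l *Layers) Receive(packet []byte) ([]byte, error) {
	inner, err := l.outerOpen(packet)
	if err != nil {
		return nil, err
	}
	return l.innerOpen(inner)
}

func main() {
	l := NewLayers()
	frame := []byte("constructed 20 ms voice frame #1") // constructed sample, not real audio
	pkt := l.Send(frame)
	got, err := l.Receive(pkt)
	innerOnly, _ := l.outerOpen(pkt) // what a holder of only the tunnel key recovers
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, frame),
		"| tunnel key alone exposes speech:", bytes.Contains(innerOnly, frame))
}
```

The order matters: the receiver verifies the tunnel MAC before touching the inner layer, so a tampered or truncated packet is rejected at the outer layer and the inner key is never exercised on attacker-controlled bytes, and someone holding only the tunnel key recovers inner ciphertext rather than speech. In Fish Bowl the two layers would additionally come from separately implemented stacks, which is the point of Lange’s remark about shared crypto libraries.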
In operation, the phones could improve security by removing the temptation to try to talk around a sensitive topic on an unclassified cellphone, as Salter was tempted to do at RSA.
A big question still to be resolved is whether carriers such as AT&T or Verizon would agree to let NSA exert control over part of their infrastructure. Carriers maintain a subscriber database for billing purposes.
“That’s a function that we think ought to have some government overview of, at least [for] government employees,” Lange said. “Would the carriers maintain a separate database of secure users? Or perhaps we’d maintain our [own] database.”
Also, NSA has concerns about over-the-air updates of the software on the phones. Those updates are necessary to keep the phones operating smoothly, but they are a potential attack vector for malware. The voice stream is another potential route, because it reaches the phone as digital data that the device must parse, not as an analog signal.
“Currently, we have very little control, or knowledge, or insight into how our phones might be updated by the carrier,” Lange said.
For purposes of the pilot, wireless updates are not allowed.
In the long term, NSA wants the same devices to work on open 3G or 4G networks and inside secure facilities. NSA isn’t sure how to do that yet, but it’s exploring two options.
“Do you set up something like a picocell — basically a small cell tower in the building?” Lange said. “One of the other things that we’re looking at is, perhaps, when you’re inside of a SCIF, you’d connect with the ... Wi-Fi internal network, and then as you left the building, you would then transition to the 3G, 4G network.”
If the mobile revolution plays out the way Lange, Salter and other advocates hope, then policies spelling out when and where workers can access top-secret information might need a matching modernization. Policies currently allow classified conversations outside a secure facility in certain circumstances, such as emergencies.
“I think what we really need to look at are: Are those completely appropriate? Are there situations where we might expand that?” Lange said.
There are many options that can be enabled by technology, he said: “Is it receive-only, say, if you’re outside of a secure facility? Perhaps it’s appropriate that you’d only be consuming information, as opposed to producing it, where you might be overheard.
“All those things are areas where, I think, that we really need to relook at as we move into the future of using mobile devices.”
Ultimately, the phone should be smart enough to automatically enforce whatever the new policies look like. A user in a secure facility “might have access to a full range of classified data — top secret, secret and unclassified,” but when he leaves the building, “smarts built into the system” would “make decisions about who you are ... what accesses you would maintain,” Lange said. The device could identify a user’s location, providing different accesses when he is abroad than when he is in the continental U.S.
NSA thinks the approach can be used to link war fighters directly to commanders, for example.
“These devices all have cameras on them,” Lange said. “To be able to securely deliver that information back to a commander somewhere so that they can make tactical decisions based on real-time data — that’s really what we’re trying to look at.”
Progress will require a balancing act between long-standing security concerns and the desire to tap the commercial revolution in mobility and cloud computing.
“How can we allow that innovation and creativity, protect that securely, and not lock down the device so much that people can’t do the things they need to do?” Lange said.
Project Fish Bowl is a first step toward the answer.
This story appears in the April 2012 edition of C4ISR Journal.