[Scan-DC] Securing the Presidential BlackBerry

TMartin831 at aol.com TMartin831 at aol.com
Sun Jan 18 16:17:51 EST 2009 

Securing the Presidential BlackBerry

Security efforts explain how the military-level encryption and  restricted 
use could enable Obama to keep his handheld.

Ellen Messmer, Network World 
Sunday, January 18, 2009 09:02 AM  PST
 
Naysayers aside, President-elect Obama appears determined to take  office 
Tuesday with his BlackBerry -- or at least some PDA -- firmly in hand.  Here's 
how experts say he might pull it off -- and what pitfalls he may be  
underestimating.

The Presidential Records Act requires retention of the bulk of  documents 
generated by the president for public review at a later date, so any  message 
Obama creates with his BlackBerry would have to be retained and stored,  subject 
to scrutiny in the future. But the larger problem is that the BlackBerry  is 
unlikely to get the nod as the presidential wireless handheld from the  
National Security Agency (NSA) or other federal entities with a traditional  
oversight role in top-secret communications security, according to  experts.

"The most significant issue here is security," says Randy Sabett,  partner at 
Washington-based law firm Sonnenschein, Nath & Rosenthal LLP.  "The number 
one target of anyone anywhere in the world would be the e-mail  communications 
of the most powerful man in the world, the president of the  United States." 
Sabett, who has worked at the NSA, says that "nation-states,  terrorist 
organizations and criminal gangs" could all be expected to be trying  to break into a 
president's BlackBerry.

There is a version of the BlackBerry that uses AES-256 encryption,  which has 
been approved by the Defense Department for sensitive communications.  
Research in Motion, maker of the BlackBerry, points to a number of government  and 
third-party security certifications as evidence that its key-management  system 
is secure.

A November 2008 certification by the Fraunhofer Institute for Secure  
Information technology in Germany, for example, gave a positive evaluation to  the 
BlackBerry's use of cryptographic algorithms and life-cycle management of  
shared secrets or keys and passwords.

But for top-secret communications, the NSA has a history of turning to  
select manufacturers for custom-designed equipment. These include the  
high-security STU-III phones or the more recent Secure Mobile  Environment/Portable 
Electronic Device program under which General Dynamics  built the Sectera Edge smartp
hone and PDA.

This Sectera is compliant with what's called the Secure Communications  
Interoperability Protocol and the High Assurance Internet Protocol Encryptor  
Interoperability Specification for secure interoperability with in-line  encryption 
devices used on the government's Secure Internet Router Network  (SIPRnet).

L-3 Communications has also built an SME PDE-style PDA called the  Guardian, 
which is undergoing certification.

But use of any PDA smartphone remains problematic for a  president.

Smartphones are programmable devices and "local devices are  increasingly 
vulnerable to attacks by injecting hostile software onto the  device," says Phil 
Zimmermann, a fellow at the Stanford Law School's Center for  Internet and 
Society, and creator in 1991 of Pretty Good Privacy (PGP), the  public-key 
encryption and authentication system.

"If that code can gain control of the device, it could take such  actions as 
activate the microphone, record his conversations and then transmit  them 
somewhere," Zimmermann says. "You're being ratted out by the device in your  
pocket."

Potentially, the device could even "rat out" your location, he adds,  because 
many smartphones provide highly accurate GPS capabilities.

While a simple BlackBerry for the president may not get the thumbs-up  from 
the NSA, Obama should not necessarily consider this the final word, says  
security expert Bruce Schneier.

"Look, he can decide to paint the White House blue if he wants,"  Schneier 
says. "The Internet is the greatest generation gap since rock and roll.  . . . 
The NSA will tell you the risks, but they will never say here's what the  
benefits are." Obama might be so productive and effective with a BlackBerry or  
other PDA, it would outweigh the risks.

But Schneier also acknowledges the risk of hacking the presidential PDA  is 
high and in any event, it is not possible to have absolute certainty that  
e-mail actually came from Obama.

"No encryption program solves that," says Schneier.

Gartner analyst John Pescatore, whose background includes working with  the 
Secret Service, says NSA-approved devices like Sectera would be secure  enough 
for use in a closed system, but the problem is switching to unclassified  mode 
to use the Internet.

"Internet e-mail is totally unacceptable for a president to use,"  Pescatore 
says. "There is no strong authentication -- how can anyone prove an  e-mail 
came from the president? There is no integrity -- how can anyone prove  the 
content wasn't changed?"

Use of something like the PGP public-key infrastructure could help the  
president communicate with others in a larger closed system, says Pescatore,  "But 
that doesn't stop anyone from forwarding an e-mail from him outside that  
closed loop."

Pescatore says he would also be concerned that any wireless device  might act 
as a radio-frequency beacon to reveal the president's location.

The other challenge -- the legal requirement under the Presidential  Records 
Act that a president store all documents in order to make them available  to 
the public in the future -- is also a factor Obama and his team must  consider.

Most legal experts and scholars say there's nothing in the Presidential  
Records Act to prevent use of e-mail.

"What it does do," says Dickinson College political-science professor  Andrew 
Rudalevige, "is make every presidential e-mail a public record and thus  
something -- unless classified for other reasons, such as national security --  
will be released via the presidential library system."

Records are typically deemed "open" 12 years after the president leaves  
office, but can be opened by presidential consent, by the Freedom of Information  
Act or subpoena before then, he adds.

However, current law doesn't require presidential phone calls to be  
recorded, though they have to be logged.

So, between the Presidential Records Act and the threat of PDA hacking,  
presidents have some good reasons to avoid e-mail, Rudalevige notes.
~~~~~~~~~~~~~
1998-2008, PC World Communications, Inc.
 
_http://www.pcworld.com/article/157907/article.html?tk=nl_dnxnws_ 
(http://www.pcworld.com/article/157907/article.html?tk=nl_dnxnws) 
**************Inauguration '09: Get complete coverage from the nation's 
capital.(http://www.aol.com?ncid=emlcntaolcom00000027)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.qth.net/pipermail/scan-dc/attachments/20090118/4baf7039/attachment.html

More information about the Scan-DC mailing list