International Trade Today is a service of Warren Communications News.

DOD IMPOSES WIRELESS RESTRICTIONS IN NAME OF SECURITY

Wireless security policy just released by Defense Dept. keeps intact year-old moratorium on construction of new wireless networks at Pentagon and bars wireless connections to classified networks or computers. Long-awaited policy, released quietly in DoD memo last week, keeps in place July 2001 moratorium on installation of wireless network infrastructure at Pentagon and related facilities until: (1) Security vulnerabilities are assessed fully. (2) Wireless design for Pentagon is developed. (3) “Appropriate policies and procedures are established to support the responsible introduction of wireless technologies into the Pentagon” and shared facilities with common networks. Continued moratorium is “in recognition of the exploitable vulnerabilities that wireless devices introduce to Pentagon area facilities and networks,” memo said.

DoD Chief Information Officer (CIO) John Stenbit and Administration & Management Acting Dir. Howard Becker signed policy Sept. 25 and sent it to office of the Chmn. of Joint Chiefs of Staff, undersecretaries of defense, DoD’s gen. counsel and defense agency directors. Pentagon Area Common IT Wireless Security Policy “establishes a balanced approach for mitigating vulnerabilities and security risks while supporting the responsible introduction of new technologies into the workplace,” memo said. “Given the exploitable vulnerabilities inherent in current wireless products and technologies in the interdependencies of defense and Pentagon networks, it is essential and expected that all tenants will strictly adhere to this policy.” Policy, which took effect immediately, sets penalties for wireless users who flout security requirements and restricts wireless users from connecting to classified computer or synchronizing with information technology (IT) devices not explicitly approved by DoD. Stenbit and Becker have tasked National Security Agency (NSA) to compile wireless technology vulnerabilities database for DoD. They said database would provide “an initial assessment of the potential vulnerabilities of specified wireless features and capabilities along with the associated risks and a countermeasures recommendation.”

Memo also said “DoD Enterprise Wireless Knowledge Management” process would be developed by Office of the Secy. of Defense “to promote the sharing of wireless technology capabilities, vulnerabilities and vulnerability mitigation strategies” throughout DoD. Parts of policy had been widely expected after Stenbit said in Washington speech recently that Pentagon was poised to release policy that would restrict how DoD personnel used wireless devices, including pagers, PDAs, Blackberry handhelds. DoD summary made available in Aug. elaborated on some of details, including extent to which connection of wireless devices would be barred for classified networks or PCs. Policy’s prohibition of new wireless network construction appears to take more restrictive view of Wi-Fi and other wireless networks than White House cybersecurity policy released last month. Final version of National Strategy to Secure Cyberspace had toned down language in earlier versions that cautioned that security gaps in 802.11 networks should be plugged before secure systems were deployed. Final version dropped earlier recommendation that federal agencies requiring secure networks either disconnect from wireless LANs or strictly limit access.

New Pentagon policy appears to take a more conservative approach. It covers wireless systems that include 3G wireless handsets, PDAs, Blackberry devices, interactive TV, wireless/infrared (IR) copiers and faxes and infrastructure components such as transmitters, receivers, amplifiers and antennas. Policy specifically excludes land mobile, emergency, tactical radios and one-way, receive-only devices. It says that in Pentagon wireless devices can’t be: (1) Connected to classified network or PC. (2) Used where classified information is electronically stored or transmitted without encryption. Exceptions to that restriction can be made if there’s an operational need and “mission cannot be accomplished” without the use of that wireless technology, the device’s infrared, radio frequency and microphone/audio capabilities are disabled and certain rules from the director of Central Intelligence Directive are followed. (3) Used as mission critical system. (4) Used as “primary means of communications for mission operations.” (5) Used to download or load freeware or shareware enhancements. (6) Used to synchronize to non-Pentagon or otherwise unapproved systems, including “personally owned home computers or contractor-owned computers or networks.”

Wireless information systems can be used for unclassified as well as “sensitive but unclassified” information, policy said. It directs all network-capable, wireless computing devices used in Pentagon to take security precautions such as password protection “or strong identification and authentication” using techniques such as biometrics. Policy said acquisitions of wireless information systems must comply with “most recent DoD policy for authentication,” use intrusion detection and monitoring mechanisms and use encryption through National Institute of Standards & Technology/Federal Information Processing Standard or NSA-approved systems. DoD said policy will be reviewed annually and updated, if needed, to include technology improvements that would apply to kinds of security risks covered in document.

Besides protecting DoD wireless devices from unauthorized disclosure, policy’s goals are to: (1) Protect DoD data against intrusions that “could alter, disable or circumvent the transmission.” (2) Require central oversight of wireless systems. (3) Guard against physical compromise, in part through “immediate notification of misplaced or missing DoD wireless devices to the appropriate authority.” (4) Ensure user authentication of DoD information that is transmitted between wireless computing devices. (5) Guard against any adverse impact on critical operations “if wireless computing devices and the supporting infrastructure are rendered inoperable.”

Pentagon officials in past have acknowledged that enforcement of wireless restrictions is likely to be challenging, although policy contains some teeth to ensure compliance. Designated approving authority (DAA) for Pentagon -- who is empowered to decide on security safeguards for particular information system -- is directed under policy to provide oversight for wireless policies and to offer guidance on vulnerabilities, threats, risks. DAA would have “final connection approval authority” over wireless information systems in Pentagon. Policy stipulated that DAA would make recommendations to DoD’s CIO of cases in which agency should be disconnected from Pentagon’s common IT transport infrastructure if there were more than 3 violations “of a nature that jeopardizes the security” of Pentagon’s common IT networks.

Wireless service provider for common IT transport network at Pentagon, under policy, is to be under direct federal control and must be able to “restrict user options to minimize the amount of traffic-related information transmitted” and must use security safeguards that can interoperate with similar mechanisms used for wireline voice and data networks.