Soldiers use smartphones during a training exercise. Companies are scrambling to meet DoD mobile security standards. (Army)
The Defense Department may be a small player in the global mobile device market, but its clout with companies like Google and Apple is rising.
Not because these companies are driven by the promise of big federal business. Rather, by meeting DoD security standards, companies see an opportunity to expand their business into other security-conscious sectors.
“If they can get to our level of security, then they can market out to the corporate world for health, banking [and] financial, ... and you’re starting to see that,” said Greg Youst, mobility lead for the Defense Information Systems Agency, at a cybersecurity event last month.
“The drivers for these devices ... is the commercial market,” Youst said. “We’re a drop in the bucket.” But “the market is listening to us,” he said. “Industry is coming to us.”
In sit-down meetings with Defense officials, these companies are asking how they can build devices and operating systems that meet department standards. DoD began talks with Samsung more than a year ago and gave the company guidelines for developing its Android-based Samsung KNOX, Youst said. Samsung KNOX devices were approved for department use in May.
Android-based smartphones make up 80 percent of the global market share, according to data released last week by research firm Strategy Analytics.
But that business is largely driven by consumers, not by large organizations like federal agencies, banks and hospitals. In a recent overview document about its KNOX product, Samsung cited a 2012 Gartner survey that found less than 10 percent of organizations planned on buying Android devices in the following year because of a “perceived lack of security.”
Samsung is playing up the fact that it submitted KNOX to the government for a compliance review “to enable its use in government and other highly regulated enterprise environments” like health care and finance.
KNOX includes security features developed by the National Security Agency that can separate data and apps on the phone into different domains to contain damage caused by a malicious or flawed app.
Youst said he was contacted by Google and given a week to create a wish list of DoD’s mobile security needs; he has had similar discussions with Apple about security.
“I went nuts,” he said of the Google conversation. He worked with the military services to develop a wish list, which included security requirements for verifying a user’s identity before the user can access a device. “How do we make sure that you are who you are?” he said.
Apple also has taken steps to meet federal security standards. Apple’s iOS 6 operating system meets National Institute of Standards and Technology standards required to encrypt data on mobile devices used in government. This is often referred to as Federal Information Processing Standards (FIPS) 140-2 certification.
“In many ways, security is migrating from a post-award cost to a competitive advantage,” for companies, said George Holland, a vice president at Juniper Networks.
While DoD is reaping the benefits of security features being built into mobile devices, these upgrades haven’t solved all of the department’s mobile problems.
One of DoD’s main challenges today is that the only way to verify the identity of its mobile users is with a Common Access Card (CAC) and an additional device that can hold the CAC card in place, connect the card to the device and allow users to access the device. DoD is exploring options for storing the digital identities found on CAC cards inside smartphones on a Subscriber Identity Module (SIM) card or microSD card or other secure locations that vary depending on the mobile device, said Ben Andreas, vice president of sales for security software company Intercede. Companies like Intercede are working with DoD to explore secure and standard ways of doing this.
For now, DoD is testing solutions from companies like Precise Biometrics. The company builds cases that double as a smart card reader and fingerprint scanner for such devices as the iPhone and iPad. It, too, is hoping other industries will follow suit and use smart card technology like DoD.
“It’s a business decision,” Youst said. Companies have to decide: “Is it worth it to add that additional cost in the production line” to meet government standards.
When it comes to supporting CAC cards for mobile devices, “a lot of us are finding it hard to apply that particular technology outside just the DoD,” said Tom Simmons, area vice president for Citrix U.S. Public Sector. “We don’t see a lot of private-sector companies that embrace CAC authentication for mobile.”
Citrix has a software solution that allows mobile users to securely access documents and office apps from any device. It allows DoD to enforce the use of CAC cards, but DoD is now exploring alternatives to using the physical card.
“As we build business cases to support these kinds of standards and certifications, a good portion of the business case is based on how we can repeat that or apply that technology to the private sector,” Simmons said.