The US Office of the Secretary of Defense has issued a memorandum that prohibits the use of many types of wireless technologies in the Pentagon and much of the U.S. Army, Navy and Air Force until the military has developed a wireless security strategy, which it expects to do with assistance from the National Security Agency.
John Stenbit, assistant secretary of Defense for Command Control and Communications and the Defense Department's chief information officer, signed the memorandum along with the OSD's acting director of administration and management, Howard Becker. Attached to the memo, which pertains to use of wireless in the military's IT networks, is a document entitled "Pentagon Area Common Information Technology Wireless Security Policy." The document elaborates on the dangers of wireless to network security and the steps the Penatgon and its service branches are taking to come to grips with it. The decision on wireless had been expected for several months.
Because wireless technologies, particularly wireless LANs, bring with them new ways to break into networks, the Pentagon has decided to prohibit the connecting of wireless devices to a classified network or computer, the document states.
Use of some types of wireless devices will be allowed for unclassified data only. These devices would include cellular telephones and personal digital assistants "in areas where unclassified information is electronically stored, processed or transmitted." In addition, according to the document, "they would also be allowed in areas where unclassified information is stored" and "when there is a documented operational need."
The Penatgon's wireless security policy document specifically notes that the prohibitions on wireless do not pertain to "land mobile, emergency, and tactical radios and one-way receive-only devices."
"Given the exploitable vulnerabilities inherent in current wireless products and technologies and the interdependence of Defense and Pentagon networks, it is essential and expected that all tenants will strictly adhere to this policy," Stenbit stated in the Sept. 25 memo. Stenbit notes that the OSD has asked the National Security Agency to "develop a Wireless Technology Vulnerabilities Database" for the Defense Department.
The document released by the Defense Department establishes a policy, definitions and responsibilities to eliminate vulnerabilities associated with wireless technologies, with the expectation of an annual review of the policy.
It reiterates standing notions of security for voice, data and video, network servers, LANs and telecommunications, noting that all need to protect against intrusion, disabling and failure to authenticate users. A particular goal is to ensure that user authentication of Defense Department information transferred via wireless computing devices takes place and to ensure that there will be no adverse impact to critical Defense Department operations if wireless computing devices and supporting infrastructure are rendered inoperable.
The document recommends that military's "network-capable, wireless computing devices" use security mechanisms that include password protection or authentication based on public-key certificates or biometrics, among other technologies. In addition, wireless devices must conform to Defense Department guidelines for intrusion detection, auditing, monitoring, encryption and virus protection.
The document points to concerns that wireless LANs and other types of wireless technologies may enable remote eavesdropping and unauthorized entry into Pentagon systems if not used with the appropriate security.
The Pentagon wireless security document asks defense agencies to record and gain certification for any wireless information systems they use, and to conduct an audit to detect unauthorized wireless information systems.