Security concerns suppress Pentagon's appetite for wireless devices

The U.S. military wants to go wireless. It wants handheld devices to replace desktop computers, it wants information available for troops "anywhere, on any device anytime," it wants employees to telework, and it wants to do this all with commercial products.

But it also wants security. And for now, the lack of military-grade security for smart phones, iPads, tablets and other mobile devices is the biggest impediment to a wholehearted embrace of mobile computing, military officials told a gathering of technology vendors Thursday.

"Security -- I can't stress that enough," said Robert Carey, the Defense Department's deputy chief information officer. And today, the security provided in commercially available mobile devices simply doesn't meet military requirements, he said. That's why the military limits the use of many mobile devices, such as Apple iPads, and services such as social networking.

"Operational security comes first," Carey said.

When Marine Corps pilots wanted to load digital maps into iPads and Kindle devices so they could get rid of bulky briefcases full of paper maps, the Corps said no, Brig. Gen. Kevin Nally, the Corps' CIO, recalled.

The pilots pushed back, demonstrating how they could Velcro the devices to their thighs for quicker, easier access to maps in flight. The Corps finally relented, but forbade connecting the devices to aircraft communications networks -- for security reasons, Nally explained.

Before they're approved for use by the military, smart phones and other mobile computers must undergo testing for security and win approval from the National Security Agency. That can take up to 18 months, by which time some of the devices might be obsolete, military officials said.

There signs that the military is making an effort to adapt to commercial technology standards. "We have moved away from saying 'Hell, no,' to just saying 'no,' " said Troy Lange, chief of the cryptographic products engineering office at the NSA. But "we really have to move to the culture of saying 'How?' "

The reason is clear to military members who want to use new technology.

"Technology is moving so fast. We used to drive the train, but now that train's driving us and we're just trying to hang on," said Col. Scott Moser, CIO of the Army National Guard.

"In five years, the desktop will be a dinosaur," he said. But it's not clear yet that the military will be comfortable securitywise with whatever replaces it.

The military services need industry's help, Moser and other Defense speakers told technology company representatives at the Armed Forces Electronics and Communications Association's Next-Gen Mobile Technologies Symposium.

But the Pentagon is a demanding customer. For example, it wants mobile computing devices that will accommodate Common Access Cards, employ NSA-level data encryption and provide other security measures.

Industry representatives say the military might be asking for too much. Big as it is, the Defense Department is a relatively small customer compared to the vast sea of ordinary consumers in the marketplace for smart phones, handheld computers and similar devices. The military simply doesn't have the buying power to demand significant changes in commercially produced devices, vendors said.

Beyond that, protracted defense procurement process -- it can take 81 months for the Pentagon to decide what it wants and then complete the procedures to buy it -- is ill-suited to technology that refreshes every six to 18 months, they said.

"We would love to help you out," a company official said. But if the military wants handheld devices that include, say, a Common Access Card reader, Defense must commit to buying a certain number of the devices, and so far that's not happening. Without guarantees of sales volume, it's not economical for companies to build card readers into mass-produced devices because mass market consumers don't want them, he said.

The technology impasse goes beyond military security demands. Some companies have refused to share proprietary information about their operating systems -- information the military needs to determine how the security measures it wants might be included in the technology the companies produce.

In other instances, commercial device operating systems change so fast that by the time the military devises a security solution to a particular system, the system is obsolete and has been abandoned by device makers, an Army official said.

Defense is trying to speed testing of commercial products to address that problem. It also is consulting with other large technology customers that need more secure technology, such as the banking, transportation and aviation industries, according to one department official. Working together, the military and the industries plan to develop a larger, more attractive market for technology companies, he said.