The inherent insecurity of wireless devices is now a matter of national security. John Stenbit, the Pentagon's CIO, said this week that he plans to issue new policy guidelines that will ban most, if not all, wireless devices within military installations.
The change in policy comes only months after Computerworld first reported the results of wireless security audits at major US airlines and the facility housing the US Defense Department's global network operations centre.
Pentagon officials fear that the latest generation of wireless devices, including cellphones and two-way pagers, can be used as eavesdropping devices during classified meetings. Military facilities and offices that are used for highly classified meetings are already routinely scanned for listening devices.
However, military officials acknowledged that with the growing use of personal wireless communications systems, security audits increasingly find military officers attending meetings in classified office spaces with these devices on their person, creating the potential for adversaries to turn the devices into crude eavesdropping systems.
Devices such as cellphones have long been banned from facilities known as Sensitive Compartmented Information Facilities. In fact, all military personnel who are granted top secret security clearances are required to attend an indoctrination briefing on the growing list of threats posed by electronic devices. However, the new Pentagon policy extends the wireless ban to the majority of office spaces where sensitive but unclassified information may be discussed. It also builds upon a larger government policy of using the government's purchasing power as a market driver to get the IT industry to improve the security of its products if it wants to sell into the government.
"Why is it that companies have sold products that they know are insecure?" asks Richard Clarke, President Bush's chief cybersecurity adviser. "And why is it that people have bought them? We should all shut [wireless LANs] off until the technology gets better."
Steven Aftergood, a defence analyst at the Federation of American Scientists in Washington, says the policy change makes perfect sense for a high-risk environment such as the military.
"People get accustomed to using nifty products that are extremely useful in other parts of their lives, such as cellphones, wireless internet connections and all kinds of recording devices," says Aftergood. "And it's easy to forget that these are inappropriate in a secure environment."
In May, a wireless security expert managed to detect the nonsecure wireless LAN at the Defense Information Systems Agency (DISA) in Arlington, Virginia. While parked across the street from DISA's headquarters, the security expert was able to view the Service Set Identifier numbers of access points and numerous IP addresses. Using a standard 802.11b wireless LAN card attached to his laptop computer and access point detection software from San Diego-based NetStumbler.com, he was able to scan the network in less than half an hour.
Some airlines also pulled the plug earlier this year on their wireless bag checking systems after auditors managed to hack their way into sensitive back-end systems, such as the passenger manifest and aircraft maintenance systems.