Analysis: Obama can't have a BlackBerry. Should your CEO?

The press has been all over President-elect Barack Obama's addiction to his BlackBerry and the possibility that he might have to give up the device for reasons of national security. But no one in the media seems to be asking the most logical follow-up question: Is the technology that can compromise the future chief executive's BlackBerry also a threat to mobile devices being used every day by thousands of senior executives in corporate America?

One security expert, Ron Cochoran, president of RER Technology, answers that question quite succinctly: "If the president can't use it for security reasons, then there's obviously something wrong with the security system."


The prohibition against BlackBerries in the White House actually started with President George W. Bush's administration. "We made a judgment call prior to Sept. 11, 2001, that people in the White House could not use a BlackBerry," recalls Joe Hagin, who served as deputy chief of staff for operations for seven years and is now the CEO of Jet Support Services Inc., an aircraft-leasing company.

Ironically, the Bush White House suspended that policy for some staffers after those terrorist attacks. "On Sept. 11, we had tremendous communications challenges, while people on the Hill [Congress] had communications [through their mobile devices]. I made the decision that we couldn't operate without them. We bought 200, then 400, and finally about 600. They are common around the executive branch, and more than just BlackBerries."

But users of the White House mobile devices are restricted in what they can do, to reduce the chance of cyberespionage. Global Positioning System capability is disabled, no one is permitted to transmit classified data over an unsecured device, and mobile devices can't be used overseas where the local networks are often vulnerable, Hagin says. As Hagin knows firsthand, there are many highly sophisticated tools available on the cheap and sold online that could compromise a government or a corporation.

Economic and national security at stake

While the consensus among the security experts whom InfoWorld consulted is that no system is 100% secure, they also agree that wireless technology is inherently less secure than a wired desktop behind a firewall. But even desktop-based communication systems may face more risk of their information being snooped once e-mails, instant messages and so on leave your network.

So, what's at stake when your execs are using wireless devices such as smart phones and laptops, or are working at home or in a coffee shop on their laptops? As it turns out, far more than a CEO's contact list and calendar. On the line, say the experts, are billions of dollars in proprietary intellectual property and the maintenance of a continuous flow of capital, the lifeblood of business. Not to mention the fact that as private industry supplies more and more services to the government, the infrastructure that directly affects our national security is at risk.

U.S. business is already under cyberattack, say two security experts who served on a congressionally sponsored study being conducted by the Center for Strategic and International Studies (CSIS) to give recommendations to the next president regarding U.S. cybersecurity.

The Threats Working Group, part of the Commission on Cyber Security for the 44th Presidency, issued its final report this week, with some startling insights into the depth and breadth of that threat.

Tom Kellerman, chairman of the Threats Working Group and vice president of security awareness at Core Security Technologies, says the U.S. government has identified more than 100 countries that use military-level technologies to help their companies gain a competitive advantage. "Many of these countries endow [their] national corporations with cyberespionage capabilities so as to steal intellectual property for the sake of economic advantage," he says.

The plain and simple fact is that technology is completely interwoven into how government and corporations operate, says Amit Yoran, another member of the Threats Working Group and a former director of the National Cyber Security Division of the U.S. Department of Homeland Security. That technology -- communications technology, in this case -- is thus a key vector into discovering, and perhaps even manipulating, the information behind key industries. Protecting those industries' competitiveness is a key part of a country's national interest, he adds.

The communications revolution that lets people work almost anywhere and share information across public and private networks has helped many businesses be more agile as barriers to knowledge work are removed. But this "de-perimeterization of business" also means there are no borders that can be defended, says Phillip Dunkelberger, president and CEO of PGP Corp., a point-to-point encryption vendor.

Private enterprise needs to meet the de-perimeterization security challenge with security systems as sophisticated as what cyberthieves use because cyberattacks can now do tremendous damage -- including taking down utility companies and banks and rendering them unable to distribute electricity or move money.

The Threats Working Group's Yoran says we need to think of our computer network as an aquatic environment. If you don't protect the entire aquatic ecosystem, you don't stand a chance of protecting the integrity of your own data inside it, he says.

Mobile is the least secure medium

Although the de-perimeterization risk affects all methods of electronic communications, mobile communications are most at risk, Dunkelberger says, because of their very architecture.

One reason for mobile technology's higher risk has to do with the stability of the desktop environment versus the ever-changing designs of mobile devices, says John Pescatore, an analyst at Gartner Inc. and a former member of the U.S. Secret Service. The hardware for the PC hasn't really changed much in 20 years, so security experts have had the time they needed to develop systems that are highly secure. At many businesses, the only system that security administrators have to worry about is a Windows-based PC, and having just one platform to focus on makes it much easier to manage potential threats, he notes. By comparison, the vast majority of mobile devices have unique, proprietary hardware and their own set of operating systems.

In the mobile world, "the BlackBerry and the iPhone are the closest examples we have to a controlled platform," Pescatore notes. That control is good, he says, adding, "RIM and Apple build both the hardware and software, making them the most secure handheld platforms."

Pescatore says Research In Motion Ltd.'s BlackBerry is the safest device to use for e-mail, as long as users also deploy strict policies for encryption of mail over the air. He also says that while the iPhone isn't yet as secure as the BlackBerry, it could be made just as secure if Apple Inc. chooses to make it so.

But even with the BlackBerry and iPhone's advantages, several security experts aren't sanguine about the use of handhelds to carry sensitive data.

Encryption, or lack of it, is perhaps one of the main reasons mobile devices have what PGP's Dunkelberger calls a "higher threat ratio" than desktops. Most information sent in an IM, for example, is in the clear, unless point-to-point encryption is used.

Dan Hoffman, chief technology officer of security vendor SMobile Systems, says that if he is given access to a mobile device, perhaps left behind in a hotel room or at a meeting, he can pull data off that device in about 34 seconds and at the same time install Trojan horse malware.

One such hacker tool, called CSI (Cell Seizure Instigator), automatically downloads everything on the device. It is legal and can be purchased on the Internet for about $200.

Another mobile spy tool out of Bangkok, called FlexiSpy, can do a lot more than monitor cheating spouses, which is what it is marketed for. Once installed on a mobile device, FlexiSpy can intercept every e-mail and SMS message, track where a person is and -- most dramatic of all -- listen to conversations without the user ever being able to detect that the microphone is turned on, says Hoffman.

Imagine the president at a cabinet meeting or an executive at a board meeting putting his mobile device down on the conference table and not being aware that every word is being heard, at least as long as the perpetrator doesn't say something like, "Can you speak up?"

The security experts whom InfoWorld consulted say that many senior execs -- not just President-elect Obama -- should be very cautious about when they use their BlackBerries, at least until better wireless and device security is available. Perhaps they should just give them up, suggests Kellerman. "Is it that important to use your 'CrackBerrys' when you know you can't maintain the ultimate control of that device?" Kellerman asks.

"Mobility is a double-edged sword that most executives don't want to acknowledge. There is a culture of deniability," adds Yoran.

Risks beyond mobile: Crossing national boundaries or using the cloud

Dunkelberger says you should accept the fact that if you are sending data across national boundaries -- such as designing products in one country and building them in another -- governments and competitors can read the proprietary data you may be sending back and forth unless you are using point-to-point encryption. This is true for desktop and wired communication -- not just for wireless or mobile devices.

The increasingly popular cloud-computing option is also risky, Dunkelberger says. The technology is a boon to de-perimeterized executives who want to access corporate applications outside the firewall, but that means sensitive data also lives outside the firewall, beyond your control. If your company uses SaaS (software as a service) or other cloud-type offering, you should ask the service provider how it secures its applications when federated across 50 different systems, Dunkelberger advises. "Do not put [intellectual property] on a SaaS service," he warns.

Traditional Web security products and services filter URLs and can inspect malicious files on downloadable objects. However, Web sites now often stream AJAX-based and other Web applications that launch without user interaction. Most security software checks the file only after it has been downloaded; such software does not protect against malicious code running in the cloud.

"Security professionals should look at security in the cloud and specifically Web security in the cloud, which is critical to being able to protect users on the Web when they leave the office perimeter and access the Web in hotels, airports, at home, or in the office on laptop and mobile device," says Paul Judge, CTO at Purewire Inc., a Web SaaS company.

The more hops that data travels, the greater the risk of it being intercepted, say most security experts. And you may be surprised how many hops data travels. You can use a Unix utility called TraceRoute to track the route taken by packets across an IP network. In one quick test, going from one computer to CNN.com took 12 hops -- each a potential entry point to cyberthieves.

According to Core Security's Kellerman, a huge number of hacking programs is available for electronic espionage. "It is a regular arms bazaar," he says. "It's like the Dark Ages with mercenaries for hire."

Both organized crime gangs and sovereign nations have made a business of stealing intellectual property, such as trade secrets, by conducting cyberespionage. Such espionage is worth hundreds of billions of dollars in business, and unsurprisingly, major criminal syndicates from the Chinese Triad to the Russian mafia are heavily involved in hacking, says Kellerman. Even the Brazilian drug underworld is getting involved because, as it turns out, it is easier and safer to hack a system and sell the information than it is to grow, process and distribute cocaine. And cyberespionage is more profitable as well.

The result, Kellerman says: "We are hemorrhaging data."

The answer -- in addition to rethinking what information you make available through unsecure devices and networks in the first place -- is to get real about which of your security systems are actually working as they should, he says. It's not just about having a firewall or a virus scanner, but vetting, assessing, assuring and testing to demonstrate that they are functioning. "In other words," Kellerman says, "make sure that your dogs bark."

This story, "Analysis: Obama can't have a BlackBerry. Should your CEO?" was originally published by InfoWorld.

Copyright © 2008 IDG Communications, Inc.

  