How Obama might get his way on BlackBerry

From: Paul E. Niedermeyer <p..._at_pn.com>
Date: Sat, 17 Jan 2009 18:20:02 -0500

How Obama might get his way on BlackBerry

By Ellen Messmer and John Cox , Network World , 01/15/2009
Sponsored by:

Naysayers aside, President-elect Obama appears determined to take office
Tuesday with his BlackBerry -- or at least some PDA -- firmly in hand.
Here's how experts say he might pull it off - and what pitfalls he may be
underestimating.

The Presidential Records Act requires retention of the bulk of documents
generated by the president for public review at a later date, so any message
Obama creates with his BlackBerry would have to be retained and stored,
subject to scrutiny in the future. But the larger problem is that the
BlackBerry is unlikely to get the nod as the presidential wireless handheld
from the National Security Agency (NSA) or other federal entities with a
traditional oversight role in top-secret communications security, according
to experts.

"The most significant issue here is security," says Randy Sabett, partner at
Washington-based law firm Sonnenschein, Nath & Rosenthal LLP. "The number
one target of anyone anywhere in the world would be the e-mail
communications of the most powerful man in the world, the president of the
United States." Sabett, who has worked at the NSA, says that "nation-states,
terrorist organizations and criminal gangs" could all be expected to be
trying to break into a president's BlackBerry.

There is a version of the BlackBerry that uses AES-256 encryption, which has
been approved by the Defense Department for sensitive communications.
Research in Motion, maker of the BlackBerry, points to a number of
government and third-party security certifications as evidence that its
key-management system is secure.

Related Content

How to build a presidential PDA
Click to see: How to build a presidential PDA

A November 2008 certification by the Fraunhofer Institute for Secure
Information technology in Germany, for example, gave a positive evaluation
to the BlackBerry's use of cryptographic algorithms and life-cycle
management of shared secrets or keys and passwords.

But for top-secret communications, the NSA has a history of turning to
select manufacturers for custom-designed equipment. These include the
high-security STU-III phones or the more recent Secure Mobile
Environment/Portable Electronic Device program under which General Dynamics
built the Sectera Edge smartphone and PDA.

This Sectera is compliant with what's called the Secure Communications
Interoperability Protocol and the High Assurance Internet Protocol Encryptor
Interoperability Specification for secure interoperability with in-line
encryption devices used on the government's Secure Internet Router Network
(SIPRnet).

L-3 Communications has also built an SME PDE-style PDA called the Guardian,
which is undergoing certification.

But use of any PDA smartphone remains problematic for a president.

Smartphones are programmable devices and "local devices are increasingly
vulnerable to attacks by injecting hostile software onto the device," says
Phil Zimmermann, a fellow at the Stanford Law School's Center for Internet
and Society, and creator in 1991 of Pretty Good Privacy (PGP), the
public-key encryption and authentication system.

"If that code can gain control of the device, it could take such actions as
activate the microphone, record his conversations and then transmit them
somewhere," Zimmermann says. "You're being ratted out by the device in your
pocket."
Potentially, the device could even "rat out" your location, he adds, because
many smartphones provide highly accurate GPS capabilities.

Related Content

While a simple BlackBerry for the president may not get the thumbs-up from
the NSA, Obama should not necessarily consider this the final word, says
security expert Bruce Schneier.

"Look, he can decide to paint the White House blue if he wants," Schneier
says. "The Internet is the greatest generation gap since rock and roll. . .
. The NSA will tell you the risks, but they will never say here's what the
benefits are." Obama might be so productive and effective with a BlackBerry
or other PDA, it would outweigh the risks.

But Schneier also acknowledges the risk of hacking the presidential PDA is
high and in any event, it is not possible to have absolute certainty that
e-mail actually came from Obama.

"No encryption program solves that," says Schneier.

Gartner analyst John Pescatore, whose background includes working with the
Secret Service, says NSA-approved devices like Sectera would be secure
enough for use in a closed system, but the problem is switching to
unclassified mode to use the Internet.

"Internet e-mail is totally unacceptable for a president to use," Pescatore
says. "There is no strong authentication -- how can anyone prove an e-mail
came from the president? There is no integrity -- how can anyone prove the
content wasn't changed?"

Use of something like the PGP public-key infrastructure could help the
president communicate with others in a larger closed system, says Pescatore,
"But that doesn't stop anyone from forwarding an e-mail from him outside
that closed loop."

Pescatore says he would also be concerned that any wireless device might act
as a radio-frequency beacon to reveal the president's location.

The other challenge -- the legal requirement under the Presidential Records
Act that a president store all documents in order to make them available to
the public in the future -- is also a factor Obama and his team must
consider.

Most legal experts and scholars say there's nothing in the Presidential
Records Act to prevent use of e-mail.

"What it does do," says Dickinson College political-science professor Andrew
Rudalevige, "is make every presidential e-mail a public record and thus
something -- unless classified for other reasons, such as national security
-- will be released via the presidential library system."

Records are typically deemed "open" 12 years after the president leaves
office, but can be opened by presidential consent, by the Freedom of
Information Act or subpoena before then, he adds.

However, current law doesn't require presidential phone calls to be
recorded, though they have to be logged.

So, between the Presidential Records Act and the threat of PDA hacking,
presidents have some good reasons to avoid e-mail, Rudalevige notes.
Received on Sat Mar 02 2024 - 00:57:22 CST