When it comes to wireless security, the federal government is under close watch.
The CIA and National Security Agency have been drilled with questions about their supposed global electronic surveillance system, known by the code name Echelon. The United states, United Kingdom, Canada, Australia and New Zealand can presumably intercept satellite, microwave, cellular and fiber optic communications around the world, run them through data warehouses and gather and read private information almost at will.
In May, just weeks after a European Parliament committee hearing on Echelon, the U.S. government released its annual wiretap report. In 2000, sixty percent of the 1,190 wiretaps authorized by federal and state governments were for wireless devices such as mobile phones and pagers.
But the headlines have overshadowed the work that some in the federal government are doing to ensure wireless security. A cadre of federal employees is actually striving to make wireless communications more secure. Certainly enterprises can stand to learn a thing or two from them.
James Craft bears the unwieldy titles of information systems security officer for the U.S. Agency for International Development and chair of the Security Practices Subcommittee of the Federal CIO Council. While Craft says he is as focused on strategic best practices and leadership initiatives as he is on keeping hackers out of mobile phones, he clearly has a passion for wireless security.
"Mobile computing will change work habits as radically as personal computers did," said Craft in a recent presentation. But with any revolution comes headaches. "Control of the environment will be the security manager's nightmare."
In three years there will be more than 800 million wireless data users in the world, according to research firm Gartner, and executives must act now to ensure that employees have wireless access to national networks, corporate servers and each other--secure wireless access, that is.
While Craft hasn't encountered any serious wireless enterprise break-ins or hacks, that doesn't mean they can't happen--or aren't happening already. Nation states are known to intercept transmissions and even pass on intelligence to national industries, he says. If wireless spying is happening at opposite ends of the organizational spectrum, it's only logical to conclude that it's happening in the middle.
Craft describes the kinds of threats enterprises must be wary of; every current danger exists for wireless systems, but they will take new forms:
Social Engineering."If you've got 50 million users out there, someone will find out that all they have to do is call you and say, 'I need your password. I'm a systems administrator with Sprint, and we've received a trouble report."
Hostile Code.Cell phone viruses are an emerging problem.
Electronic Warfare. Craft describes a Venn diagram with one circle representing a network's RF or wireless vulnerabilities and an adjacent circle representing computer vulnerabilities. Managers concerned about such security issues as denial of service must zero in on where they overlap, right? Wrong. They need to be worried about the entirety of both circles, he says without a trace of facetiousness.
Craft recounts the state police force that was pilot testing VoIP technology for wireless communications. He realized that if he had all the server addresses, he could flood the network with packets using a low-power walkie-talkie, since the servers were secured to guard against standard RF attacks.
The Swipe and the Switch. If your Palm were switched with an almost identical one, how soon would you know? What would be lost? In many cases, hardware protection is based on a human being, not on devices or applications.
Exploiting the Boundaries. The most vulnerable parts of your wireless enterprise are the spots where different networks connect. "It's the boundary between two different types of regimens that is the problem," Craft adds.
In fact, he argues that relying on any given wireless protocol to safeguard your corporate intelligence creates a possible opening for criminals. Many security features and standards currently in use were added as an afterthought to existing wireless protocols, he notes.
Craft urges managers to carefully examine different protocols and to never confuse security features of one standard with another. "When you have environments that bridge different technologies or depend on different protocols, every weakness is another weakness," he adds. With too many protocols, you invite hackers to "pick their hole du jour."
Finally, Craft hints that the most important piece of any company's security infrastructure is the one that is most often overlooked: its people. All the encryption applications on earth are not going to stop an underpaid, overworked employee from bolting to your competitor with a Palm full of sales data. For Craft, leadership in any area, including wireless security, begins by creating a culture of integrity and loyalty--a refreshing outlook for someone who works for the federal government.