Thursday, January 8, 2009

Obama's Blackberry Security - we should be ashamed

There are plenty of reasons why President-elect Barack Obama is being advised to give up his BlackBerry. I fully understand the issues surrounding presidential records, but I think the security issues are just FUD.

Are we really, as IT and security professionals, saying that the President's BlackBerry can't be secured? Are we saying that the best minds available can't find a way to ensure that the President can securely communicate? Are we also saying that we can't place filters and rules on the mail server to ensure that certain documents and messages don't get sent to the BlackBerry?

Are we, as a group, giving up on the security of that device?

Are we giving up on message security in general?

And what are we giving up?

We are potentially giving up a chance to have a president that is connected. A president that can get beyond the White House bubble that has insulated too many presidents. We are potentially giving up having a president that can truly understand the reality of life in America post "GWB, Inc." The biggest lesson we should learn from the last administration is that an insulated, out-of-touch President is a bad thing. Bad ideas, bad decisions, bad consequences.

If we are giving up on this effort, then I am ashamed to be a member of the community.

What does giving up say about the state of the industry?

And what does it say about the security of modern electronic communication? Should we really be promoting the use of smart phones and other devices for federal leaders? Should we be relying so heavily on devices that we really don't trust?

We need to look long and hard at this.


  1. I don't feel that this is a technical controls issue. All the controls are available and given the right process these devices can be secured. The problem that I see with this is that people will make mistakes and 'forget' to update the software, read the fine manuals, etc. My concern is will the people entrusted to secure these devices at the highest levels do their jobs without roadblocks (i.e. the typical politics that always seem to slow down the security process).

  2. This is somewhat naive. There is already support in government for secure handhelds that can deal with secret and top secret (non-classified) communication (I think General Dynamics makes it and, ugh, based on Windows Mobile).

    There are two issues:

    FIA- The Freedom and Information Act does make certain communications discoverable by the public and the press. I think if the user is smart in the way the tool is used, it's easier to deal with. i.e. don't do classified or secret stuff on your handheld!

    Security- BlackBerry emails have two-prong encryption and gaps in the middle. The message is encrypted from handheld to BlackBerry Datacenter servers, decrypted, re-encrypted and then sent to the back-end server (Exchange/Notes) and then the reverse. This is a simplified view. That decryption/encryption gap in the middle takes place OUTSIDE the borders of the United States. A handheld that makes its communications security directly with a back-end server like Windows Mobile-Exchange is done, is a better solution in this case. It doesn't mean the implementation is the best, most user friendly in the world but it mitigates the potential national security hole.

    Overall, I would prefer that the President would have a laptop in the Oval office that he can use for all the research and keeping in touch with the world. Within the walls of the White House it's got a better chance of securing.

    GWB being out of touch is crap. Like him or not, agree with him or not, (I think there were mistakes made for sure) his out of touchness did not govern him, but rather his core principles. The interpretation or implementation of those principles are subject to criticism for sure.