Apple and Google Make the Department of Defense Jump Through Hoops for Mobile Device Security

Despite the unseasonably cold weather, I participated in a mobile security event yesterday at the historic Willard hotel in Washington DC. I set the stage and presented a bunch of ESG Research data on mobile device use, security, and management. Other organizations presenting included the Defense Information Systems Agency (DISA), the Nuclear Regulatory Commission (NRC), the US Patent and Trademark Office, and Juniper Networks.It turns out that DISA is doing some very interesting things around mobile computing. For example, members of the US military can access an information portal called Defense Knowledge Online from their mobile phones. DISA also talked about a program called Go Mobile meant to provide numerous communications, training, and collaboration applications to mobile soldiers. Since we are talking about the US Department of Defense, mobile device security is a critical requirement for this program so Go Mobile includes user authentication, secure data storage and transfer, secure device management, etc. Initially Go Mobile was build for Blackberry devices but DISA is now adding support for Apple iPhones and Google Android phones because of high demand from users. Unfortunately, adding iPhone and Android support is more difficult than DISA anticipated. Why? Because both Apple and Google refuse to give DISA access to their security APIs so DISA had to do a series of workarounds to meet its security requirements. For example, DISA had to add an external Bluetooth device to provide secure personal networking capabilities because Apple wouldn’t provide API access to its iPhone security stack. Hold the phone here! Apple and Google aren’t willing to provide additional technical support to the United States Department of Defense? Nope. One person I spoke with from DOD said that Apple flat out refused to play ball, telling DOD to “talk to our integrators and carriers.” I understand that Apple and Google want to control their technology. If Citi or GE asked for API access, perhaps it would make technical sense to refuse but we are talking about the Department of Defense here. Apple and Google have a market advantage and they know it — Androids and iPhones are so popular that Apple and Google can thumb their noses at DOD. In most cases, DOD would exercise cyber supply chain security best practice and refuse to purchase insecure Android or iPhones at all. The fact that DOD is going the extra mile and developing workarounds demonstrates that it is willing to do the right thing for American troops in spite of this lack of industry cooperation. It seems to me that Apple and Google are making self-centered bad decisions here that won’t play well with the American public. Clearly, Apple and Google should re-think these myopic and selfish policies. Providing API access to DOD is the patriotic and morale thing to do, especially since DOD is opening the door to lots of sales opportunities for both companies.