NSA approves Samsung and Boeing mobile devices for employee use

As part of the NSA's program to certify commercial off-the-shelf technology for use inside the agency, mobile devices from Samsung and Boeing have been cleared for use by NSA employees.

This move by the NSA is part of its Commercial Solutions for Classified program (CSfC) to enable government use of the same products that we in the private sector enjoy, rather than specially engineered government-only products that are often feature-poor, slow to market and expensive.

Samsung's products include the Galaxy S4/S5, Galaxy S5 with KNOX, Galaxy Note 3, Galaxy Note 10.1 2014 Edition, Galaxy Note 10.1 2014 Edition with KNOX 2, Galaxy Note Edge with KNOX 2, Galaxy Tab S 8.4 and 10.5 LTE with KNOX 2, and the Galaxy Alpha with KNOX 2. For Samsung, Knox provides the added security features key to making the grade in the CSfC program.

Boeing's offering, which is not commercially available, is the Boeing Black smartphone. Sold only to government agencies and contractors working with government agencies, the Black smartphone is a sealed, tamper-proof device.

The heightened level of security built into both product lines comes at a time when the world has seen a significant rise in cyberattacks on the Android OS. For example, a recent FireEye Mobility Security Team study of the top 1,000 most downloaded free Android apps found that 68 percent were susceptible to Man-in-the-Middle (MITM) attacks and contained one or more SSL vulnerabilities.

John Morrison, senior director, Samsung Research America, says "the CSfC Program really stretches the boundaries of high security on mobility." He adds that "the innovation driven by the U.S. government results in more secure products in private sector hands."

For these products to be certified, the vendors must satisfy stringent security requirements. For example, the devices must generate asymmetric cryptographic keys used for key establishment and authentication; perform encryption/decryption in accordance with a specified cryptographic algorithm; perform cryptographic hashing in accordance with a specified cryptographic algorithm and message digest size; and restrict the ability to configure policies for passwords, session locking, device enabling/disabling, application installation and VPN protection, or to specify wireless networks.

A key example of the security issues surrounding BYOD smartphones and tablets is the camera that most have. Morrison says, "The issue for various government and commercial entities is that they have unique missions and therefore require customization or a different configuration for the devices they want to use. For example, while many commercial work sites permit cameras to be available for use, there are many sites, both government and commercial, where the CAMERA MUST ALWAYS BE OFF."

He went on to explain that some sites require cameras to be off in certain locations and/or at certain times. Issues like this drove the need for government, as well as many commercial users, to have customizable security settings, and they are why Knox has over five hundred programming interfaces that a Mobile Device Management (MDM) system can configure.

Final thoughts

Of course, all of this new-found ability to protect the intelligence community and the military, as well as the rest of us in the private sector, comes with a catch: the available mobile security features must be invoked and managed. Otherwise, systems remain at risk, much like those of the many users who install antivirus software but fail to keep both the signature files and the program itself up to date.

Stories by Dirk A. D. Smith
