How Obama might get his way on BlackBerry

Security experts reveal what pitfalls he may be underestimating.

Naysayers aside, President-elect Obama appears determined to take office Tuesday with his BlackBerry — or at least some PDA — firmly in hand. Here's how experts say he might pull it off — and what pitfalls he may be underestimating.

The Presidential Records Act requires retention of the bulk of documents generated by the president for public review at a later date, so any message Obama creates with his BlackBerry would have to be retained and stored, subject to scrutiny in the future. But the larger problem is that the BlackBerry is unlikely to get the nod as the presidential wireless handheld from the National Security Agency (NSA) or other federal entities with a traditional oversight role in top-secret communications security, according to experts.

"The most significant issue here is security," says Randy Sabett, partner at Washington-based law firm Sonnenschein, Nath & Rosenthal LLP. "The number one target of anyone anywhere in the world would be the e-mail communications of the most powerful man in the world, the president of the United States." Sabett, who has worked at the NSA, says that "nation-states, terrorist organizations and criminal gangs" could all be expected to be trying to break into a president's BlackBerry.

There is a version of the BlackBerry that uses AES-256 encryption, which has been approved by the Defense Department for sensitive communications. Research in Motion, maker of the BlackBerry, points to a number of government and third-party security certifications as evidence that its key-management system is secure.

A November 2008 certification by the Fraunhofer Institute for Secure Information technology in Germany, for example, gave a positive evaluation to the BlackBerry's use of cryptographic algorithms and life-cycle management of shared secrets or keys and passwords.

But for top-secret communications, the NSA has a history of turning to select manufacturers for custom-designed equipment. These include the high-security STU-III phones or the more recent Secure Mobile Environment/Portable Electronic Device program under which General Dynamics built the Sectera Edge smartphone and PDA.

This Sectera is compliant with what's called the Secure Communications Interoperability Protocol and the High Assurance Internet Protocol Encryptor Interoperability Specification for secure interoperability with in-line encryption devices used on the government's Secure Internet Router Network (SIPRnet).

L-3 Communications has also built an SME PDE-style PDA called the Guardian, which is undergoing certification.

But use of any PDA smartphone remains problematic for a president.

Smartphones are programmable devices and "local devices are increasingly vulnerable to attacks by injecting hostile software onto the device," says Phil Zimmermann, a fellow at the Stanford Law School's Center for Internet and Society, and creator in 1991 of Pretty Good Privacy (PGP), the public-key encryption and authentication system.

"If that code can gain control of the device, it could take such actions as activate the microphone, record his conversations and then transmit them somewhere," Zimmermann says. "You're being ratted out by the device in your pocket."

Potentially, the device could even "rat out" your location, he adds, because many smartphones provide highly accurate GPS capabilities.

While a simple BlackBerry for the president may not get the thumbs-up from the NSA, Obama should not necessarily consider this the final word, says security expert Bruce Schneier.

"Look, he can decide to paint the White House blue if he wants," Schneier says. "The Internet is the greatest generation gap since rock and roll. . . . The NSA will tell you the risks, but they will never say here's what the benefits are." Obama might be so productive and effective with a BlackBerry or other PDA, it would outweigh the risks.

But Schneier also acknowledges the risk of hacking the presidential PDA is high and in any event, it is not possible to have absolute certainty that e-mail actually came from Obama.

"No encryption program solves that," says Schneier.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags BlackberryBarack Obama

More about 3Com Australia3Com AustraliaACTAES EnvironmentalAMPBlackBerryCreatorGartnerGeneral DynamicsMotionNational Security AgencyNSAPGPRockStanford Law SchoolVIA

Show Comments
[]