The government’s near-total dependence on consumer Commercial Off-The-Shelf (COTS) products and technology to address complex mobility requirements underscores the need for a more robust and secure alternative.

COTS

Commercial Off-The-Shelf (COTS) solutions, while beneficial in many contexts, often fall short of meeting the stringent security needs of government agencies. It’s helpful to define precisely what COTS really means as it relates to mobile technology. I have had conversations with peers across industry, government, academia, and a Federally Funded Research and Development Center (FFRDC) for decades now about the proper definition. I posit that if the device and its component parts (hardware, software, firmware, etc.) require significant customization or augmentation, then by definition this solution ought not to be considered “COTS.” A more accurate moniker would be “GOTS” (Government Off-The-Shelf).

MDM Market

One has only to look at the robust market that quickly developed for enterprise management of devices – Mobile Device Management (MDM)/Enterprise Mobility Management (EMM)/Unified Endpoint Management (UEM) – to get a taste of the additional customization needed to properly kit, lock down, and deploy devices at scale. Indeed, after the fall of RIM’s iconic BlackBerry device – where arguably much of the management function was handled by centralized IT leveraging RIM’s famous NOC architecture and BES servers – the market for software to help manage devices became very important indeed, culminating in VMware’s purchase of AirWatch for $1.53B.

Even Microsoft, leading with Windows CE and Windows Mobile, began by pointing out that these mobile devices could leverage native Exchange encryption and Exchange ActiveSync (a synchronization protocol with basic device management), as well as another product, System Center Configuration Manager, which was widely used to manage Windows devices. However, Microsoft quickly understood the requirement for additional management, and thus was born the inelegantly named System Center Mobile Device Manager, or SCMDM. On top of this, Microsoft felt the need to fund and stand behind a company named Reality Mobile to work with enterprise and government clients in a white-glove fashion. After the twin 2007 announcements of Apple’s iPhone and the Google Open Handset Alliance, all these efforts by Microsoft were essentially made moot.

Just looking at the device management market alone might prove my point – these devices are hardly ready “off the shelf.” (The anecdotes across the US Federal government alone are legion, including one agency specializing in law enforcement that required all personnel to physically come into the office from the field because over-the-air (OTA) updates were not possible, and because at the time mass-scripting and kitting out of devices mostly had to be done by hand and in person.)

Greater Than COTS

Samsung took a lead position early in what I would define as COTS+. The international consumer behemoth took the position of working very tightly with the government to incorporate many security-focused elements into devices right “out of the box.” Samsung Knox and related technologies, including the later evolution and development of the Galaxy Tactical Edition, tried mightily to incorporate as many security and government-centric elements as possible (including tactical radio waveforms and much more).

All of these are really custom builds based on commercially available products.

Customization

COTS alone is not enough to secure government or large enterprise devices. Here are additional reasons:

  • Customization and Flexibility
    • Limited Customization: COTS solutions are designed to meet the needs of a broad market, which means they may not offer the level of customization required for specific government security needs.
    • Inflexibility: Adapting COTS solutions to fit unique government requirements can be challenging and costly.
  • Security Concerns
    • Generic Security Measures: COTS products typically come with standard security features that may not address the specific threats faced by government agencies.
    • Vulnerability to Exploits: Since COTS solutions are widely used, they can be more attractive targets for hackers. Any discovered vulnerabilities can be exploited across multiple organizations.
  • Compliance and Regulations
    • Regulatory Compliance: Government agencies must comply with strict regulations and standards (e.g., FIPS 140-2/3 for DAR/DIT, NIAP/CC, FedRAMP IL4 and above, CSfC Components Listing, DISA STIGs, etc.). COTS solutions do not meet these requirements out-of-the-box.
    • Data Sovereignty: Ensuring that data is stored and processed in compliance with national security regulations can be difficult with COTS solutions.
  • Supply Chain Risks
    • Supply Chain Integrity: The supply chain for COTS products can be complex and opaque, increasing the risk of introducing compromised components.
    • Dependency on Vendors: Relying on a single vendor for critical security solutions can pose risks if the vendor fails to address security issues promptly.
  • Lifecycle and Support
    • Lifecycle Management: Government systems often have longer lifecycles than commercial products. COTS solutions may not be supported for the entire lifecycle of a government project.
    • Support and Maintenance: Ensuring timely updates and patches for COTS solutions can be challenging, especially if the vendor’s priorities do not align with government needs.
  • Integration Challenges
    • Compatibility Issues: Integrating COTS solutions with existing government systems can be problematic, leading to potential security gaps.
    • Interoperability: Ensuring that COTS products work seamlessly with other government systems and technologies can require significant effort and resources.

While COTS solutions offer advantages like reduced development time and lower initial costs, they often lack the tailored security features, compliance, and flexibility required by government agencies. For these reasons, many government entities prefer custom-built solutions or Government Off-The-Shelf (GOTS) software, which can be specifically designed to meet their unique security and operational needs.

Government Off-the-Shelf with Purism

Purism stands out as a beacon of privacy and security. As a company dedicated to creating secure hardware and software, Purism offers a robust platform upon which mobile computers and smartphones can be built. Purism’s commitment to open-source principles, hardware security, and privacy-centric software makes it an ideal foundation for secure mobile computing.

Purism’s dedication to open-source software is a cornerstone of its security strategy. By leveraging open-source code, Purism ensures transparency and trust. Users and developers can inspect the code, identify vulnerabilities, and contribute to its improvement. This collaborative approach not only enhances security but also fosters a community-driven ecosystem that prioritizes user freedom and control.

Hardware Security

At the heart of Purism’s offerings is its secure hardware. Purism designs its devices with security in mind from the ground up. This includes the use of hardware kill switches for the microphone, camera, and wireless communications, allowing users to physically disconnect these components to prevent unauthorized access. Additionally, Purism’s devices are built with tamper-evident features, ensuring that any physical interference is immediately noticeable.

Privacy-Centric Software

Purism’s software ecosystem is designed to protect user privacy. The PureOS operating system, which powers Purism’s devices, is a fully open-source, Linux-based OS that prioritizes security and privacy. PureOS includes a suite of privacy-focused applications and services, such as encrypted messaging, secure browsing, and decentralized communication tools. By default, PureOS avoids proprietary software and services that could compromise user data.

End-to-End Encryption

One of the key features of Purism’s platform is its support for end-to-end encryption under the owner’s control. This ensures that data transmitted between devices is encrypted and can only be decrypted by the intended recipient.

Supply Chain Integrity

Purism takes a holistic approach to security by ensuring the integrity of its supply chain. From the sourcing of components to the manufacturing process, Purism maintains strict oversight to prevent the introduction of malicious elements. This commitment to supply chain security is critical in an age where hardware-based attacks are becoming increasingly sophisticated.

User Empowerment

Empowering users to take control of their digital lives is a fundamental principle of Purism. By providing tools and resources for users to manage their own security and privacy, Purism fosters a culture of digital self-reliance. This includes comprehensive documentation, user-friendly interfaces, and ongoing support to help users navigate the complexities of digital security.

Coalition of the Willing

Purism represents a secure, electronics-made-in-the-USA platform upon which the future of mobile computing can be built. I learned during my nearly twelve-year tenure at Microsoft that the mobile ecosystem was vital to producing replicable, secure solutions. I feel the same way today. It will take multiple companies all working in concert to ensure that the government and regulated industries have the most secure mobile devices possible.

The ecosystem is made up of many players, but a non-exhaustive list would include: Silicon Chip Vendors, ODMs/OEMs, Network Equipment Providers, ISVs of all stripes but especially the end-point-management and protection vendors, the Cellular Operators, the Cloud Service providers, the Peripheral vendors, and many more.

These participants and others (namely cryptographic specialists) are busy on multiple published and unpublished efforts at building a more secure device for both unclassified and classified use cases. There are dozens of both In Garrison (Office) and Tactical (Field) deployments going on at any one time. In addition, NATO and other friendly countries often look toward the US in terms of setting the high bar for Information Assurance/Security.

Similarly, regulated industries (ranging from Healthcare, Pharmaceuticals, Energy Utilities, Financial Services, Education and others) view the United States federal government as setting the high bar in terms of security.

Through its commitment to open-source principles, hardware security, privacy-centric software, end-to-end encryption, supply chain integrity, and user empowerment, Purism offers a comprehensive solution for those seeking to protect their digital lives. As threats to digital security continue to evolve, Purism’s dedication to privacy and security positions it as a leader in the field, providing a solid foundation for secure mobile computing.