DOD moves on mobile code

The Pentagon chief information officer approved a highly anticipated policy Nov. 7 governing the military's use of mobile code, which can be used for cyberattacks.

Mobile code is widespread throughout the Defense Department and other government agencies, according to the policy letter signed by Art Money, the Pentagon's CIO.

"Mobile code is a powerful software tool that enhances cross-platform capabilities, sharing of resources and Web-based solutions," Money stated. "Its use is widespread and increasing in both commercial and government applications. In DOD, mobile code is employed in systems supporting functional areas ranging from acquisition to intelligence to transportation.

"Mobile code, unfortunately, has the potential to severely degrade DOD operations if improperly used or controlled," Money continued. "To protect DOD systems from the threat of malicious or improper use of mobile code, we must assess and control the risks imposed on the technology."

The new policy defines mobile code as "software obtained from remote systems outside the enclave boundary, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by a recipient."

Microsoft Corp.'s ActiveX is one of many items listed in the new policy as potentially dangerous. Others include Java applets and other Java code, LotusScript and Shockwave/Flash.

ActiveX allows programs — hostile or not — to be e-mailed to a computer and automatically interfaced with other programs, according to Navy Capt. David Meadows, information assurance division chief with the Joint Chiefs of Staff.

"One of the biggest challenges in mobile code as identified by a lot of the commercial information assurance people is ActiveX," Meadows said. "When it downloads into your system, it allows that product that it brought with it to interact with every program you have in your system, regardless of what the program is or how it was designed. You can see for yourself that ActiveX can also be malicious."

The policy places mobile code technologies into one of three categories based on the threat they pose to DOD systems, with Category One mobile code being the most dangerous, in part because those technologies are easy to activate and have no known countermeasures.

The document also lists a number of emerging mobile code technologies, which have not been reviewed for categorization and will be "blocked by all means available."

The policy has been in the making for more than a year and has proved controversial within the military, according to Meadows.

"There are a lot of smart people out there who were members of this mobile code [policy] group, and every one of them had a different opinion on what it meant and how it operated. It was just as dynamic as being in a room full of Air Force and Navy pilots discussing air power vs. carrier power. You'd have to bring in the [military police] to separate the two," Meadows said.
