Government iPhone ban blamed on Apple secrecy

News

Government iPhone ban blamed on Apple secrecy

Mark Ballard

The British government ban on iPhones and iPads stems from Apple's refusal to allow its source code to be analysed by computer experts working for the intelligence services.

This version of events was "broadly true", an information assurance expert at CESG, the arm of the UK Ministry of Defence that oversees security of government computer systems, said in a written statement.

The confirmation settles three years of speculation over Apple's failure to secure a CESG certification when its rival Blackberry has had one since at least 2008. The security clearance is required for such communications devices to be permitted for use by civil servants and government ministers.

Details of Apple's recalcitrance was leaked by Andy Tait, deputy head of cloud computing at the Cabinet Office, at conference in the Autumn. Tait said it might be possible to use iPads to do things like view "generic presentations".

But using Apple products for more serious government work "at higher security levels" was impossible because the vendor had not co-operated with the government evaluation.

"Whereas CESG get to crawl all over the code on general PC products, I think Apple are less keen on opening up at the code level how their phones operate. Therefore, we can't get an information assurance accreditation for those type of phones at the moment," Tait told a conference of Socitm public sector IT managers.

A CESG expert confirmed Tait's comment was "broadly true", though what has been called a ban on Apple products is technically a boycott in the absence of security clearance for the vendor.

"We don't manually review every single line of a product's source code, but we do look at critical functions in detail, and also employ automated tools to discover potential implementation problems," said the expert, who asked not to be named.

He said CESG experts employed by the government's GCHQ Signals Intelligence centre in Cheltenham could only put a product through the CESG Approved Products Service (CAPS) evaluation with the full co-operation of its vendor.

CESG put vendors through a pre-evaluation procedure "referred to officially as 'consultancy and advice'", said the spokesman. When the decks were set, CESG commenced its full-blown evaluation.

"The goal is to enter the evaluation phase with confidence that it can be successfully completed," he said, implying that there was no pulling out after the pre-evaluation hand-shake had been done.

"Obviously, CESG evaluation of a product requires a vendor who is willing to engage in the full evaluation process, such as providing access to product engineering staff, and allowing CESG's evaluators to perform a detailed examination and review of the product's design and implementation," said the spokesman.

But he refused to say whether Apple had entered the pre-evaluation process and then withdrew, whether CESG had rejected Apple, or whether public sector demand for Apple devices had been so high that CESG had been forced to attempt a CAPS evaluation but was snubbed or otherwise unsuccessful.

Apple was given a number of opportunities but did not comment. Security experts said the CAPS evaluation was rigorous.

Debbie Ashenden, senior research fellow in information assurance at Cranfield University's Shrivenham Campus, the UK Ministry of Defence Academy, said: "As you go up the higher levels of classification for a system, you have to be more and more convinced that the software you are using is secure.

"The most certain way of doing that is going through the code line by line. But its expensive and time consuming," said Ashenden.

Geoff Harris, president of the Information Systems Security Association and founder of Alderbridge Consulting, a CESG-listed adviser, said: "It's entirely down to the organisation. They need to make their code available and pay lots of money."


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy