The U.S. Air Force has abruptly cancelled a plan to buy nearly 3,000 iPad 2 tablets, just days after a news site raised questions about including a Russian-developed app for encrypting and reading documents.
The original plan, posted in late December on the Federal Business Opportunities website, was to buy 2,861 iPad 2 machines to be used as electronic flight bags carrying digital versions of charts and technical manuals. The procurement specified the use of GoodReader, a popular iPad document reader developed by a Moscow, Russia software developer, Yuri Selukoff, of Good.iware. The same application, which has been well-reviewed by bloggers and tech sites, has been used in two other similar deployments, one for Alaska Airlines and another for Delta.
In this case, the iPads would be used by the Air Force Special Operations Command (AFSOC), which maintains a fleet of surveillance aircraft and helicopter gunships, according to reporting by NextGov, which is part of the National Journal Group and the Atlantic Media Company, and covers IT management in the federal government.
Bloomberg this week reported about what seems to be a separate but similar Air Force project, that could eventually total 18,000 iPad 2 tablets, also being used to store flight documentation.
So far the Air Force has not offered any explanation for the cancellation.
But the cause may have been inquiries last week by NextGov's Bob Brewin, who drew attention to the use of Russian software on a Chinese-manufactured tablet for use by special operations pilots and crew. Brewin's story was published Feb. 17. In it, he noted that AFSCO specified the use of GoodReader: "Device must be capable of using the GoodReader application, which meets mission security and synchronization requirements. Operation of this application requires the iOS operating system and its inherent security features."
The mission security requirements apparently include encryption. GoodReader can encrypt data files, which is an important feature because iPad 2 has not been certified as under the Federal Information Processing Standard (FIPS) 140-2 for secure data storage and transmission.
Despite that, several current and former military officials in the NextGov story raised concerns about military pilots relying on Russian software, and about whether the SOC had adequately vetted Good.iWare and its code.
In researching the story, Brewin contacted the Air Force which didn't directly respond to specific security concerns. But the day before the NextGov story appeared, the procurement was canceled.
As the story gained circulation, others questioned the basic model of storing military information on any kind of client mobile device, especially one that lacks FIPS certification.
"We disagree that data should come outside the [secure] network," says Tony Busseri, CEO
For Route1, a Toronto company that offers a security and identity management platform, MobiNet, which lets remote users securely access data behind a firewall from any kind of client. Its customers include the U.S. Navy and Department of Homeland Security.
Busseri notes that the consumer-oriented iPad 2 is not designed from the ground up with security in mind, that it currently lacks federal security certification, and there are alternatives, even in a flight bag application, to storing such data on a client device. "We were quite taken aback by the original procurement [plan]," he says. "We're active in recommending that military data [that's] stored on these devices has negative security consequences."
Brewin also exchanged emails with GoodReader developer Yuri Selukoff over the issue.
"Selukoff, in an email exchange with Nextgov, bridled at the suggestion that GoodReader could pose a security risk to U.S. government users just because he is Russian. 'Ha, someone's still living in 1970, aren't they?' [he replied when asked about security concerns.] When asked to address concerns about malicious code in GoodReader, Selukoff replied, 'What is this offensive and insulting assumption based on? Are there any actual facts or complaints that such thing has ever happened?'
"'I am not affiliated with any government institution, neither Russian, nor any other,' he added. 'GoodReader doesn't have any malicious code built into it. Having said that, I am open to any security/penetration tests that anyone would be willing to perform on the app.'"