Government departments have been given the go-ahead to use iPhones to send and receive sensitive emails, as part of moves to broaden the number of approved public sector mobile devices beyond BlackBerrys.
Under new guidelines, civil servants and ministers could use Apple devices for restricted information deemed to compromise the workings of government if released to third parties.
Until now, BlackBerry has been the only device accredited for the use of restricted information by the government’s security arm CESG.
The news comes amid mounting concerns over the long-term viability of BlackBerry, which has seen a successive fall in sales.
According to Whitehall sources, the government currently has around 20,000 BlackBerry devices in circulation.
Peter Sommer, London School of Economics professor and cyber war expert, said the move was a sensible continuity plan, given BlackBerry-maker Research in Motion's (RIM) troubles.
"There is an urgent requirement to find an alternative to BlackBerry, and that is entirely sensible,” he said.
Read more about mobile devices in government Government may struggle to deliver user device strategy Government opens smartphone provider market Apple squashes BlackBerry as Brent deploys iPads
A review by CESG concluded that iOS6, the latest operating system (OS) for iPhones and iPads, is now secure enough to handle restricted government information, providing departments build in additional security controls.
CESG has warned that security on iO6 requires organisations to extend their network monitoring and security systems and relies on users correctly using the iPhone security features. Failure to follow any of these controls could compromise information security, said the guidelines.
BlackBerry handsets are still the most secure device for government as they operate a more closed system, but Apple offers the second most secure operating system for the workings of government said Sommer. “If it can’t rely on RIM being in business, the next best bet is Apple,” he said.
“The risks of moving from Blackberry to Apple are largely ones of careful implementation – if they are hurried, problems will occur,” said Sommer.
There is an urgent requirement to find an alternative to BlackBerry, and that is entirely sensible
Peter Sommer, London School of Economics professor and cyber war expert
Maintaining government data security standards
A spokeswoman from the UK Government Communications Headquarters (GCHQ) said the move did not represent a relaxation in security standards.
“We are providing informed risk management and advice and guidance for those in the UK public sector who might be considering deploying iOS. The goal of this guidance is to assist them in effectively managing the risks to sensitive information when working remotely on smartphones,” she said.
Rik Ferguson, director of research at security company Trend Micro, said the government should be able to maintain the same level of control on iOS6 devices as BlackBerry 7 OS.
The firm recently compared the security of mobile operating systems, and found BlackBerry to be the most secure, followed by iOS, Windows and Android.
He said the government ought to be able to enforce the same policy on Apple iO6 devices as RIM's BlackBerry 7 OS, including full device encryption, the ability to remote wipe, and locking down apps to ensure no further ones could be added to the device if necessary.
The primary goal of the guidance is to help protect sensitive emails, but advice is included on additional scenarios and on third-party applications, said the GCHQ spokeswoman.
Expanding public sector smartphone choices
Moves are also underway by government to broaden the number of mobile devices used for restricted information to potentially include those running Android and Windows mobile operating systems.
The risks posed in the event of government information being compromised are currently categorised under a six business impact level system, 0 being the lowest and 6 used to categorise top secret data.
However, under the new Government Protective Marking System the six business impact levels will be regrouped into three tiers. Impact levels 1-3 will be loosely classified together in the same Tier 1 category, which means a greater range of smartphone handsets could be used to handle restricted information.
Why app downloads are posing security risks
App downloads are becoming an increasing security risk for corporate and government networks, as uncertified third-party applications sometimes carry malware or spyware that can retrieve emails, messages, call history, client lists and other corporate data.
“Applications carrying malware can transform the device into a gateway for Trojans and viruses to enter the enterprise network or may cause data leakage or exposure,” said Nitin Bhas, senior analyst at Juniper Research.
“In addition, new applications installed on mobile devices can locate the device on a map and track the movements of the device and the user," he said.
“Consequently, there is a need to consider mobile devices as just another endpoint, and security functionalities should be integrated within the device management platform,” he said.