Dark Reading's hacked-off Weblog


Is Obama's Mac A National Security Risk -- And Will He Be Allowed To Keep It?


Dec 05, 2008 | 11:08 AM

By Rob Enderle
Dark Reading
There was a lot of focus a few weeks ago about whether President-elect Obama was going to be allowed to keep his BlackBerry. The discussion seemed kind of silly given how many BlackBerrys are in wide use in the U.S. government. However, you may recall that a foreign national stole a couple a few months ago, which certainly raised the security profile for these devices.

So what about Obama's Mac?

The vast majority of remedial security solutions currently in use by the federal government run on Windows. In addition, the government is one of the most aggressive users of Trusted Platform Modules to ensure the protection of the data and the integrity of the system's network connection. Absolute Software (LoJack/Computrace for PCs) is also in wide use for PC tracking. Government PCs generally have smart card readers to secure them, and some use biometrics, but Apple machines typically don't allow for either. Finally, management tools are widely used to do things like ensure USB ports can't pass data to USB keys and that any laptop brought into a secure organization isn't a carrier for malware that could compromise the security of that unit.

The vast majority of the tools used to do all of this simply don't run on the Mac OS. Many require hardware components like the TPM, which aren't installed in Mac hardware and can't be retrofitted. Macs, while perceived as more secure than Windows, are commonly used as carriers for malware because they generally don't run malware scanning software.

I'm writing this at a meeting with a bunch of desktop IT analysts from a variety of firms, and the consensus is that on the first day of the job someone will quietly take Obama's PC and promise to give it back to him when his term of office expires. I'm not so sure -- the guy will be President after all -- and think that he may instead order them to find a way to fix the problem.

Will The New President Be Allowed To Use A Mac?

I'm going to disagree with my peers and suggest that rank has its privileges; I expect Obama will eventually be allowed to use his Mac. I base this on my experience at IBM, where we hired a CEO for the storage division during the OS/2 years, and he was allowed to create a little Mac island for himself and his admin. I figure if someone who wasn't the CEO of IBM could bring in a competitive product that violated a massive number of policies, then the vastly more powerful U.S. president could get a variance allowing him to bring in his beloved Mac.

So how will he or one of his people solve this problem?

There is antivirus software for the Mac, and custom scripts can be created to scan and ensure his exception machine when it connects to the network. Card readers and biometric readers can be added as peripherals. It isn't pretty, but it can be done. An equally secure RSA token solution also can be used on his machine (some parts of government do this today). The problem is the Absolute Software requirement and the TPM, neither of which can be retrofitted.

Now I think they can accept the Absolute product and put a physical tracking technology onto Obama's notebook. The Targus DefCon 1 laptop lock and alarm might be adequate, if used properly, to mitigate the theft risk, but it isn't as comprehensive as Absolute. However, I'm sure they have more advanced tracking devices they can get from the NSA, FBI or CIA that are even more effective at tracking than the Absolute. Granted, they are likely more expensive, but given the value of what is on this laptop, I'm sure the cost can be justified.

The TPM is a bigger problem because it is one of the key components to ensuring the laptop's drive can't be pulled and compromised. So remote the data. There are few places Obama will be where he won't have a secure data connection available to him. All his organization has to do is find a secure way to connect his laptop to it (clearly some care will need to be taken here). If no critical data resides on the laptop, then the risk of loss is effectively mitigated and could be the first implementation of what is effectively a diskless Mac.

Of course, they could also call Apple and quietly suggest it put in and enable its notebooks with a TPM. I'll bet even Steve Jobs will take a call from the U.S. CTO or president. (If it were my laptop I'd be tempted to make this call myself.)

Having a technology-using president will force a number of changes. One of these changes may be ways to better integrate Macs into both government and business. Unfortunately, I doubt they will share this solution with us, but given how many things leak out of the government I expect it won't be long before someone figures this out and posts it. Who knows -- they may even share the information to help others in similar situations given that this new administration is promising more transparency.

Granted, they may have to solve the Zune vs. iPod question first.


