The use of iPhones and iPads for managing classified information within NATO requires some systematic reflection on the inclusion of commercial products in the military and national security sector
by Andrea Monti – adjunct professor of digital identity, privacy and cybersecurity at the University of Rome-Sapienza – Initially published in Italian by Formiche.net
A recent press release available on Apple’s website announces that the German government has authorised the use of iPhones and iPads running iOS version 26 to manage “NATO Restricted” information.
Setting aside the understandably enthusiastic tone adopted by Apple’s marketing department, this news deserves some further analysis of the interaction between operational security and technological security in the context of NATO’s policy on the purchase of products classified as Commercial Off-The-Shelf (COTS).
A national authorisation, not a NATO one
Firstly, it should be clarified that the use of these devices has been authorised not by NATO as such but by a single member, namely Germany.
Secondly, it should be noted that iPhones and iPads may only be used to exchange “NATO Restricted” information, i.e. information classified at the fourth level of the Atlantic Alliance’s classification system, the unauthorised disclosure of which could adversely affect the interests of the Alliance itself but would not cause more serious damage.
Thirdly, it should be noted that access to this information does not necessarily require the personnel involved to hold security clearance. In other words, NATO Restricted information is also available to personnel who have not undergone additional checks beyond those required for their role or assignment.
Finally, the certification of iPhones and iPads does not exclude the possibility of using Android apps to manage NATO Restricted information.
Why use is limited to low-criticality information
Although designed with greater attention to security and, in particular, with the possibility of activating “lockdown mode”, these devices and their operating systems are not invulnerable. Indeed, even at the level of criminal investigations (i.e., with fewer resources than those of a hostile organisation), iOS security could, under certain conditions, be circumvented. This would explain why commercial products have been relegated to use in low-criticality areas.
Device security and the need for counterintelligence
Until now, we have looked at the characteristics of Apple devices from the point of view of their resistance to attacks by hostile operators. However, it is quite possible that this particularly high level of security could become a problem, for example if it were necessary to access the contents of an iPhone belonging to someone suspected of being a spy.
The issue of cooperation with Apple
To deal with this eventuality, one could imagine that some kind of “master key” function has been built into the operating system to allow access to the contents of the device even against (or without the knowledge of) the user.
However, Apple fiercely denied, already in 2016 at the time of the San Bernardino massacre and more recently in the dispute with the British government, both the existence of this picklock and any willingness to include it in its products.
While this industrial choice may be acceptable in the civilian market, it is more problematic in the military sphere: is it acceptable that tools that NATO cannot fully control may be used in classified areas, even at a low level?
Four possible scenarios for data access
In abstract terms, this question admits several possible answers.
The first is that, in fact, even NATO could not (easily) circumvent security measures when using Apple products if it needed to identify the source of an information leak. The point, to be clear, is that although NATO Restricted information is of (relatively) little value, the real security hole would be the greater difficulty in finding the “mole”.
The second, as unlikely as it may seem, is that Apple has “discreetly” agreed to weaken the defences of its operating system and related hardware.
The third is that Apple has agreed, as it has already done with the British government, to disable certain security features to allow law enforcement agencies easier access to smartphone content.
The fourth is that client-side scanning software has been installed on these devices, i.e. software that checks the nature of the content before it is encrypted and sent. Apple already possesses this technology, given that at around the same time as the United Kingdom and the European Union, the Cupertino-based company proposed the installation of such a system for the “protection of minors”. Subsequently, nothing came of it, but the technology remains available and therefore nothing would have prevented its use from being extended to other types of information.
Operational security is the perimeter to be guarded
The above are, of course, conjectures, but it is clear that, from a purely technological perspective, the decision to allow the use of civilian tools in classified areas poses problems that are difficult to solve in a simple way. It would therefore seem more sensible to reconsider the decision and return to the use of equipment under the full control of NATO — and, in general, of a structure that handles classified information.
If, however, this is not possible, then it would be appropriate to consider raising the level of operational security that personnel equipped with Apple hardware should comply with. This would mean, for example, making security clearances mandatory even for consulting NATO Restricted information, increasing periodic checks on personnel and activating key escrow procedures.
Ultimately, therefore, the lesson to be learned from the decision to include commercial products in the classified information management infrastructure is that one should not fall into the trap of thinking that technological security alone is sufficient to protect the Alliance from attacks that may be less “fascinating” but no less effective.
This approach may work as a marketing lever for a private company, but not as a policy requirement for those working in high security.
