Securing consumer devices for classified use

NATO’s decision to approve configured iPhones and iPads for handling classified information up to NATO restricted level—without requiring special software or settings—highlights a shift in how governments approach secure mobility. The significance lies not in a consumer device suddenly becoming secure, but in the widening acceptance that commercial technology can meet national security thresholds if information security is considered in the design and development of such products.

The 26 February announcement is notable because it democratises the availability of secure devices, previously only available to sophisticated government and enterprise organisations after significant investment in bespoke solutions. But it should still be understood in context. Several NATO member states have long deployed commercial mobile devices with built-in security capabilities in classified environments. In Australia, certain Apple and Samsung devices have been authorised for use up to the Protected level provided they are implemented with appropriate configuration controls and governance in line with the government’s protective security policy framework; guidelines for businesses’ integration of mobile devices; and the Australian Signals Directorate’s information security manual.

What NATO’s decision reflects, then, is a broadening recalibration. For years, parts of the defence ecosystem defaulted to bespoke hardware and software stacks that were often costly, slow to field and difficult to sustain. Meanwhile, commercial platforms have evolved rapidly. Mass-market devices incorporate hardened silicon, secure enclaves—protected sections of the processor designed to safeguard sensitive data and encryption keys—hardware-rooted trust chains and continuous patch cycles operating at global scale.

The strategic shift is not that a phone is inherently secure, but rather that commercial engineering tempo can now intersect meaningfully with classified assurance frameworks.

But this milestone exposes the next layer of the problem.

An approved phone is still only an endpoint. Information and data, classified or otherwise, do not remain static within a device. They synchronise, authenticate, replicate and traverse infrastructure beyond the user’s physical control. Accreditation of an endpoint does not equate to systemic assurance across the full data lifecycle.

The strategic question therefore shifts. It is no longer whether we trust the device but whether we trust the pathways and key material protecting the data once it leaves the device.

We have seen this logic before in debates about sovereign cloud. As argued in an ASPI report titled ‘Whose cloud is it, anyway?’, data residency alone does not equal sovereignty. Control depends on visibility, authority and the capacity to adapt architectures as risk evolves. The same logic now applies to secure mobility.

A hardened phone does not guarantee a hardened system.

Once data leaves the device it traverses complex infrastructure: carrier networks, cloud management planes, identity services and cross-jurisdictional routing frameworks that may be subject to competing legal authorities.

Modern mobile ecosystems are layered and interdependent, involving cellular backhaul—the core carrier networks that carry mobile traffic between towers and the wider internet—wi-fi, satellite links, identity providers, update channels and remote management services.

Sophisticated state adversaries do not need to defeat a secure enclave if they can harvest metadata, compromise key management systems, exploit lawful access pathways or conduct long-term traffic analysis. The strategic contest increasingly sits in these seams.

NATO’s approval answers the device question. It does not, by itself, resolve the network question.

If classified workflows are to operate over commercial mobility platforms, the network needs to be treated as part of the security boundary, not as a neutral pipe.

That brings cryptography to the fore.

Public key infrastructure has underpinned secure communications for decades. But its reliance on persistent identities, certificate hierarchies and long-lived trust anchors deserves renewed scrutiny in an era of large-scale data collection and strategic patience by adversaries.

Traffic captured today may be decrypted tomorrow. Quantum computing sharpens that concern, but it is not the sole driver.

Cryptographic agility is therefore not just a technical feature; it is a policy requirement.

One emerging direction is volatile cryptography—architectures that prioritise short-lived session keys created for individual communication sessions, forward secrecy, and rapid key rotation, wherein encryption keys are regularly replaced to reduce the effects of compromise.

The emphasis shifts from algorithm strength alone to key lifecycle discipline, involving generation, rotation, storage and destruction of key material.

In a mobility context, this matters enormously. If classified traffic moves over heterogeneous infrastructure, including commercial networks and shared cloud environments, the architecture needs to assume that the underlying transport may be observed, intercepted or stored.

Systems should treat the network as untrusted by default.

In such a model, confidentiality and integrity are enforced cryptographically end to end, above the transport layer.
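The model the preceding paragraphs describe, with short-lived per-message keys, regular rotation, destruction of old key material and confidentiality and integrity enforced end to end above an untrusted transport, as an added example that is not code from the original article or from any NATO or national system. It assumes only Python’s standard library: the PRF-in-counter-mode cipher stands in for a real AEAD such as AES-GCM, the shared root key stands in for an authenticated ephemeral key agreement (not shown), and the scrubbing step is best-effort because a managed runtime may retain copies.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

KEY_LEN = 32
TAG_LEN = 32


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256 as the PRF; length <= 255*32."""
    assert 0 <= length <= 255 * 32
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class RatchetSession:
    """One direction of a session whose keys rotate on every message.

    Only the current chain key is held. Each step derives a one-time message
    key and the next chain key with a one-way function, then scrubs the old
    chain key, so whoever holds the state at message n has nothing from
    which to recompute the keys that protected messages 0..n-1.
    """

    def __init__(self, root_key: bytes) -> None:
        self.chain_key = bytearray(root_key)
        self.counter = 0

    def next_message_key(self) -> Tuple[int, bytes]:
        index = self.counter
        current = bytes(self.chain_key)
        msg_key = hkdf_expand(current, b"message-key", KEY_LEN)
        next_chain = hkdf_expand(current, b"chain-key", KEY_LEN)
        # Destruction step (best effort in a managed runtime): overwrite the
        # old chain key in place before replacing it.
        for i in range(len(self.chain_key)):
            self.chain_key[i] = 0
        self.chain_key = bytearray(next_chain)
        self.counter += 1
        return index, msg_key


def seal(msg_key: bytes, index: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one message as header || ciphertext || tag.

    The keystream is the PRF in counter mode under a per-message key; it
    stands in for a real AEAD (AES-GCM, ChaCha20-Poly1305) in this example.
    """
    enc_key = hkdf_expand(msg_key, b"enc", KEY_LEN)
    mac_key = hkdf_expand(msg_key, b"mac", KEY_LEN)
    header = index.to_bytes(4, "big")
    keystream = hkdf_expand(enc_key, b"stream" + header, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(msg_key: bytes, packet: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(packet) < 4 + TAG_LEN:
        raise ValueError("truncated packet")
    header, ciphertext, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    enc_key = hkdf_expand(msg_key, b"enc", KEY_LEN)
    mac_key = hkdf_expand(msg_key, b"mac", KEY_LEN)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    keystream = hkdf_expand(enc_key, b"stream" + header, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def send(session: RatchetSession, plaintext: bytes) -> bytes:
    index, msg_key = session.next_message_key()
    return seal(msg_key, index, plaintext)


def receive(session: RatchetSession, packet: bytes) -> bytes:
    # Reject replays and reordering before spending a ratchet step on them.
    if len(packet) < 4 or int.from_bytes(packet[:4], "big") != session.counter:
        raise ValueError("out-of-order or replayed packet")
    _, msg_key = session.next_message_key()
    return unseal(msg_key, packet)


def run_demo() -> Dict[str, bool]:
    """Constructed scenario: two peers, an observed transport, one tamper attempt."""
    # Constructed root key; a deployed system would obtain it from an
    # authenticated ephemeral key agreement (for example X25519), not shown here.
    root = secrets.token_bytes(KEY_LEN)
    alice, bob = RatchetSession(root), RatchetSession(root)
    first_chain = alice.chain_key  # handle kept only to check scrubbing
    messages = [b"grid ref 34S", b"move at 0600", b""]  # constructed sample traffic
    transport: List[bytes] = [send(alice, m) for m in messages]  # what an observer sees
    received = [receive(bob, p) for p in transport]

    tampered = bytearray(transport[0])
    tampered[6] ^= 0x01  # one ciphertext bit flipped in transit
    try:
        receive(RatchetSession(root), bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    probe = RatchetSession(root)
    keys = [probe.next_message_key()[1] for _ in messages]
    return {
        "roundtrip_ok": received == messages,
        "tamper_detected": tamper_detected,
        "old_chain_scrubbed": bytes(first_chain) == bytes(KEY_LEN),
        "message_keys_distinct": len(set(keys)) == len(keys),
        "observer_sees_plaintext": any(m in p for m, p in zip(messages, transport) if m),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is the one the article makes: the transport carries only the sealed packets, every packet is authenticated before any decryption, and the key lifecycle is explicit in code (derive, use once, scrub, advance). What the ratchet alone does not give is recovery after a compromise of the current state; that is the job of the periodic fresh key agreement the root key stands in for.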

This does not diminish the importance of trusted infrastructure. Domestic carriers, secure data centres and robust regulatory frameworks still matter. But sovereignty also increasingly needs to be defined in terms of cryptographic control, key authority and update governance—not solely physical location.

Commercial platforms update weekly. Operating systems patch continuously. Cellular standards evolve rapidly. Defence accreditation cycles often move at institutional speed.

If NATO’s decision is to have real operational impact, allied nations will need to rethink how they accredit both hardware and architectures.

Continuous assurance models may prove more realistic than static certification regimes in a mobile environment.

There is also a sovereignty dimension that should not be ignored.

Approving a commercial mobile phone for classified use is pragmatic and overdue. It signals confidence in modern security engineering and rejects the false choice between innovation and protection.

But it is only the first layer.

The phone may now be trusted under defined conditions. The harder task is ensuring that the pathways beneath it, the networks it relies on and the cryptographic governance frameworks that protect its traffic are equally resilient.

If we secure the phone but neglect the transport and key lifecycle, we risk building a mobility model that looks modern but fails under pressure.

NATO’s decision should therefore be treated as a forcing function: a prompt to modernise allied thinking on network trust, cryptographic agility and sovereignty before adversaries test the system at scale.