As the federal government moves to widespread implementation of mobile device policies, the most attractive and cost-effective approach appears to be personnel using their own personal devices to do their jobs.
But while BYOD policies make economic sense, the devil is in the details. This is especially important for the Defense Department and other federal organizations responsible for handling sensitive and classified data.
The implications of federal sector BYOD policies were discussed by top government officials at the Defense and Security Mobile Technologies Symposium in Washington, D.C. on July 20.
The Army is the lead agency in the DOD’s mobile device efforts. The service is working to put mobile devices in the hands of all of its active duty personnel. But when this is achieved, it will still leave out some 1.5 million Army National Guard, reserve and civilian users who won’t be issued government devices, said Lt. Col. Matthew Dossman, USA, emerging technologies chief in the Army CIO’s office. One way to reach those users is to use virtualization technology to allow people to bring their own devices. Authentication remains a challenge, but one way to allow users to access DOD networks with their own devices would be to install a CAC card reader or scanning sleeve onto a handheld.
At the very least, it will allow users to access email and calendar functions from their devices. From there, the goal is to build up services and capabilities to best extend services to these personnel. Cost will be a challenge because the CAC readers will have to be inexpensive. The Army needs to work out ways to inexpensively provide user authentication for BYOD devices. “If I’m not going to give you a $200 dollar phone, I’m not going to give you a $300 CAC reader,” Dossman said.
The Marine Corps is working on its own mobile device programs. As in the rest of the DOD, protecting data while it resides on a device and while it is in transit is a critical part of these efforts, said Ray Letteer, the service’s chief of cyber security. But while supplying personnel with mobile devices is very important, the Marine Corps must focus on meeting its operational needs and not get distracted by “shiny object syndrome,” he said.
One successful mobile effort has been the use of iPad tablet computers on aircraft and in command centers. The tablets are loaded with maps and manuals and their Bluetooth wireless systems are shut off for security. However, the Marine Corps is now looking into ways for users to turn the iPad’s wireless systems on and off to allow them to transmit targeting data, Letteer said.
But to properly manage its mobile device efforts, the Marine Corps is using a formal testing process that looks into areas such as coding and buffering to ensure compatibility and security, Letteer said. He added that one challenge is to get beyond traditional DOD thinking and accept some risk in using commercial devices. What is needed is to test and lock down approved models and designs of devices, he said.
Another branch of the DOD facing BYOD issues is the Air National Guard. Although it won’t happen in the short term, the ANG is looking at a BYOD approach to equip all of its personnel with mobile devices, said Lt. Col. Anmy Torres, USAF, chief of the Air National Guard’s Cyber Plans and Sustainment Branch. One challenge is that Air Guard units are not as large as their active duty counterparts and, unless a unit is called up, not all of its members are on site at any given time, she said.
Security for BYOD devices is critical, but it cannot be so stringent that Guard personnel cannot work with other DOD, state and local personnel during events such as natural disasters, Torres said.
Air National Guard personnel also need to be able to deploy on short notice. The ANG is working with Air Combat Command to leverage the Air Force’s mobile capabilities and infrastructure, Torres said. The ANG must first work out and implement security policies for BYOD devices before a major rollout can occur, she added.
Unlike at the DOD, the discussion at the Transportation Security Administration is not about the devices its personnel will use. This is because a small number of TSA personnel already use a card reader sleeve for their personal devices, said Chris Allen, senior technical advisor in the TSA’s Office of Information Technology. Instead, he noted that the concern is what layer in the Department of Homeland Security’s architecture they will authenticate to. Once a user is in the right layer based on their security clearances, the data there must be labeled and tagged correctly, he said.
However, because this is still a very small pilot, the TSA is building an experimental authentication layer to support the program, Allen said. The TSA has a very large public face to its networks. This is important because during an emergency, the agency must be able to communicate with and share its data with a variety of federal, state and local organizations.
The pilot is about 24 months away from a large agency-wide deployment, Allen said. The current pilot consists of 250 smartphones and tablet computers tied into the experimental infrastructure. The TSA is working on the network as it prepares to roll it out, he said.