Like many federal leaders today, Donald Kachman spends a lot of time thinking about security for the growing number of mobile devices in his agency.
And he’s coming up with solutions.
As the mobile device steward for the Department of Veterans Affairs, Kachman has in part been responsible for nearly eliminating electronic security breaches involving laptops, desktops and mobile devices across the agency.
The reason: 99% of all electronic material is now encrypted.
Kachman has launched encryption technology and instituted a number of other requirements, including complex passwords and a mandate that employees report lost or stolen devices within an hour after they’ve been discovered missing.
“There is very exciting technology out there. It will change the way we do business,” Kachman, director of Mobile and Security Assurance at the VA, told Breaking Gov.
Kachman said the VA’s mobile devices are used for a wide range of the agency’s services from doctors efficiently delivering care and collecting patient information at VA hospitals to VA staffers checking the status of veterans at homeless shelters.
But today’s success isn’t stopping Kachman. He’s looking ahead to the next generation of threats. He’s integrating mobile devices into the VA and building out the agency’s mobile infrastructure with fortified firewalls to ward off future attacks.
“The technology is changing rapidly and with that, so do the risks and capabilities. By having a dedicated mobile program, it makes keeping abreast of the newest threats and new capabilities of the devices easier to further the agency’s mission,” he said.
There are currently 20,000 mobile devices in use at the VA, including BlackBerries, iPhones, iPads and a very small number of Androids that have had security embedded in the last year to prevent an intrusion. The VA plans to ratchet that number up to 100,000 devices in the next several years, but first it must acquire an enterprise-wide, cloud-based mobile device management system.
But security problems persist. The biggest headache: People lose their devices. They may leave them in a taxi, at a café or the gym, Ahmed Datoo, chief marketing officer at Zenprise, the California-based mobile management system, told Breaking Gov.
About 5 to 10% of all laptops and 15 to 25% of mobile devices are lost every year nationwide, he said. Although there are no specific numbers across government, the national numbers of equipment losses are a warning signal for every sector – government and private industry alike.
“Truthfully, I will say there is always going to be a way around security-related issues,” Datoo said. “You can put security on devices that address 99 percent of issues, but there will always be loopholes in everything.”
As the technology matures, Kachman said, the VA will add more functionality to its mobile devices and new security safeguards as the technology becomes available. The goal is to cut costs by phasing out other devices now in use, including desktops and laptops.
His rules for handling the new age of mobility can provide a good template for other agencies:
- When a VA device is lost, a user has one hour to report the missing device to the information security team. The data can be wiped off the device by the team and reinstated if the device is recovered.
- Every device must be encrypted.
- Use the software feature that prevents a screen from being copied, photographed or forwarded.
- Make sure a complex password is used that includes letters, numbers and symbols. Make sure it’s changed every three months.
- Adequate training is essential. The VA requires every employee to go through refresher training every year, and if they run over the one-year deadline to schedule training, they are locked out of the system.
“Most people have good intentions but make mistakes,” said Gregg Martin, director of Mobile Security for Kansas-based Fishnet Security.
From Kachman’s perspective, the mobile revolution is a great idea, giving government a faster way to deliver services. But use it carefully and don’t just buy the latest new fad on the market, he advises agencies.
“There are many great applications for these mobile devices, but each agency should look to see what functions the device can perform and when it’s implementing and look at reducing the total number of devices per user, rather than increasing,” Kachman said.