Commentary
1/14/2014
10:45 AM
Tim Larkins

BYOD In Defense Department? Not In This Lifetime

Despite some moves toward securing mobile devices and applications, Defense Department officials do not embrace the bring-your-own-device trend.

Large bureaucracies, whether public or private, have a variety of ways to effectively avoid adopting a popular policy or practice. One way is to make that policy or practice a long-term goal while promising to keep evaluating it periodically.

That's what the Defense Department has done with its BYOD -- bring your own device -- policy.

There's no question that the department has made strides on mobility, enterprise mobile device management, and the use of commercial devices and even General Services Administration contracts. But BYOD?

Here's what Defense CIO Teri Takai said about BYOD in a February 2013 memo on commercial mobile device (CMD) implementation:

"Despite the benefits, existing DOD policies, operational constructs, and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition." The memo said that BYOD is a long-term objective and, "in conjunction with the Digital Government Strategy, DOD will continue to evaluate BYOD options."

Based on public comments from the CIO's office since then, it's fair to say that the DOD's position hasn't changed. In other words, when it comes to BYOD, don't hold your breath. Although the department officially holds out the possibility of a future BYOD policy, I don't see it happening in reality, at least not in the foreseeable future.

Why? The risk of security breaches is simply too great and the consequences too dangerous.

Not a month after the DOD CIO's office issued its implementation plan, the Defense Department's inspector general released a tough report on security holes in the Army's use of commercial mobile devices. Investigators visited West Point and Army Corps of Engineers locations and examined Android, iOS, and other commercial mobile devices in use.

The IG found they weren't covered by mobile device management (MDM) software, and weren't subject to remote wiping. Many devices were in use, yet the Army wasn't even aware of them. Hundreds were purchased by users without authorization in a sort of self-created, unofficial BYOD program.

If the DOD is going slowly in adoption of mobility devices, it's going more slowly still in BYOD. DOD IT planners realize, as everyone should, that mobility doesn't equal BYOD. Mobile devices have special -- and by now, widely understood -- requirements for becoming secure. Two of the most important:

  • Mobile device management. The government has been rushing headlong into mobility ever since former federal CIO Vivek Kundra pushed for it back in 2009. Devices, applications, application stores, and associated pilot projects arrived at agencies before CIO shops even thought about comprehensively managing potentially thousands or tens of thousands of devices. Not until early 2013 did the GSA begin to look for government-wide contracts for MDM and mobile application management products. Without MDM in place, it's nearly impossible to have strict configuration control, a security must-have. Now the government has gotten serious about MDM. This GSA site lists vendors with FIPS 140-2 MDM and MAM products.
  • Sandboxing of applications. This involves partitioning mobile devices in ways that create virtual machines on them, so that only approved apps can access certain data sources.

It's not as if policies aren't in place to help implement mobility in Defense Department components. The IG report mentions DOD instructions (5010.40) covering internal control programs. There's also a memo that predates Takai's memo, dating back to early 2011. It has comprehensive instructions on protecting commercial mobile devices.

Policy is fragmented
In spite of the best efforts of the DOD CIO's office, I see the policies toward mobile devices varying widely from one defense branch to the next.

DOD doesn't lack for initiatives to unify policy and practice. The Defense Information Systems Agency has been designated to provide unified technology programs across the DOD and has made some headway. For example, DISA continues to strengthen its role in the Joint Information Environment (JIE), providing 1.4 million users secure access to DOD cloud email accounts. It also created an Army-Air Force enterprise license agreement for Microsoft products.

The JIE is presumably the right place to develop and manage mobility capabilities for individual defense branches and even DOD-wide. But to put it charitably, the JIE is very much a work in progress.

DOD managers can also avail themselves of mobility guidance from the National Institute of Standards and Technology and even the Office of Management and Budget. Yet nothing in the accumulated policy and technology guidance makes a strong case for advancing BYOD as a subset of a military mobility framework, much less compels it.

Contractors seeking to work in the DOD market would be wise not to oversell the idea of enabling any and all mobile devices. Despite the promises of technology, BYOD simply won't happen in the DOD, at least not in any meaningful numbers.

I know, I know. BYOD situations have broken out in a few civilian agencies. But they have different and often less dangerous security considerations. And let's not forget about the Snowden effect that's making every agency nervous about trusted people on its network.

More likely, DOD agencies will establish a choose-your-own-device plan. (Dare I coin a new term, "CYOD"?) Employees, uniformed and civilian, will select from a list of approved devices depending on the flavor each person prefers. But the devices will be government-furnished, delivered with the agency's configuration and security controls already in place.

Tim Larkins is manager of market intelligence for immixGroup, which helps technology companies do business with the government. He can be reached at tim_larkins@immixgroup.com.

Comments
WKash,
User Rank: Author
1/15/2014 | 11:27:55 AM
Re: I know it is blasphemy....
GAProgrammer, thanks for speaking up. Obviously I agree -- except to say, I think the buzz comes more from mobile device management marketers, and conference panelists who have a vested interest in promoting BYOD tools, than from the tech media crowd.  (And if tech writers are evangelizing BYOD, they need to take a closer look at the ROI question.)
GAProgrammer,
User Rank: Ninja
1/15/2014 | 9:15:26 AM
I know it is blasphemy....
but not every organization is a candidate for BYOD. I know the tech press loves their buzzwords and evangelizes BYOD like they are making commissions, but there are plenty of reasons to never allow BYOD in everyday organizations.

For many organizations, there is no ROI. The increases in efficiency just don't justify the costs.

For others, like the DoD, security is the issue. Sure, you can remotely wipe a device - lots of BYOD solutions allow that. However, that does absolutely no good when the stolen device has already been compromised and the secure data is copied. Once it is gone, it is gone. For a company, you can sue, but that's of little consolation when your proprietary IP has been put on the black market. In the DoD case, lives could be lost due to information obtained between the time someone realizes the device is gone and the time the device is wiped.

Is it likely that someone can get the info off that quickly? Probably not. Is it possible? Definitely. In the DoD's case, if BYOD would cost a single human life, it is not worth the implementation.

I, for one, applaud the DoD for their decision.
WKash,
User Rank: Author
1/14/2014 | 5:25:08 PM
Why bother with BYOD?
At the end of the day, what's the big deal carrying around a government-issued and -secured smartphone alongside a personal smartphone?  I'm willing to bet the cost of securing personal smartphones on a DoD network far exceeds the cost of issuing a secured, DoD-issued phone. My guess is the only reason we keep hearing about a BYOD policy in the Defense Department is because a few generals still insist there has to be a way to get their personal iPhones to work on DISA's network.

The one place a BYOD policy would be valuable is defining/clarifying the boundaries and rules of conduct governing the use of personal devices while working within DoD enclaves.

 