Commentary
1/14/2014
10:45 AM
Tim Larkins

BYOD In Defense Department? Not In This Lifetime

Despite some moves toward securing mobile devices and applications, Defense Department officials do not embrace the bring-your-own-device trend.

Large bureaucracies, whether public or private, have a variety of ways to effectively avoid adopting a popular policy or practice. One way is to make that policy or practice a long-term goal while promising to keep evaluating it periodically.

That's what the Defense Department has done with its BYOD -- bring your own device -- policy.

There's no question that the department has made strides on mobility, enterprise mobile device management, and the use of commercial devices and even General Services Administration contracts. But BYOD?

Here's what Defense CIO Teri Takai said about BYOD in a February 2013 memo on commercial mobile device (CMD) implementation:

"Despite the benefits, existing DOD policies, operational constructs, and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition." The memo said that BYOD is a long-term objective and, "in conjunction with the Digital Government Strategy, DOD will continue to evaluate BYOD options."

Based on public comments from the CIO's office since then, it's fair to say that the DOD's position hasn't changed. In other words, when it comes to BYOD, don't hold your breath. Although the department officially holds out the possibility of a future BYOD policy, I don't see it happening in reality, at least not in the foreseeable future.

Why? The risk of security breaches is simply too great and the consequences too dangerous.

Not a month after the DOD CIO's office issued its implementation plan, the Defense Department's inspector general released a tough report on security holes in the Army's use of commercial mobile devices. Investigators visited West Point and Army Corps of Engineers locations and examined Android, iOS, and other commercial mobile devices in use.

The IG found they weren't covered by mobile device management (MDM) software, and weren't subject to remote wiping. Many devices were in use, yet the Army wasn't even aware of them. Hundreds were purchased by users without authorization in a sort of self-created, unofficial BYOD program.

If the DOD is going slowly in adoption of mobility devices, it's going more slowly still in BYOD. DOD IT planners realize, as everyone should, that mobility doesn't equal BYOD. Mobile devices have special -- and by now, widely understood -- requirements for becoming secure. Two of the most important:

  • Mobile device management. The government has been rushing headlong into mobility ever since former federal CIO Vivek Kundra pushed for it back in 2009. Devices, applications, application stores, and associated pilot projects arrived at agencies before CIO shops even thought about comprehensively managing potentially thousands or tens of thousands of devices. Not until early 2013 did the GSA begin to look for government-wide contracts for MDM and mobile application management products. Without MDM in place, it's nearly impossible to have strict configuration control, a security must-have. Now the government has gotten serious about MDM. This GSA site lists vendors with FIPS 140-2 MDM and MAM products.
  • Sandboxing of applications. This involves partitioning mobile devices in ways that create virtual machines on them, so that only approved apps can access certain data sources.

It's not as if policies aren't in place to help implement mobility in Defense Department components. The IG report mentions DOD instructions (5010.40) covering internal control programs. There's also a memo that predates Takai's memo, dating back to early 2011. It has comprehensive instructions on protecting commercial mobile devices.

Policy is fragmented
In spite of the best efforts of the DOD CIO's office, I see the policies toward mobile devices varying widely from one defense branch to the next.

DOD doesn't lack for initiatives to unify policy and practice. The Defense Information Systems Agency has been designated to provide unified technology programs across the DOD and has made some headway. For example, DISA continues to strengthen its role in the Joint Information Environment (JIE), providing 1.4 million users secure access to DOD cloud email accounts. It also created an Army-Air Force enterprise license agreement for Microsoft products.

The JIE is presumably the right place to develop and manage mobility capabilities for individual defense branches and even DOD-wide. But to put it charitably, the JIE is very much a work in progress.

DOD managers can also avail themselves of mobility guidance from the National Institute of Standards and Technology and even the Office of Management and Budget. Yet nothing in the accumulated policy and technology guidance makes a strong case for advancing BYOD as a subset of a military mobility framework, much less compels it.

Contractors seeking to work in the DOD market would be wise not to oversell the idea of enabling any and all mobile devices. Despite the promises of technology, BYOD simply won't happen in the DOD, at least not in any meaningful numbers.

I know, I know. BYOD situations have broken out in a few civilian agencies. But they have different and often less dangerous security considerations. And let's not forget about the Snowden effect that's making every agency nervous about trusted people on its network.

More likely, DOD agencies will establish a choose-your-own-device plan. (Dare I coin a new term, "CYOD"?) Employees, uniformed and civilian, will select from a list of approved devices depending on the flavor each person prefers. But the devices will be government-furnished, delivered with the agency's configuration and security controls already in place.

Tim Larkins is manager of market intelligence for immixGroup, which helps technology companies do business with the government. He can be reached at tim_larkins@immixgroup.com.

Comments
WKash,
User Rank: Author
3/24/2014 | 10:42:52 PM
Re: Not quite accurate
Alison, you're right, the costs are high, in part because there's really the cost of supporting two approaches: Govt./Corp. Furnished Equipment and BYOD.  The BYOD approach is supposed to save money in essentially eliminating the equipment costs, but the hidden costs remain.
Alison_Diana,
User Rank: Author
3/31/2014 | 11:24:47 AM
Re: Not quite accurate
What many users don't realize is the risk they are taking when they use personal devices for work. It's really important for organizations to educate employees about the related governance and legal implications: For example, you could lose your phone or tablet if you're subpoenaed, and any embarrassing personal pix intermingled with work docs will now be in lawyers' and/or law enforcement's hands.
Jeff Pike,
User Rank: Apprentice
5/7/2014 | 10:20:27 AM
Inevitable trend?
Interesting take on the BYOD argument - from my perspective, there are numerous examples where technology trends have started in the social environment before moving into civil industry and then migrating into the military. Mobile apps – just one great example of a development which has been driven by consumers – are starting to have an important impact on aerospace and defense as part of several government initiatives worldwide.

Taking mobility one step further, it's interesting to see how the BYOD trend may take hold in defense in the future. Is it unacceptable for security and data control reasons, or just another inevitable trend that defense needs to embrace for the future?

I agree that many defense departments or military institutions may shy away from such a trend due to security issues, data concerns and coordination problems and therefore it's unlikely that this will take hold in defense in the short term.

Defense departments are already talking BYOD and how such policies can be implemented effectively. Take the Australian Department of Defence, for example, which has already created a BYOD plan called 'corporate owner and personally enabled' (COPE), which will be supported by a Defense app store. And Dr. Guy Bunker, renowned network defense specialist and author of ENISA's key report on cloud computing, says that BYOD is "here to stay" as a strategy for enhancing military IT usability.

So I believe the answer is yes – BYOD is likely to happen in defense, but the route for doing so needs to be progressive and selective in order to ensure optimal security.