Why BYOD Can’t Answer the Call for Secure Mobile
As many as 74 percent of private sector employers allow employees to access company systems using their personal phones, computers and tablets. But the U.S. government is, at best, a reluctant supporter of the trend. And Federal information chiefs are growing less enthusiastic.
BYOD – or “bring your own device” – is popular, not just as a way to save money, but also because it’s seen as boosting productivity and morale.
But caught up with concerns over information security and nagging questions about how much control agencies can exercise over employees’ devices, government IT managers remain unconvinced. Should they reimburse employees who use private data plans to do government work? Does allowing employees to access work email from personal devices expose agencies to overtime charges when workers check email while commuting, or at night and on weekends?
“There are a lot of gray areas,” said Tom Simmons, public sector vice president at Citrix Systems.
Most agencies impose rules limiting the use of personal devices. But that doesn’t mean those rules are being followed.
A survey by the mobile security firm Lookout Inc. reveals that nearly 40 percent of government employees ignore agency rules and use their personal devices for government work anyway. The August report on the Lookout survey findings is called “Feds: You have a BYOD program whether you like it or not.”
Some 40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have no impact on their behavior, the report said. And 7 percent admit to having rooted or jail-broken devices that they bring to or use at work. The majority of these employees have access to work email and work documents on those devices.
The takeaway: Even when agencies prohibit the use of personal smartphones, tablets and laptops for government work, “the rules have little to no impact,” Lookout concludes.
Technology to the Rescue?
There are ways to secure those personal devices. But they require compromise on both the workers’ and the government’s part. Workers have to agree to a certain amount of inconvenience, and they have to let the government put software on their phone that may raise concerns about privacy. The government, on the other hand, may have to be willing to control its normal appetites when it comes to how it uses that access.
The two ways mobile devices can be secured for government or employer use are:
- Virtualization. Devices access government programs and data through a virtual cloud interface, so no official data is ever stored on the personal device
- Walled garden or sandbox. Devices must be configured with a secure partition that separates personal and agency business. Only applications and activities that have been approved by the agency are permitted in the secure partition
Both improve security. But both can also limit the usefulness of the mobile device. Virtualization provides access to only agency-approved software and functions, and the walled garden includes relatively few applications approved by Federal agencies for use in secure partitions.
It’s Not the Device. It’s the User
Agency IT managers also worry about security missteps by employees who want to use their own mobile devices. Individuals don’t necessarily follow all the proper rules and procedures for keeping their devices safe.
Take password updates. “I can mandate how many times you must change your password on a device I own – I can say you can’t log on” unless you change, said Kevin Desouza of the Brookings Institution and co-author of a recent report on mobile computing in the government. “But I can’t do that for your own phone or tablet.”
Or what about “when people use devices for information they’re not supposed to, such as taking highly sensitive information home,” or storing sensitive information on smartphones or tablets, which then get lost or stolen?
“The amount of control is obviously lower if individuals are allowed to bring their own devices,” Desouza said.
Many employers require employees to allow them to remotely wipe a device if it has access to their networks. That way, if the device is stolen, any data that might be on it will be erased from memory. Users, on the other hand, worry that an employer might take advantage of that access. So trust – on both sides of the agreement – is essential.
Then there are the questions about the use of social media and the division of an individual’s personal and official opinions and positions. Simmons, of Citrix, raises the issue of agencies wishing to restrict what users can and can’t do on a personal device. What happens when an employee uses a BYOD device to email, tweet or access something an agency finds objectionable?
“Is that coming from the government persona or the personal persona?” Simmons asked. “There are a lot of gray areas.”
DHS Seeks Solutions
Recognizing that “gaps in mobile security” are “major barriers to expanding the use of mobile technology,” the Department of Homeland Security is trying to pave a way forward.
DHS has launched a Mobile Device Security initiative to support research and development of mobile security solutions. The department is investing in research by companies and universities that ranges from developing software that learns users’ behavior and issues a warning when it senses an unauthorized user, to creating “unique and unclonable” identification keys. Technology demonstrations are expected to begin in 2016.
But until mobile devices are made more secure, DHS says, mobile computing is dangerous territory. “A 2013 report indicated that 38 percent of smartphone users have been victims of cyber crime,” the agency says. And a 2014 survey found “3.5 million unique malware and high-risk apps” aimed at mobile devices.
“The transformational power of mobile technology hinges on the ability to secure this technology,” DHS explains in a one-page brief about its program.
Uncertainty about security is driving many IT chiefs to steer clear of enabling too many employees. Forrester Research analysts say 40 percent of government technology decision-makers surveyed in a recent study “said BYOD is not on their tech agenda, and another 30 percent responded that it’s a low priority.”
While 19 percent of government IT decision makers said developing a BYOD plan was critical in 2012, now that figure is only about 11 percent.
Defense Is Skeptical
The Defense Department (DoD) is high among those fence-sitters. DoD had planned a pilot program that would have allowed up to 10,000 employees to begin using their own smartphones and tablets this summer to access unclassified information. But the pilot was postponed until fall – or later.
Moreover, expectations for the pilot have been scaled back. Rather than usher in widespread BYOD use, DoD Chief Information Officer Terry Halvorsen told a mobility industry conference in July that BYOD use by the military will be allowed – but limited.
“I do think in the DoD there will be some places we can use bring your own device,” Halvorsen said. “[But] I do not think that it is going to be the majority of our operations, just because of the complexities of trying to manage” device security.
More likely, he said, DoD will acquire a limited number of mobile devices and issue them to a limited number of employees.
Mobility program managers at the Defense Information Systems Agency, the Army, and in the office of the Pentagon’s chief information officer all declined to comment for this article.
Three researchers at the Brookings Institution examined the strategic plans that Federal agencies prepare each year and discovered that only one – the Department of Veterans Affairs – mentions BYOD. VA says it will develop strategies for BYOD “to support the increasingly mobile workforces and veteran population.”
Dismayed, the Brookings researchers wrote, “No other Federal agencies appear to even recognize the value of BYOD to government. While some government entities might face data security challenges associated with BYOD [e.g., DoD agencies], we would expect the majority of Federal agencies to describe clear BYOD strategies.”
Brookings said government agencies could cut spending on mobile hardware and service plans and rely on users to provide that power – and at the same time increase employee productivity. Failure to embrace BYOD, the researchers said, means “money is being left on the table.”
How much money? “That’s the million-dollar question,” said Desouza, one of the scholars who co-wrote the report. “To the best of my knowledge, nobody has done that analysis.”
But looking at it from a different angle, BYOD could cost more than it saves. Will agencies ultimately have to pay for employees’ personal data plans? A California court recently ruled employers who require employees to use their personal devices may be liable for data charges. Similarly, adding more remote users would mean adding more Trusted Internet Connections to Federal networks. That was a concern of former Federal Chief Information Officer Steven VanRoekel, who cautioned in 2012 that agency networks might not be able to handle an influx of BYOD users without extensive upgrades.
On the other hand, VanRoekel also recognized that BYOD would enable workers to use the devices they prefer, enabling “better integration of their personal and work lives … [and] the flexibility to work in a way that optimizes their productivity.”
Simmons, the Citrix vice president, said that’s accepted wisdom in the private sector.
“The lion’s share of employees [want] the ability to work at times and locations that are convenient for them.” Whether they’re waiting for a child’s soccer practice to end or standing in line at the DMV, most employees want to be able to check work email and tackle other work-related chores, he said.
“A lot of mundane tasks can be done” during what would otherwise be wasted time, Desouza agreed. And that means “a higher amount of cognitive ability can be spent on work in the office,” which translates into greater productivity, he said.
Simmons put it another way. BYOD is a key “benefit to those who feel an obligation to get work done. They want the flexibility to get it done anywhere,” Simmons said. On the other hand, he acknowledged, there are also workers who will say “you pay me for 40 hours a week; I’m not giving 40½.”
And that’s the idea. No one is mandating BYOD – at least not yet. “I have yet to hear of anybody that has mandated that people do it – even in the private sector,” Desouza said.
Even if government interest in BYOD has generally dimmed, there are some potential bright spots. Forrester reports that the government IT managers it surveyed envision BYOD for “selected users, such as administrative employees, emergency responders, and temporary personnel.”
The Census Bureau, meanwhile, is testing whether it can let tens of thousands of temporary census takers use apps on their personal smartphones instead of paper forms for door-to-door census reporting.
BYOD will have its day in government, Forrester predicts: “Next-generation government employees will demand BYOD.” As baby boomers retire, “digital natives” will replace them, and having “grown up using personal devices,” they will expect to be able to do so at work.
William Matthews is a veteran defense and technology journalist. He has worked as a senior writer with Defense News, Army Times, FCW, and other publications.