Managing the risk posed by smartphones in government

It is no secret that cyber vulnerabilities are among the most dangerous threats to U.S. national security. Over the past decade, various new policies and programs and billions of dollars have been directed at strengthening cybersecurity for the federal government. Despite these efforts, rogue actors and criminal networks have found ways to access government technology assets and steal sensitive data.

The problem is exacerbated by the advent of bring-your-own-device (BYOD) policies across the government. To that end, more strict guidelines need to be set in place to thoroughly manage the risks posed by the shift to BYOD.  

{mosads}Some agencies have already implemented BYOD programs including the General Services Administration, the Equal Employment Opportunity Commission, and the Merit Systems Protection Board. To support and prepare for these efforts, the White House Digital Services Advisory Group, in conjunction with the CIO Council, offered guidelines for agencies that decide to pursue BYOD. The guidance is intended to “reduce costs, increase program productivity and effectiveness, adapt to a changing workforce, and improve user experience.”

So far, agencies such as the Department of Defense (DoD) have granted approval of the Blackberry, Windows, and iPhone operating systems for BYOD programs.  However, DoD hesitated to fully adopt the Android platform and placed some restrictions on its usage because of its open-source approach. This resulted in hackers writing malware on the platform and also gave rise to concerns about the Google Play App store’s lenient submission policies. 

Employees who use their own phones to connect to government networks for convenience, ease of use, and enhanced productivity may not be aware of these threats, which pose significant risks to agency data and to their personal information. Unknowingly, these devices can become entry points for hackers and criminals infiltrating government networks or stealing sensitive data.

What can the government do to minimize the threat posed by this type of vulnerability? The FBI uses a model worth considering, although for another type of potentially dangerous type of device – firearms.  The Bureau operates a strict program for agents who want to use their personally-owned weapons on the job.  Agents may purchase their own firearm and use it on official business as long as it appears on the FBI-approved weapon list, and are required to take an annual exam to test whether they qualify to use the handgun.  If the agent fails, training classes are available to help improve his or her skills until meeting the required level.  Lastly, agents must follow the “cardinal rules” of firearm safety at all times; these rules are published in official FBI policy documents. 

Similarly, agencies can set standards for mobile devices connected to government networks. For instance, at a minimum, all devices should be FIPS-140-2 compliant.  The same White House Digital Services Advisory Group guidelines suggest three security considerations: 

1)   “Information security (operating system compromise due to malware, device misuse, and information spillover risks);

2)   Operations security (personal devices may divulge information about a user when conducting specific activities in certain environments); and

3)   Transmission security (protections to mitigate transmission interception).”

Similar to the FBI’s approach, an agency can determine which platforms and devices are the best fits by balancing its security and privacy needs with individual preferences for specific technologies. Applying set criteria to mobile devices will help define the most secure options for federal employees’ use.

In addition, the approved devices should be “tested” when they are connected to government networks to ensure they meet security standards. Agencies could also test employees’ knowledge of cybersecurity policies when signing up for BYOD programs, ensuring that users are aware of the potential threat they introduce to government networks through their mobile devices.

The implementation of such an approach would need to be phased-in due to limited government resources, legal concerns about appropriate usage, and permitted applications on devices connected to government networks. Ultimately, addressing these challenges in the context of an “approved devices list” will make significant strides in improving BYOD program effectiveness and securing government technology assets.

Anderson is an expert at SafeGov.org, an online IT forum dedicated to promoting safe and secure online solutions for educational institutions. Before joining the Civitas team, she served as the acting assistant secretary for Policy and Planning and deputy assistant secretary for Planning and Evaluation at the U.S. Department of Veterans Affairs in the Obama administration.