BYOD resistance explained


Despite the near-ubiquity of personal smart phones, agencies are often reluctant to allow employees to use their own. (Stock image by graphiteBP)

One would think that agencies would by now be warming up to the notion of allowing employees to bring the mobile devices of their choice into their working lives – a concept commonly called “bring your own device” or BYOD – but many agencies continue to resist the idea.

Not surprisingly, some of the government organizations hesitant to adopt BYOD include parts of the Defense Department and intelligence community, where the prevalence of highly sensitive, classified data makes leaders think twice about opening up anytime, anyplace access.

“BYOD is something I think we aspire to…but for an organization of our scale, this is something that’s hard to address. We currently have upwards of 400,000 devices in the Department of Defense,” DOD Deputy CIO Rob Carey said Oct. 23 at 1105 Media’s Cybersecurity Conference in Washington. Managing so many devices and systems means that logistics, support, legalities and privacy are already hard problems to solve, without the added complexity of employee-owned devices. In addition to the obvious security concerns, BYOD also raises serious questions about how officials should handle mishaps that already have well-established protocols for government-issued tools.

“In today’s environment, we occasionally have something called a spillage,” which is when information breaches classification levels, said Debora Plunkett, information assurance director at the National Security Agency. “The procedures for dealing with it are to remove the device, and depending on where the device is in the ecosystem, sometimes you have to destroy the device. Imagine how that would work in BYOD where I’d have to say, ‘Oops, I need your phone, and you can’t have it back’? That’s a whole different scenario.”

A number of new initiatives are exploring the best ways to deal with BYOD and its inherent security concerns, including pilot projects at NSA, DOD and the Department of Homeland Security that test security across different devices. The search for ways to take advantage of the benefits of BYOD without introducing a new attack surface for adversaries is promising, the panelists said.

Although there are still areas of serious concern to be addressed — liability being a critical one, they noted — there’s no denying the power of the BYOD movement. “It’s happening across the corporate landscape, and there’s a groundswell of interest and implementation in corporate America,” Plunkett said. “Not surprisingly, if it’s proven successful in a corporate environment…it [makes its way] into the government. We have to tread very carefully. But there are cost efficiencies and flexibility…and that provides a lot of opportunities.”

According to Carey, the undertaking is much bigger than just the devices or the mobility trend.

“At the end of the day, this is really about getting to a place where someone can render a more complete decision faster or conduct a transaction in near-real time,” Carey said. “These devices are not about anything more than that.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.



Reader comments

Mon, Nov 5, 2012 makennafulwood

We have struggled with BYOD since we are a hospital and we have HIPAA security issues to deal with, and we are too small to get a large BYOD system. We started by trying to solve our biggest issue, which was doctors texting patient info to admin and other doctors. We did this by giving them Tigertext app for their devices which is a secure texting app that is HIPAA compliant. The result is that we increased the doctor/admin productivity and allowed the doctors to handle more patients. I think this is a good example of what Amber was talking about when looking at trying to balance acceptance with security. There are now a lot of options out there so companies will need to do a lot of research to find the right applications for them.

Wed, Oct 24, 2012

BYOD is a marketing push from reps selling connectivity, I think; not something that is critical or even important for organizations to adopt. It gets sold as a right that government is withholding from its people. There's more at stake than stroking the egos of young feds and being able to claim that a fed organization is "the best place to work" because of a BYOD policy. We have enough accidental and intentional "spillage" now without adding that last degree of convenience for those careless or ruthless enough to leak sensitive data. Sure - enough money and time might reasonably well secure personal electronics, and people can always get to data if they're intent on spilling it, but can we really afford to spend time AND MONEY in this particular budget climate to make people feel "happy" because they can read a case file on their iPhone?

Wed, Oct 24, 2012

I think some assessment of the mobility of the workforce must be made. What level of mobile, is, shall, and will be desired. The most mobile should probably now either be using a BYOD or an employer provided device, (either is just as problematic). There are solutions; what has the Digital Services Advisory Group come up with? In any case the future is now! A highly mobile workforce full of 1099 and contract workers are our economic future—the government is still rooted in an early industrial paradigm. How will the government respond to this? Given its restrained approach to all things open, (i.e. an affinity for compartmentalization), resistance to telecommuting, cloud computing, risk aversion, and results-only work environment, (God forbid), will be forever entrenched in the cathedral, while all the action is at the bazaar.

Wed, Oct 24, 2012 Eric Green

Good article, thank you. I fully agree with the Deputy CIO and Ms. Plunkett. There is a good deal of risk involved with BYOD even in the private sector that organizations turn a blind eye to. So understanding the risk, mitigating that which can be mitigated and having someone sign off on residual risk is the order of the day with BYOD... and never in a rush. Excellent paper on this in a recent BITS journal. Full disclosure: it is written by our Chairman from Mobile Active Defense.
