Mobility Management

BYOD: Why managing devices is not enough

Smartphone in hand

As part of the Digital Government Strategy, agencies are embracing mobile computing and developing policies to address the emerging bring-your-own-device trend.

Developing BYOD policies is beneficial because they will help agencies reduce costs and increase productivity. But federal agencies have particular challenges when it comes to implementing BYOD: They handle data that must be protected for reasons of national security or taxpayer privacy, and they are the targets of a determined subset of attackers.

The defense industrial base and the intelligence community are obvious objectives, but any federal agency has escalated risk.

Cybersecurity incidents at federal agencies have increased 680 percent in the past six years, according to the Government Accountability Office -- and those are just the incidents we know about. That number is expected to increase as more personal mobile devices connect to agency networks and applications.

Given that malware and stolen identities are primary avenues of attack, here are some steps that agencies can take to ensure that their BYOD policies are as effective as possible.

1. Understand the malware risk. It is increasingly difficult to avoid malware. Users can unwittingly pick up drive-by downloads through common activities such as clicking on shortened URLs in Twitter, doing an image search or even clicking on an infected ad in a trusted site.

Furthermore, personal systems typically lack the malware defenses of managed systems. The risk of acquiring malware increases for devices, such as iPads, that are shared among family members. And because smart phones are on the rise, attackers are writing more malware for mobile apps.

2. Be aware of the identity problem. Often, the purpose of a malware program is to gain log-in credentials. That means agencies have to worry about malware on any device that employees or contractors use because their credentials are at risk of being compromised.

Common Access Card authentication is not enough to protect systems from stolen identities and malware. For instance, Man-in-the-browser Trojan horses on a legitimate user's device can hijack an authenticated session using CAC cards. In addition, attackers are targeting the certificate authorities, such as EMC’s RSA, to effectively gain the keys to the kingdom.

3. Focus on applications. The BYOD discussion typically focuses on managing devices. But the larger threat for agencies is to their applications and data because inconspicuous malware on personal devices -- mobile and otherwise -- can let attackers gain access to federal systems.

There are steps that every agency can and should take immediately to address the growing risk to sensitive applications and data. As always in the security field, a layered defense is the best strategy.

* Help protect your employees against malware. If possible, give your employees malware protection for home computers and personal laptop PCs that they use to access government applications.

* Analyze incoming connections for malware. Use real-time technologies to examine incoming connections to sensitive systems for signs of malware manipulating the session. This will alert you to potential attacks or other malware that could compromise a session.

* Add device identification. By adding device identification technologies to sensitive applications (including email), you can find devices that do not match a legitimate user -- for example, those that hide their true location or are known to be infected with malware.

For even better coverage, make sure those defenses can share information with one another and with a global network of known threats and malicious systems.

About the Author

Andreas Baumhof is the chief technology officer of ThreatMetrix.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Tue, May 28, 2013 Masvetti DC

Lets see what everyone thinks of VA's BYOD. With all of the issues facing the VA with IG investigations of corruption, Baker sneaking out in the middle of the night, Bob Howard's sexual relationship with his underling, employees unaccountability and I assume missing, SES and GS14's and 15's padding resumes to get these high paying jobs and not knowing a thing about IT and lets not forget how most of these leaders go into thse positions in the first place. My cousin was the CIO, Albinson so I should be the Deputy CIO too. So BYOD, do you really think these managers have a clue on how to ge that working.. I would say no. They are too busying trying to figure out why a GS15 who should of past FACPPM training years ago can't do it now. Better yet, why that same GS15 is really good long term friends with a SES and why that GS15 has been a program manager and the COR of a $50mil contract when she has never been certified as a COR. Welcome to OIT and the continued 250 reorgs since 2004. Same crappy managers retiring with huge salaries at GS15 step 10 and they no nothing of IT.

Mon, Apr 29, 2013

I think this article is focusing on the wrong risks or at least being very myopic. Sure, malware is an issue but that's not unique to BYOD. Any company-issued device (whether it's iOS or Blackberry, etc.) can be infected with malware somehow. Data leakage, co-mingling of sensitive company data and personal data, and not having control of your data is the real problem. Not to mention how BYOD enables employees to steal or mishandle information for any variety of reasons including disgruntlement, maliciousness, or to corporate espionage which cannot be tracked if the information would already be permitted on the device.

Mon, Apr 29, 2013

"Developing BYOD policies is beneficial because they will help agencies reduce costs and increase productivity." Ah the myth that the govt can spend less money while increasing productivity. As long as they take the steps outlined, they can mitigate the risks. Of course these steps will cost a lot of money in labor and hardware/software. Run that part by me again that said we can reduce costs whil increasing productivity.....right, as long as we spend a lot to do!!

Mon, Apr 29, 2013 Beltway Billy

The Govt has good user authenication - CAC & PIV... but horrible when it comes to authenicating device (e.g. TPM for laptops; soft certs for all devices, many possible characteristics for all devices) and autheniticating apps / software. Unfortunately, there's not a great deal of COTS available in this area.

Mon, Apr 29, 2013 Beltway Billy

Your article mis-directs..... Malware is big problem on Android & Windows, less on MacOS, Linux and Blackberry, but absent on IOS. There is no anti-virus on iOS because the model simply doesn't allow it.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group