Will new commercial mobile encryption affect BYOD policy?

The flip side of default data encryption on mobile devices is that a lost or stolen device won't yield up its secrets -- an important feature for many federal employees.


While law enforcement is up in arms about new default data encryption on Apple iOS and Google Android devices, experts say the policy could have some benefits for federal mobility as well.

Apple and Google are banking that consumers will want increased security for data stored on their devices. Under default encryption, the key that unlocks a device's data is derived from a passcode known only to the user who set it and from a secret embedded in the device hardware, so it cannot be recovered by the garden-variety attacks that work against a key stored on the device or a password guessed offline. The companies cannot share unlock codes with law enforcement, because they never hold them.

According to FBI Director James Comey, this is potentially disastrous for public safety. In a speech last week, he warned of potentially dire consequences for law enforcement from the encryption of data stored on devices, or data at rest. Comey worries the FBI won't be able to access sought-after data, even with a legal warrant or other authorization, because the companies are not maintaining a back door for law enforcement.

The flip side is that a lost or stolen device will not yield up its secrets -- an important feature for federal employees and other users who trade in confidential, non-public or secret information.

The Mobile Security Reference Architecture (MSRA), the CIO Council's handbook for mobility management, lists encryption for data at rest as a key security feature. David Carroll, chief federal architect at cybersecurity firm FireEye, led the team that wrote the MSRA when he was at the Department of Homeland Security. Carroll told FCW in an email interview that "in general, integrated and device implemented encryption is a benefit to users for protecting data at rest from compromise and making it difficult for malware to run due to the required access to the containers and [encryption] keys."

There are a few "buts" here, Carroll noted. One is the potential loss of access to data, a problem magnified when a fed is using a personal device connected to an agency network: if the owner cannot or will not unlock the device, the government data on it is locked too. "Agreements for [bring your own device policies] will have to cover restoration of access to government owned data on the device if they are used for government use," Carroll told FCW.

There will also need to be a significant degree of trust. Because the device builds a unique and virtually unbreakable key out of the user's access code and a secret embedded in the device hardware, Carroll said, it would be "difficult for federal network administrators to escrow or keep a secure copy of the keys so that access can be restored to the data if the employee isn't able, or the device isn't accessible independent of the owner or user."

For data that cannot be replaced, or access that "must have continuity beyond the employee," default encryption could pose problems, Carroll said. He also warned that the most advanced, persistent cyber adversaries will find a way through default encryption.

The MSRA provides for administrators to maintain "remote wipe" capabilities for high-risk federal enterprises, such as those that require mobile devices to store secret and top-secret information. Agencies with "minimal risk tolerance" are advised against allowing employees to connect their own devices to networks in order to maintain control over data, and over applications and hardware function. In other words, there's not so much BYOD at the NSA and CIA.

So while default encryption could be a boon for BYOD users, there are potential exceptions. "If Apple and Google are encrypting the phone – that's an added layer of security for the space my data is sitting in, from a federal perspective," said Linus Barloon II, senior cyber security engineer with Virginia Tech Applied Research Corporation and formerly cyber operations division chief for White House communications, where he was responsible for securing the devices of military users. But there are potential gray areas for employee-owned devices, in the event a federal employee is the subject of a criminal investigation or being probed as an insider threat. Barloon, who wants law enforcement to be able to legally access encrypted data, notes that federal users are already subject to monitoring "when they log in to the government side of the phone," and do not have the same expectations of privacy as ordinary users.

Carroll said he expects native encryption to catch on in the federal workplace, and that it can be implemented in a well-managed BYOD program without limiting access and control by federal administrators over agency data and applications. Mobile devices can be compartmentalized into containers, some of which are administered remotely by the agency. "While the native encryption protects the device in general from loss of confidentiality, the access to the container can be separated for many device and mobile operating systems implementations," Carroll said.
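The two points Carroll makes, that a key entangled with the device hardware cannot be escrowed by administrators, and that an agency container can nonetheless be keyed separately, are easier to see in code. The following is an added example written for this article in Python's standard library; it is not code from Apple, Google, the MSRA or anyone quoted here. The passcode, the hardware secret, the escrowed container key and the stored data are all constructed, the PBKDF2 iteration count is an assumption, and the HMAC-based stream cipher stands in for the AES modes a real device would use.

```python
"""Added illustration (standard library only): a passcode entangled with a
hardware secret, plus an enterprise container key the agency can escrow.
Not Apple's or Google's design; every secret and data item is constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumption; real devices tune this to their hardware
NONCE_LEN, TAG_LEN = 16, 32


def derive_device_key(passcode: str, device_secret: bytes) -> bytes:
    """Data-at-rest key: PBKDF2 over the passcode, salted with a secret fused
    into the device. Without the secret a guess cannot even be checked, so
    neither the vendor nor an agency administrator can rebuild the key off-device."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret, PBKDF2_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. A toy cipher so the example is self-contained;
    production code would use AES-GCM or a key-wrap algorithm."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ManagedDevice:
    """A personal device with native encryption and one agency-managed container."""

    def __init__(self, passcode: str):
        self.device_secret = secrets.token_bytes(32)  # constructed stand-in for a fused key
        self.passcode = passcode
        self.personal_store, self.container_store = {}, {}
        self.wrapped_container_key = None

    def device_key(self) -> bytes:
        return derive_device_key(self.passcode, self.device_secret)

    def save_personal(self, name: str, data: bytes) -> None:
        self.personal_store[name] = seal(self.device_key(), data)

    def enroll_container(self, container_key: bytes) -> None:
        """MDM provisions an agency-generated key; the device keeps it only wrapped
        under the device key, so the container is also locked by the passcode."""
        self.wrapped_container_key = seal(self.device_key(), container_key)

    def save_to_container(self, name: str, data: bytes) -> None:
        container_key = open_sealed(self.device_key(), self.wrapped_container_key)
        self.container_store[name] = seal(container_key, data)

    def wipe_container(self) -> None:
        """Remote wipe of agency data only: drop the wrapped key and the container."""
        self.wrapped_container_key, self.container_store = None, {}


def scenario() -> dict:
    """Walk through the cases the article raises and return what each party can read."""
    escrow = {}                               # agency key escrow, keyed by device id
    dev = ManagedDevice("2468")               # constructed passcode
    escrow["dev-1"] = secrets.token_bytes(32)
    dev.enroll_container(escrow["dev-1"])
    dev.save_personal("photos", b"personal data")
    dev.save_to_container("report", b"agency report")

    # An administrator who learns the passcode but lacks the hardware secret gets nothing.
    off_device_key = derive_device_key("2468", secrets.token_bytes(32))
    # The owner is unavailable, but the agency still holds the container key in escrow.
    recovered_report = open_sealed(escrow["dev-1"], dev.container_store["report"])
    # The escrowed container key opens nothing in the personal area.
    personal_via_escrow = open_sealed(escrow["dev-1"], dev.personal_store["photos"])
    dev.wipe_container()
    return {
        "personal_off_device": open_sealed(off_device_key, dev.personal_store["photos"]),
        "report_from_escrow": recovered_report,
        "personal_via_escrow": personal_via_escrow,
        "personal_after_wipe": open_sealed(dev.device_key(), dev.personal_store["photos"]),
        "container_after_wipe": dev.container_store,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value!r}")
```

Running `scenario()` shows the asymmetry Carroll describes: the agency cannot reconstruct the device key from the passcode alone, so it cannot restore a user's personal data, but because the container key was generated and escrowed by the agency before being wrapped on the device, agency data survives a lost passcode or an unavailable employee, and a remote wipe of the container leaves the personal area untouched.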

While he's no longer a fed and no longer involved with the CIO Council, Carroll said he does not think default encryption will require a policy rethink or big changes to the MSRA. "In general this is why the security decision framework and reference model exists," he said. "These tools help make those decisions when technology changes or mission needs change."