BYOD: Bring Your Own Disaster?
As appealing as bringing personal devices to work may be, the downsides are hard to ignore.
The government's tool for re-securing a compromised iPhone.
Q: What's the government process for wiping an iPhone after a security leak?
A: Pound it with a hammer.
Managing mobile devices and their risks, instituting security measures on par with more traditional desktops and laptops, determining what tool to use when things go wrong – these are all commonly cited hurdles to BYOD in federal agencies. But there are so many others that accompany those concerns that it sometimes becomes difficult to imagine it's actually going to happen.
Of course, it's happening already, on a certain level. There are pilot programs. There are options, such as bolting $200 Common Access Card "sleds" onto the device for authentication purposes so Defense Department employees can take their smart phones to work.
But neither of those is the true BYOD policy that personnel in the digital era want: the freedom to use one familiar device to do it all, work and personal, without worries about "leakage" or having all your vacation photos smashed into oblivion.
"If you look at it from a financial standpoint, sure, it's the cost of the device," said Maj. Linus Barloon, chief of cyber operations division in the J3 directorate and cyberspace officer in the Air Force's White House Communications Agency. "But when you look at the man-hours associated with cleaning up a spill for a regular device, and now toss in a smart device – it's just easier to stay away from bring-your-own-device, issue the user one of your own devices such that you can [install] the governmental controls."
It is not just the devices, either. The data itself and the policies that govern BYOD present just as much, if not more, of a problem, officials said July 24 at MeriTalk's cybersecurity brainstorm event in Washington. The discussion there represented a snapshot of a conversation that is playing out across agencies and departments.
"There are more implications to BYOD than to cybersecurity," said Joe Johnson, managed mobility program manager at the General Services Administration. "Some of that has to do with legal, some of that has to do with employee unions – who pays for the devices, are they getting reimbursed? What are the legal implications of data that could be lost? It's a Pandora's box that I don't think anybody has really figured out yet. It's probably easier to think of BYOD from a security policy point of view than it is with the broader policy implications that extend beyond security policy itself."