BYOD resistance explained

The adoption of 'bring-your-own-device' policies is slow in some agencies. At a recent event, experts explained some of the reasons and concerns.

Despite the near-ubiquity of personal smart phones, agencies are often reluctant to allow employees to use their own. (Stock image by graphiteBP)

One would think that agencies would by now be warming up to the notion of allowing employees to bring the mobile devices of their choice into their working lives – a concept commonly called “bring your own device” or BYOD – but many agencies continue to resist the idea.

Not surprisingly, some of the government organizations hesitant to adopt BYOD include parts of the Defense Department and intelligence community, where the prevalence of highly sensitive, classified data makes leaders think twice about opening up anytime, anyplace access.

“BYOD is something I think we aspire to…but for an organization of our scale, this is something that’s hard to address. We currently have upwards of 400,000 devices in the Department of Defense,” DOD Deputy CIO Rob Carey said Oct. 23 at 1105 Media’s Cybersecurity Conference in Washington. Managing so many devices and systems means that logistics, support, legalities and privacy are already hard problems to solve, without the added complexity of employee-owned devices. In addition to the obvious security concerns, BYOD also raises serious questions about how officials should handle mishaps that already have well-established protocols for government-issued tools.

“In today’s environment, we occasionally have something called a spillage,” which is when information breaches classification levels, said Debora Plunkett, information assurance director at the National Security Agency. “The procedures for dealing with it are to remove the device, and depending on where the device is in the ecosystem, sometimes you have to destroy the device. Imagine how that would work in BYOD where I’d have to say, ‘Oops, I need your phone, and you can’t have it back’? That’s a whole different scenario.”

A number of new initiatives are exploring the best ways to deal with BYOD and its inherent security concerns, including pilot projects at NSA, DOD and the Department of Homeland Security that test security across different devices. The search for ways to take advantage of the benefits of BYOD without introducing a new attack surface for adversaries is promising, the panelists said.

Although there are still areas of serious concern to be addressed — liability being a critical one, they noted — there’s no denying the power of the BYOD movement. “It’s happening across the corporate landscape, and there’s a groundswell of interest and implementation in corporate America,” Plunkett said. “Not surprisingly, if it’s proven successful in a corporate environment…it [makes its way] into the government. We have to tread very carefully. But there are cost efficiencies and flexibility…and that provides a lot of opportunities.”

According to Carey, the undertaking is much bigger than just the devices or the mobility trend.

“At the end of the day, this is really about getting to a place where someone can render a more complete decision faster or conduct a transaction in near-real time,” Carey said. “These devices are not about anything more than that.”
