Should government agencies allow their employees to “bring their own device” (BYOD) to work, or not?
This seems like a reasonable question. In fact, it is not really a question at all. With a few exceptions, government agencies really have no choice in the matter. Government employees will bring their devices to work with them; and if they are told they cannot, they will complain and look for sneaky ways to circumvent the policy. BYOD is a fact, not a choice.
The key BYOD question for government agencies is how much taxpayer money they are going to waste buying duplicative mobile hardware for their employees because they cannot figure out how to deploy secure, cloud-enabled software configurations on the hardware their employees will buy for themselves.
Public officials are like everyone else. They don’t want clunky hardware or balky software. They want a single device that is familiar, powerful, and already an integral part of their lives. Government agencies rarely give them one. So, understandably, they want to bring their own device to work and connect it to the official networks they need routine access to. BYOD has the potential to increase employees’ productivity and job satisfaction – a rare feat – and to reduce the number of devices they need to carry around.
The central problem with BYOD, of course, is security. Conventional wisdom holds that tracking and controlling access to enterprise data from uncontrolled personal devices is too difficult and therefore too insecure. At the moment, this conventional wisdom is correct. The security problems with mobile devices are legion. User identification and authentication are usually single-factor (passwords); and the form factor of mobile devices, in addition to working against two-factor authentication, generally works against strong passwords as well. Mobile devices have too many different operating systems and far too many applications, many of uncertain provenance, and all requiring constant patches. The wireless networks used by mobile devices are widely distributed, decentralized, and almost universally provided by third parties (e.g., Verizon, T-Mobile, etc.). Employees are not just inadequately trained in proper computer hygiene; they are also not uniformly trustworthy. Their compliance with enterprise-wide security policies is hard enough to monitor at a fixed workstation connected exclusively to a centrally controlled wired network; on a mobile device, monitoring all employees’ compliance with enterprise-wide security policies is virtually impossible.
The key caveat to all these security problems with BYOD is, of course, “at this moment.” None of these current security problems with BYOD are technologically insuperable. The critical roadblock at the moment is the instinctive conflation of cyber security with iron-fisted control over hardware issuance in the minds of chief information officers and security mavens worldwide. Once control over hardware issuance is conceptually decoupled from cyber security, the conversation can shift to where it really belongs, which is BYOD standard-setting at the software and mobile-network level.
With respect to these standards, there are two key points.
First, technology developers and vendors, like everyone else, respond to incentives; if there is clear demand from the market for secure software configurations for a BYOD workplace, suppliers will respond over time. If there is no clear demand, suppliers will not respond and the BYOD workplace will remain unacceptably insecure. Prohibiting employees from bringing their own devices to work is thus a fool’s errand in two respects. Not only will employees resist and circumvent the ban; but prohibitionist BYOD policies will create disincentives and delay suppliers from eventually offering the software and network configurations needed to make the BYOD workplace acceptably secure.
We can already see how a nascent market for BYOD security is taking shape. A few Federal agencies have begun to permit BYOD for their employees. As a condition, however, they require that employees permit the agency to install mobile device management software on the employee’s device. The software can limit what that device can do on the network, enforce password protocols, and even allow the agency’s IT department to perform a “remote wipe” should the device be lost or stolen. It also establishes protocols that limit the access of employee-owned devices to a secure subzone of the total agency network. To be sure, this market is immature, but it offers promising solutions that should be encouraged and not disincentivized.
Second, the objective for BYOD security should not be perfect security but instead security that is no worse than the security provided at the enterprise’s fixed workstations on its centrally controlled wired network. This is perhaps an uncomfortable starting point for most CIOs, since it is an express recognition of the weaknesses in the security of the physical workspaces they putatively control. But it is unreasonable and counterproductive to hold BYOD mobile security to higher standards than are required at physically controlled, fixed workstations. In practical terms, this means that a central pillar of an enterprise-level BYOD security strategy will be virtualization, both at the network level (via the creation of virtual private networks that merely tunnel through wireless networks provided by third parties) and at the mobile-device level (i.e., the configuration of mobile device hardware and software to permit the simultaneous functioning of more than one operating system). One can envision mobile configurations that prohibit processes that access government data from running on the mobile device itself. Instead, they will allow the mobile device to access (after authentication) a more secure remote system that runs those processes and accesses the data, without ever storing the data on the device.
The U.S. government has multiple interests and multiple responsibilities as BYOD sweeps through workplaces around the world. One U.S. government interest is as a very large employer – indeed, the single largest employer in the United States. BYOD is at least theoretically an opportunity for the U.S. government to both save money and make U.S. government employees happier and more productive. But BYOD is also a threat to the integrity and privacy of vast troves of U.S. government data, not to mention the data of millions of U.S. companies and persons. Thus the second, and more important, interest and responsibility of the U.S. government is to articulate clear standards for baseline BYOD configurations. Once it does this, the U.S. should lead by example – essentially showing the courage of its own convictions by authorizing U.S. employees in most government agencies to bring their own devices to work and to use them as the physical portal for official functions performed in a virtualized, secure mobile environment.
Richard Falkenrath is the former New York City Police Department Deputy Commissioner for Counterterrorism (2006-2010) and Deputy Homeland Security Advisor to the President (2002-2004). He is currently a principal at The Chertoff Group, a global security advisory firm, which advises clients on cybersecurity.