President Trump’s reluctance to give up his personal smartphone following his inauguration is well documented. It’s also understandable. The highly modified, top secret, certified smartphone that “goes with the office” is so secure it won’t run apps. Former President Barack Obama compared it to a toddler’s phone — no texts, no photos, and he could only make calls from a restricted contact list.
While the president’s phone is a unique case, the widening divide between most commercial smartphones and the devices issued to federal employees is a problem. Outdated devices hobbled by restrictive security measures are a staple in organizations that deal with sensitive information. Nowhere is this clearer than at the Pentagon.
Allowing Defense Department employees to use their personal devices for work — if they meet minimum security standards and are equipped with additional security functions — would be cheaper, easier to manage and lead to better technology outcomes.
The current corporate-owned business-only (COBO) model not only delays device turnover (lagging seriously behind commercial release cycles) but also emphasizes strict control over how employees use their smartphones. Existing policies assume devices pose an inherent risk to the network. This philosophy limits interaction between smartphones and DOD information, often reducing capable devices to an email platform.
While concerns about security are valid, advances in mobile technology make the trade-off between functionality and security outdated and unnecessary. Cutting-edge mobile processors paired with sophisticated sensors and expanding data storage options (especially those that enable continuous multifactor authentication and virtualization) raise the baseline and render past risk assessments irrelevant.
Today, the COBO approach prevents the Pentagon from fully leveraging the benefits of workforce mobility, which include increased productivity, efficiency, and employee satisfaction. Agencies that don’t keep up with mobile technology will not only end up paying more for inferior technological outcomes, but will also face challenges in recruiting a millennial workforce and struggle to rein in shadow IT.
A bring-your-own-device (BYOD) program would put highly capable, modern devices in the hands of DOD employees now and embed the means to upgrade mobile technology at the speed of commercial development into policy. Incrementally adapting DOD technology better prepares the department for future trends such as the move to cloud computing and wireless infrastructure.
BYOD could also ease the way for a broader modernization initiative to address aging IT infrastructure. For example, continuous multifactor authentication offered on smartphones could provide a more secure alternative to identification and key infrastructure credentials, alleviating the need for common access cards and readers. Widespread use of virtualization could lead to centralized DOD storage on more secure department-managed or cloud-based servers.
Some within the government support BYOD — but that approach is still far from common practice. DOD is the ideal agency to speed up widespread adoption. For starters, the department should lead for this simple reason: to create better technology outcomes for its users. Additionally, a BYOD solution approved by the National Security Agency and the Defense Information Systems Agency, deployed on DOD networks and permitted by DOD contracting policies, could serve as a de facto standard for other agencies and allow them to reap the benefits of BYOD.
Ultimately, advances in policy — not technology — will determine the extent to which the government uses BYOD strategies. The future is already here and it is mobile. Only two questions remain: how long agencies will apply legacy thinking to current technology and at what cost.