Agencies find various ways to tackle the BYOD challenge.
As federal agencies continue to struggle to find secure ways to integrate the mobile devices employees demand into the workplace, the debate over the best approaches endures.
Whether it’s a carefully crafted policy for personal devices or standard operating procedures that involve a sledgehammer to an iPhone, beliefs about the best ways to handle mobile security vary by organization.
Increasingly, decision-makers are calling to look beyond the device. Often that means implementation of comprehensive mobile device management programs that feature remote-controlled access, or in-depth strategies for securing the data rather than the device doing the accessing, or a number of other solutions surfacing in the commercial sector. But perhaps the key to successful federal workplace mobility is a better understanding of the bigger picture — how all the different pieces fit together.
“Agencies may have their own policies on mobile and the environment we’re in now, and they’ll do our best … but this problem is much bigger than a mobile device,” said Phyllis Schneck, deputy under secretary for cybersecurity in the Homeland Security Department’s National Protection and Programs Directorate. “It’s more about what we understand about the things that we’re sending and how we make them part of our overall ecosystem.”
The “ecosystem” concept isn’t new for security, but it is taking on renewed popularity for federal cybersecurity executives on the public-speaking circuit. It seems to be especially apt when it comes to mobility, which can be a wild card in any well-secured enterprise, introducing a world of new threats and vulnerabilities into networks.
If federal cybersecurity really was a physical ecosystem — like the Florida Everglades, or closer to home, the Potomac River system — mobility would be the invasive pythons in the Sunshine State swampland, or the invasive snakehead “frankenfish” frequently caught in the waters near Washington. Except mobility is decidedly more helpful.
Back in the digital world, the idea of an entire mobile ecosystem is more of an analogy — but it’s also a top priority at the Defense Department, as Defense Information Systems Agency Director Lt. Gen. Ronnie Hawkins recently noted about his agency.
“This whole concept of an ecosystem is building capabilities, features and control points that we manage that mitigate the risk from the end points, and that also give us the ability to provision services and the information-sharing and all the other things that will make mobile devices a robust portion of the architecture,” said Mark Orndorff, DISA program executive officer for information assurance and network operations. “It’s really bigger than just security.”
Getting better control over mobile network security means more than just locking down data and closely managing access controls, although those things are both important. At a higher-level view, comprehensive mobile security first means having a thorough understanding throughout the organization — not just in the board room, the C-suite or the IT department.
“If you ask about the biggest threat to cybersecurity … you expect to hear something exotic, some foreign country, but it’s not. It’s the lack of understanding, our lack of control,” Schneck said. “Our Internet, with the way it was built and the way we use our mobile devices, takes all of this traffic and sends it wherever the sender wants. So what we have is a lack of understanding at all levels of what it really takes to get traffic there, what it takes to protect traffic getting there, and all the way through our supply chain.”
As mobility drives an increasingly interconnected network environment throughout the federal government, the improvement in understanding needs to go beyond just within a given agency. That’s where the growing need for information-sharing comes into play, officials insist.
“Very much a part of that is that awareness that we all need to be sharing on what’s happening to whom and when in a way that’s privacy-protected. Then we can start to block bad things from getting to the target no matter what the device is or looks like,” Schneck said. “Someday this is going to get easier. And the sooner we start to work together to understand our supply chain and what it takes for each of us to make this ecosystem work well together, that’s the day our adversaries quit dancing in the streets. It goes far beyond mobile.”