'Bring your own' devices pose challenges for government
By JOHN FRITZE and The Baltimore Sun
Feb 22, 2013 | 2:57 PM
Mika J. Cross, a human resources manager for the U.S. Department of Agriculture, sometimes uses a laptop issued by the agency. But she is far more likely to check email or collaborate with colleagues on one of her two personal computers.
As someone who frequently works from home, she finds using her own technology more convenient.
"It allows for greater flexibility," said the 39-year-old Waldorf woman, who oversees a program that helps employees balance work and personal commitments. "I'm able to pick up and work, no matter where I am."
While federal agencies are encouraging workers to telecommute, the use of personal laptops, smart phones and tablets for work is raising questions about the security of government data. As mobile technology becomes ubiquitous, managers are scrambling, with scant guidance, to draft "bring your own device" — or BYOD — policies.
The challenges are many. With cyber attacks on the rise, federal officials are wrestling with how to lock down information if a phone is hacked or stolen. Lawyers are looking into how to keep personal and government data on a laptop separate in the event of an audit, subpoena or Freedom of Information Act request. Financial officers are considering whether to reimburse workers for their personal phone plans.
With minimal direction from the Office of Management and Budget, federal agencies have largely been left on their own to sort it out.
Just more than half of federal employees who use a smartphone for work are using their own devices, according to a recent survey by an advocacy group called Mobile Work Exchange. But a third of those employees don't protect their devices with passwords. And more than 60 percent said their agency doesn't have a security policy in place.
The government does not track personal device usage.
"Security and privacy are the biggest challenges," said Cindy Auten, general manager of the group, which is funded by public and private organizations, including several technology companies. "There's a real interest from federal employees who want to use the devices that they're most comfortable with."
TheGovernment Accountability Office found last year that the number of security breaches involving sensitive government data increased nearly eightfold from 2006 to 2011. And there have been high-profile cases of laptops with sensitive data being stolen, such as the 2006 theft of a Veterans Affairs computer in Aspen Hill that contained personal information on millions of veterans.
But technology experts say the increased use of mobile devices to perform federal work is inevitable and beneficial, particularly as agencies push telecommuting.
Of 2.2 million federal workers nationwide, nearly 685,000 are eligible to do at least some of their job from home.Of those, 168,558 reported telecommuting at some point in September 2011, up from about 114,000 in 2010.
Rep. John Sarbanes is author of a 2010 law that expanded federal telework. He said agency leaders could develop mobile device policies as part of broader telework plans called for in the law.
"Mobile devices and remote computing are components of the professional world that are here to stay," the Baltimore County Democrat said in a statement. "The government needs modern IT security policies, and developing a comprehensive federal telework plan is one way to ensure that happens."
The USDA has secure systems in place to allow employees to use their own computers — namely, a virtual desktop that stores sensitive information on the agency's servers rather than the personal computer itself.
But Cross said the agency does not yet permit employees to use personal smartphones to check e-mail.
"The government is certainly moving toward being more flexible in order to support its mobile workforce," she said, "but it takes time to do that securely."
Encouraging the use ofpersonal devices can also be a cost saver, supporters say, because it slows down the rate at which government-issued technology must be replaced.
In one example, the Alcohol and Tobacco Tax and Trade Bureau — part of the Treasury Department — trimmed $1.2 million from its $2 million computer budget last year by having employees use their own devices.
The OMB issued broad guidance on the issue in August in a report that detailed three government agencies that had implemented bring-your-own-device policies.
The Gaithersburg-based National Institute of Standards and Technology has drafted guidelines for securing all mobile devices, whether government-issued or personal.
"When this was initially floated two years ago … many reacted as if it was an impossible thing to do," said Adam Sedgewick, asenior information technology policy advisor for the NIST.
"Today, we're seeing greater expectations that BYOD is something that the government needs to consider, while developing related security guidance."
Private companies are wrestling with the same challenges of balancing security with convenience, Sedgewick said. Many industries have voluntarily adopted the NIST's guidance for their own systems.
The federal government is also looking to states as managers draft plans to deal with personal devices. Officials in Delaware unveiled a bring-your-own-device policy two years ago that the OMB and others say demonstrated the challenges and opportunities agencies may face as they adopt their own.
More than 1,000 state workers have opted to use their own devices under that policy, said Bill Hickox, chief operating officer for Delaware's Department of Technology and Information. Users agree to several layers of security on their personal phones — including giving their employer the ability to wipe the device remotely — and receive $40 a month to reimburse them for personal voice and data plans.
The pilot program saved more than $100,000 in technology costs, Hickox said. But enrollment slowed as wireless companies began limiting the amount of data users can access on a phone in any given month.
The state has decided to keep the program voluntary.
Hickox said officials developed the security policy because they recognized the inevitability of state employees incorporating personal technology into their work routine.
"Instead of saying, 'No, you're not allowed to do it,' we recognized that people are going to try to do it," Hickox said. "They're already doing it today."