DOD Network Security Scrambles to Catch Up With Employees’ Unauthorized Mobile-Device Use
SILICON VALLEY -- The Defense Department is puzzling over how to get ahead of unauthorized internal use of mobile devices, a cybersecurity official said. Department policy seeks to tightly control what hardware employees use, but “I think some bring-your-own-device stuff is happening anyway,” conceded Richard Hale, DOD’s deputy chief information officer for identity and information assurance. The department hasn’t figured out how to deal with the threat, he acknowledged at the IT Security Entrepreneurs’ Forum at Stanford University. “We hope to start experimenting based on some virtualization ideas over the next year,” Hale said late Wednesday.
DOD employees “want to use mobile on everything,” Hale said. So “one of the things you're dealing with is the explosion of apps,” he said, and “we are trying to figure out is how we can run these things safely.” But “we will see a lot more mobile devices for nonclassified use in the federal government in the next couple of months,” as long as they meet security standards that have been put out, Hale said.
“I just can’t envision a time when we could have a bring-your-own-device policy on the national security system side,” said Debora Plunkett, information assurance director at the department’s National Security Agency. Finding a secure smartphone and tablet remains a high priority for the NSA, she said. “We're making good progress,” Plunkett said. “A lot of work remains to be done. … I'm looking to implement an end-to-end commercial solution to secure my data.”
With every digital trend outside the old firewall “you create new opportunities for bad guys, so you have to think like bad guys,” Hale said. He said his department is “lucky: We have people who think like bad guys” and “help us discover the vulnerabilities.” But they need help from “safe automation” software yet to be found, Hale said.
Plunkett solicited the development of advanced analytics and processing software from the audience. It’s needed to turn a deluge of data into an avenue to discover who has committed a cyberattack, what information was taken and whether the agency “can still operate safely” with the systems compromised, she said. “Resiliency is a really big challenge and opportunity to us.” And “we want to be able to use all that in real time, by the way,” Plunkett said. Hale agreed more broadly that “dependable mission execution in the face of people trying to do bad things” is a central aim of DOD. The “Internet of things,” in which “everything is getting connected to everything else” through sensors, is a big recent preoccupation for cybersecurity at the department, he said.