New Federal Mobile IT Strategy Must Address Security

"It's a really important aspect, and it needs to be done early on. It needs to be done in a way when you're developing your policies, [they] are going to drive the security requirements," Tony DeLaGrange, senior security consultant with Secure Ideas, said at a conference here following the release of the White House's Digital Government Strategy. "Let's make sure that only the applications I want on there are on the device."


The new White House plan tasks agencies with converting their troves of data into formats that are readily accessible to the public, and remaking the central online hub for government information,, as a "data and API catalog" that pulls data from agency sites. By synching individual government sites with the central federal repository, that effort will aim to ensure that there is "no wrong door for accessing government data," federal CIO Steven VanRoekel wrote in a blog post announcing the new initiative.

"At its core, the strategy takes a coordinated, information- and customer-centric approach to changing how the government works and delivers services to the American people," VanRoekel said. "Designing for openness from the start -- making open data the default for government IT systems and embracing the use of web APIs -- enables us to more easily deliver information and services through multiple channels, including mobile, and engage the public and America's entrepreneurs as partners in building a better government."

Additionally, the Digital Government Strategy directs agency CIOs to optimize their public-facing data for a new crop of smartphones, tablets and other mobile devices. That includes setting a new default standard of open data and Web APIs for government information.

"Over the next 12 months, you will start to see an important shift across the federal government," VanRoekel said. "Agencies will increasingly open up their valuable data to the public and set up developer pages to give external developers tools to build new services."

The blueprint also calls for the formation of a new centralized advisory group to eliminate information silos between agencies and preside over the "shift to a shared-platform culture." A recent report on the use of Web technology across the federal government found 150 distinct implementations of 42 separate systems to create and publish Web content, distributed through the use of some 250 hosting providers.

"We will do all of this while reworking the federal government's own use of mobile -- saving taxpayer dollars and providing better service by bringing consistency to the way we buy and build for an increasingly mobile workforce," VanRoekel said.

DeLaGrange said he was encouraged that the new plan acknowledges the unique security risks that come with an increasingly mobile workforce, which include threat vectors related to both the applications and data stored on the devices, as well as vulnerabilities in their connections -- both cellular and Wi-Fi networks -- and, of course, the wildcard challenges associated with end users.

"Users are a struggle," he mused, advising both government agencies and enterprises to develop a mobile awareness initiative to educate their workforce about mobile security threats, including guidelines for appropriate data sharing and policies stipulating what sorts of applications can be installed on the devices.

"We need to make sure that we enforce the security settings on these devices in such a way that users can't turn them off," he said.

At the same time, DeLaGrange warned against a reaction common among security workers when new devices or applications are brought behind the firewall: instinctively disabling potentially useful features in the name of protecting the network from as many vulnerabilities as possible. That approach, though noble in its motivation, too often puts the security team at odds with business groups and end users, who tend to view such restrictive security policies as running counter to their own productivity.

"This is where you need a balance [between] that risk and reward," DeLaGrange said, counseling a closer collaboration between security and business units.

The White House plan notes the distinctive security challenges that mobile devices introduce, including the ease with which they can be lost and the potentially insecure network connections they often tap into.

"These problems are not new, as the introduction of laptops into the workforce led to security and data breaches as employees took their electronic devices mobile," the White House strategy states. "However, the new class of smaller, lighter smartphones and media tablets has elevated exposure to this risk."

In that spirit, the strategy directs the departments of defense and homeland security to work with the National Institute of Standards and Technology to develop a baseline security framework for mobile computing in government over the next 12 months. In the interim, the directive contains "milestone actions" for NIST, the Federal CIO Council and other entities to advance the secure implementation of mobile technology across the government.

The White House plan builds on previous initiatives the administration has put in motion to modernize federal IT and open government data both to the general public and the developer community, including, but also comes with an acknowledgement that the government has considerable work ahead of it.

"For far too long, the American people have been forced to navigate a labyrinth of information across different government programs in order to find the services they need," President Obama wrote in a government-wide memo announcing the strategy. "In addition, at a time when Americans increasingly pay bills and buy tickets on mobile devices, government services often are not optimized for smartphones or tablets, assuming the services are even available online."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for
