Cloud and BYOD Security Concerns Make Military and Intelligence Agencies Hesitate

If the shift to cloud computing and the adoption of BYOD policies seem like an inevitability in the corporate world, they are anything but in the military and intelligence communities.

In a panel discussion Tuesday at a government IT conference, Debora Plunkett, information assurance director at the National Security Agency, joked that she would break out into hives at the mere mention of the term "BYOD."

But just as private-sector employees have been clamoring for authorization to bring their iPhones, Androids and other devices into the workplace, federal workers--including those who deal with classified information--have been voicing similar requests.

"We have a--not unexpected at all--a large client set who are just craving for the ability to do the things at work that they do at home. It's not rocket science," Plunkett said. "It's really happening across the corporate landscape. That's where it originated and there is a groundswell of interest and actual implementation in corporate America and the corporate world. And, not surprisingly, what has been proven successful in a corporate environment drives our requirements for the same capabilities in government."

BYOD Productivity Brings NSA Concerns

And she acknowledged that opening the doors to a new crop of ever-more sophisticated devices could translate into a more productive and efficient workforce, just as many private-sector CIOs have concluded.

"But what comes with those opportunities are some significant challenges, and I live in that space on a daily basis," Plunkett said. "It really starts with an understanding that there really are adversaries out there who have every intent to gain access to the secrets that we try to protect. And who have every intent of disrupting our ability to conduct the business of government. And who have every intent of reducing our confidence in the information that resides in the information systems that we trust. So our responsibility then is to raise that bar from a security perspective while still enabling the business of government to go on, and to go on in a way that allows us to use state-of-the-art technologies and tools and techniques, but being ever mindful to the right of the adversary who is out there."

IT officials at the Pentagon are experiencing a similar friction.

"It's very simple: 'I want one device.' I don't think it's any more complicated than that," Robert Carey, principal deputy CIO at the Department of Defense, said of the growing demand for BYOD policies. "Balancing ease of use and security is always the dynamic. Security is the antithesis of convenience."

By its sheer scale, the DoD is a uniquely challenging IT environment. Carey has been leading recent efforts to consolidate and standardize the DoD's far-flung computing environment while also working to bolster the security of its enterprise architecture. At present, the department runs about 10,000 distinct systems, maintains 1,500 data centers and upwards of 65,000 servers.

But in the mobile arena, the DoD is a fairly homogenous environment.

"We have very few devices at the DoD. We are pretty much a BlackBerry house," Carey said.


Blackberry Scores in Government Work

Carey noted that the Pentagon is currently running multiple pilot programs to test various devices from other manufacturers, and is working with vendors to harden mobile operating systems to meet DoD security requirements. But he set RIM, the maker of the BlackBerry, apart from other device makers for its focus on enterprise-grade security from the outset, whereas Apple's iOS, Android and other operating systems began with a consumer-centric approach and have only been beefing up security in response to concerns from corporate and government customers.

"We have to manage this very carefully as we move into the future and make sure that these are not additional attack surfaces," Carey said. "I don't know that we'll quite get to a pure BYOD environment."

Plunkett also posed a practical challenge that agencies like the NSA have to deal with concerning what's known as "spillage," when information from a higher classification level ends up on a lower classification domain. The normal response at the NSA is to remove the device involved from the network, which sometimes means destroying it.

In a BYOD environment, would that mean confiscating and potentially destroying an employee's personal phone? "That's a whole new scenario, isn't it?" Plunkett said.

IT managers in the military and intelligence communities are similarly cautious in their approach to cloud computing. While the Obama administration has issued directives calling for agencies across the government to put the cloud at the forefront of their technology agenda, the issue is complicated when sensitive or classified information is in play.

Plunkett and Carey were both dismissive of public-cloud deployments for all but that information which is publicly available without restriction. The DoD is currently focused on private, internal clouds that it builds in-house, applying stringent security standards and skirting the thorny issues that arise in the drafting of contracts with private vendors.

"You've got to make some pretty big decisions up front," Carey said. "You have to understand, A: your information, and B: is it suitable and germane to go into a public or private cloud."

In any case, when an agency is working with an outside vendor on a cloud deployment, federal personnel must ensure that their private-sector partners have a "crisp understanding of the security requirements," Plunkett said, emphasizing the importance of writing the specific security stipulations spelled out in the government's FedRAMP program into the contract.


"To the extent that we can get industry understanding and comfortable with the requirements that we have, and then get them committed to making changes in their products, that really not only raises the bar from our requirements, but raises the bar really for the world, because these are now commercial commodity products," she said. "They're going to become available for everyone."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for
