For almost as long as smartphones have existed, defense IT leaders have wondered aloud whether they’d ever be able to securely implement a bring-your-own-device (BYOD) approach to military networks. The Air Force thinks it’s finally found a way.
The Air Force’s program comes with a slight caveat: it’s actually called Bring Your Own Approved Device (BYOAD); airmen won’t be able to connect just any old phone to DoD networks. But Air Force approval is tied directly to the National Information Assurance Partnership’s product compliance list, so the most commonly sold devices from the biggest manufacturers — including Apple, Samsung, Google, and others — are covered.
Air Force officials first published a policy update authorizing the program in February, but the remote work demands created by COVID-19 kicked it into high gear, said Eric Lubeck, the cyber capabilities chief at Air Combat Command.
“The need to telework across the force drove capability growth for our program and others out there,” he said Wednesday during the annual AFITC conference, held virtually this year. “The ability to access information from anywhere at any time is pivotal to success in the Air Force in how we would like to communicate in the future, and BYOAD is one of many things that we’re doing to enhance that ability for our end users.”
For now, the BYOAD software is only running on a single demonstration device. But Lubeck said it’s been through extensive testing, and officials are now at the point where they’re ready to put it through its paces with a large base of users, once they gain approval from U.S. Cyber Command.
As far as capabilities go, the initial mandate from the Air Force CIO’s office was that users on personal devices be able to access the full range of tools the Air Force provides as part of its Office 365 environment, and be able to digitally sign emails and documents via PKI certificates stored on their phones. The Air Force plans to use the Defense Information Systems Agency’s existing Purebred program to install and manage those certificates.
“Those capabilities have been tested. There’s a few bugs that we’re working out to ensure that everyone will get that capability on day one of our initial operating capability, and we’re to the point now that we’re ready to get additional feedback,” he said. “We really want to get this capability in the hands of the airmen to continue to enhance and improve the capabilities over the long term.”
Air Force officials didn’t immediately respond to questions about the timeline for the BYOAD program and when it might be rolled out to a larger base of users. But Lubeck said the service is eager to deploy it to the “total force” — uniformed members, civilians and contractors. Each employee will be allowed to enroll up to three separate mobile devices.
Contractors are likely to be last in line, partly because of legal complications associated with the fact that each contract is different. The Air Force will also need to sort out legal issues surrounding service members taking their personal phones across international boundaries, since data privacy and search and seizure laws vary widely from country to country.
“The judge advocate community has been working with us on the programmatic side to roll out this capability to ensure that we could mitigate any risks that would be inherent in taking a personal device over a border and having a customs agent from another country take a look at the device and say, ‘Hey, I wonder what this is,’” Lubeck said. “[In those cases], we’ll suspend access and then reinstate access when someone is at a place where we’re more comfortable rolling out the capability.”
Whenever it’s rolled out to the total force, enrollment in the BYOAD program will be voluntary, and the February policy makes clear that Air Force leaders aren’t allowed to use it as a way to save money by requiring airmen to use their own devices in place of government-owned ones.
But if employees do opt in to the program, they’ll need to sign a user agreement and agree to take certain security precautions, including keeping their phones patched with the latest security updates. They’ll also have to agree to install Air Force mobile management software designed to keep government data separate from personal data.
“We don’t care what websites you visit, we don’t care what apps you have on your personal phone,” Lubeck said. “But if you were to go to a site that downloaded malicious things on your phone, or you downloaded an app that had the ability to steal credentials off your phone, we as an Air Force would be concerned about those types of things. That’s what the security tools provide: the ability to securely manage that separation between what’s on the personal side of the phone and what’s on the government side of the phone.”
In the case of serious security incidents, the Air Force does reserve the right to require users to temporarily hand their devices over to authorities as part of an investigation. But Lubeck said it’s unlikely the service would ever need to destroy a personal device, even in the most dire circumstances.
“We’ve put things in place so that a user device should never have to be wiped. We tried to manage all of our things at the application level,” he said. “The goal is all of our applications are housed either in a government cloud, or they’re locked down to where we could wipe all of the data and access to those applications without impacting the personal side of the phone. If something bad happened, we would restrict access to the app, remove the app, reinstall access to the app, and all the things that we’re concerned about, if done correctly, are no longer there.”