“We are just finishing up a working group with Defense Information Systems Agency and Apple. We are looking at iPhones. We are currently using Samsung and there are a lot of challenges with Samsung and Android. We are looking at how can we better utilize the design from an engineering perspective,” Spinks said at the recent mobile summit sponsored by the Advanced Technology Academic Research Center (ATARC). “My eyes are just glossing over at how much the engineers are really forward thinking about some of the things we at the Department of Defense don’t really have all the answers for and sometimes we are not even thinking about those challenges.”
Spinks said through the pilot her office will develop recommendations for the commandant.
“Those recommendations address not only metrics like discovering what’s on the network, why that’s important to security as well as cost. We are incurring all kinds of budget cuts so it’s not about what the money we have is doing for us, it’s how we are spending it and that return on investment is getting us to where we need to be with the right amount of risk that we are willing to accept,” she said. “It’s a two-pronged approach that turns into advocacy for more funding to focus on mobility and figuring out security versus throwing a bunch of tools at a problem, and looking at automation.”
And those challenges continue to grow especially as more and more Marines, and DoD service members as a whole, rely on smartphones and tablets. It’s unclear how many devices DoD has in all, but if the excitement over the Defense Information Systems Agency’s Purebred mobile certification system, which reached 100,000 devices earlier this summer, is any sort of sign, then the use of mobile devices will only increase over the next few years.
Spinks said the Marines are struggling to understand exactly how many devices are on their networks given how many different networks they manage. But she said that through data center and network consolidation efforts, more light is being shined on the dark parts of the network.
Spinks said one of the biggest challenges the Marines face is maintaining a persistent connection while in an austere or degraded environment.
“Right now we have [a] pilot that’s going on … with an application that is widely used and we’ve had challenges with things such as identity and access management, capturing profiles from the business side into this degraded environment without losing the authenticity or privacy/security piece,” she said. “Another challenge is just getting the thing to work. We get over the hurdles of identity, domain name controllers and all those challenges, and then it doesn’t work. From a combatant command perspective, some of those challenges are easily met with impatience. While we like to concentrate with technical complexities as our challenges, one large piece is getting over the expectation and being realistic that this is something we can figure out.”
Gema Howell, an IT Security Engineer at the National Institute of Standards and Technology and co-chairwoman of the federal mobility group, said the agency is trying to take those best practices of DoD and civilian agencies and combine them with industry’s security needs.
“We worked with industry to get some commercially available tools in-house to put the standards to work. What we did initially was we went through a risk assessment process and used their methodology to take the threats and privacy concerns and bundled that with meeting the government’s standards and showed how you can mitigate specific threats within your own enterprise or organization,” Howell said at the ATARC event. “We recently put that out. It walks through the process of what we did, how you can do that in your own organization and then we have a follow-up document that goes through something similar, but from a bring-your-own device standpoint. In that practice guide, we will demonstrate how you use the cybersecurity framework.”
NIST has been focusing more on the privacy aspects of its cybersecurity guidelines. It is adding an entire section about privacy in the latest revision of its seminal cybersecurity Special Publication 800-53.
Howell said that for the mobility publication, the agency talked with the vendors about their different privacy capabilities and how they deal with data, and added new requirements into the practical guidelines.