The Marine Corps’ motivation to let Marines and civilian workers use their own smartphones and tablet computers on the service’s network comes from one main factor: cost savings.
Rob Anderson, the chief of the Vision and Strategy Division in the Marine Corps Command, Control, Communication and Computers (C4) office, said the convenience and efficiency reasons are fine and good. But Anderson said reducing the monthly data and voice fees for even 50 percent of the current employees using BlackBerrys could mean as much as $5 million that the Marines could transfer to readiness, and operations and maintenance accounts.
Anderson said these employees would move away from a government-furnished device and move to a bring-your-own-device (BYOD) set up.
“For the same $5 million, we could put another 85,000 devices on the network,” he said, after speaking at the MobileFeds conference in Washington March 7. “We have 11,083 BlackBerrys on the network today. The entire approach to this is saving dollars.”
Anderson said the service is developing a framework and is close to launching a pilot program to bring the Marines closer to BYOD.
“The solutions for commercial mobile devices are focused around two different approaches,” he said. “One is the Hypervisor One technology, which ViaSat and Sprint are providing us seven devices to test. Those devices are multi-personality, truly segmented operating systems that will ensure the integrity of the personal side and the organizational side.”
The technology would let the Marines control the organizational side of the device, ensuring no data resides on it. If it’s lost, the services would have the ability to wipe the government’s portion of the device clean.
“The other solutions we have are from Verizon and AT&T. Verizon and AT&T are providing the sandbox solution. Verizon is providing us Divide and AT&T is providing Toggle. Those are sandbox solutions that are AS-256 byte encrypted and FIPS 140-2 tact 2 containers,” he said. “Now a lot of people stipulated that you can hack these sandboxes and that’s part of our penetration testing. So as we move into our beta test and we have devices to test — the penetration testing, the security and data at rest and so forth — the solution that is secure is the one that will go forward. So, if all three solutions work completely and we deem that the risk is acceptable — this is on an unclassified network, sensitive but unclassified For Official Use Only work — and we satisfy and mitigate that risk, then we will go forward.”
Small pilot to start
Anderson said the Marines plan to test out the phones with 20 users to validate the data is secure in transit and at rest.
“It’s the user experience on these devices. We will capture the data on the organizational containers, how well they work, what were the help desk interactions, was it as easy as the individual doing something at home on their own devices,” he said. “Those individuals get a BlackBerry today but will use these test devices for four months.”
Anderson said the Marines will assess the pilot, and if all goes well, move to a larger pilot of about 500 users. He said the goal is to move to a BYOD environment by early 2015.
The concept to BYOD will rely on a new framework for the Marines. Anderson said a major part of this effort is to create a personal corporate environment.
Anderson said, under this approach, users can bring their personal device on the unclassified network but must abide by specific security, legal and organizational parameters.
“There’s an organizational instance that resides on the phone that the organization, i.e. the Marine Corps, would manage. By doing that, you would eliminate some legal concerns that our counsel has, primarily the violation of the Fourth and Fifth Amendments of the Constitution,” he said. “We have to be able to prove beyond a shadow of a doubt that the Marine Corps cannot be held liable for the invasion of privacy or have the government affect their employees in a negative way.”
The Marines are testing the Hypervisor One, Toggle and Divide applications from the vendors to prove to the lawyers that the employees’ rights are protected.
Laptop on a stick
A secondary effort the Marine Corps is embarking on is around BYOD for laptops. Anderson said laptops provide a similar opportunity to save money as smartphone and tablet devices do.
He said the Marines already own the technology—about 150,000 enterprise client access licenses from Microsoft—to containerize and protect the laptops. The idea would be to put client access software on a certified USB stick that the employee could plug into the laptop and work off a secure instance that makes the laptop a vessel to communicate with the network.
Anderson said moving to this secure USB stick will take a bit longer than the BYOD approach, but he’s hopeful to prove to senior officials that both approaches make sense.
In the meantime, Anderson said his office is conducting a survey of Marines and civilian employees about BYOD.
“The government has to pay for something. We are not going to put [the security cost] on an individual. But would an individual be willing to spend their money on their own voice and data plan in order to gain access to the personal organization data?” he said. “That’s the key indicator. That’s really the pulse we are trying to get. How many people in the Marine Corps would really do this? It will be interesting to see what happens with it.”
He said the survey asks about pay grade and rank, and then the Marines will be able to identify trends across different sections of the Marines.