The challenges of bringing your own classified device

The intelligence community is working out whether it can allow staff to use their own devices for work.

"We pick up our phone, we join a bank, we look at our finances, we move money around, we take pictures of the check, we deposit the check, and we're comfortable with that -- the security level that the bank provides us. So why not build the same environment?" said Brig. Gen. Jeth Rey, the director for command, control, communications and computer systems (J6) for U.S. Central Command.

Rey, who was speaking at the virtual Intelligence and National Security Summit Sept.17, said CENTCOM is looking at the containerization of personal data, transport agnostic platforms, data-centric connections and biometric credentials to grant access even down to the document.

Greg Smithberger, the National Security Agency's CIO and director for the capabilities directorate, recently supported the BYOD approach with the right security parameters, but he emphasized the need for proper security measures that make top-secret telework impossible.

"A lot of thought has to go into it, but it's viable with the right security architecture," Smithberger said, citing two-factor authentication and use of a virtual desktop that's limited to how it can "interact with the outside world and stay off the corporate network."

However, there are also serious civil liberty concerns around personal data on personal devices that have to be considered, Smithberger said. "It's all about getting the right concept of layered defenses that can be imposed upon that personal device without any possibility of getting access to [users’] personal information," he said. The challenge is "making sure that the government is not monitoring or getting access to private information of individuals which we have no right to see or to monitor."

The ongoing coronavirus pandemic has increased the need to consider BYOD, in tandem with the rise in telework, in the intelligence community.

Doug Cossa, the deputy CIO for the Defense Intelligence Agency, said that while he's not sure what percentage of the workforce will continue working from home, the agency is "architecting for an enduring level of telework."

Cossa said that telework will likely be more permanent for business operation functions, including human resources, data management, contracting, finance and training. (The latter was shifted from a classified to an unclassified network during COVID-19 response, he said.)

But when it comes to permanently allowing work mobility and flexibility, Cossa said, DIA will have to look at facilities management and onboarding employees.

New employees have traditionally been given “a fixed workstation in a fixed location," which isn't always needed, he said. DIA is looking at whether employees can use tablets and laptops from various locations in an agency building or “perhaps even go wireless and work from anywhere in one of our facilities or multi facilities," or even outside the intelligence community.

This article was first posted to FCW, a Defense Systems partner site.