Lack of emphasis on secure teleworking is a national security risk.

Commercial mobile devices without proper protections are creating risks to our National Security.


Today, due to COVID-19, hundreds of thousands of Department of Defense (DoD) and Intelligence Community (IC) workers are now working on confidential documents and having confidential meetings while leveraging smartphones and other commercial mobile devices. These same devices are inherently risky due to the relative ease with which they can be exploited for espionage by bad actors using the cameras and microphones to capture confidential information.

Confidential information is the lowest classification level of information obtained and used by government and is defined as information that would “damage” national security if publicly disclosed.

The idea that leaked confidential information risks national security is acknowledged in security policy guidance banning the use of commercial mobile devices, but only at the office, unless the cameras and microphones are physically disabled. Putting smartphones in lock boxes when working in or visiting a DoD or IC office has become almost routine.

Lock boxes aren’t a complete solution, however. When not in the office and actually mobile, the “hope and a prayer” risk mitigation has been in effect. This was accepted because telework was not widely adopted.

Both the DoD and IC have historically resisted investing in and expanding teleworking and smartphone solutions for military and civil servants – choosing instead to keep unclassified (but still confidential) information and higher classifications almost exclusively confined to physically secure workspaces.

And while it is true that a small population of senior leaders have physically secure spaces – spaces with Secret level accreditation – at home, they are a tiny minority. Even fewer have a SCIF – a Top Secret space.

This is primarily because of the requirement to run hardened and encrypted physical network infrastructure into their homes and to have a room that meets the physical security requirements, which include hardened smartphones, physical office spaces behind heavy doors, huge locks and safes.

Today, the rest of the population who work on Secret and Top Secret information have no option but to travel to their physically secure work environments – even with the coronavirus pandemic and shelter-in-place restrictions in effect.

So why was pre-COVID-19 teleworking so limited? The simple answer is the DoD and IC have been unable to keep up with the ever-changing mobile landscape or invest in exploring and adopting secure solutions. It was often seen as too hard and not a necessity. Leaders would just accept working from the office and locking up those risky smartphones.

But leadership in these organizations, as well as in other agencies and departments across the Federal government, is learning now that the lack of emphasis on secure teleworking options comes at a high price in a time of crisis.

Smartphones that were banned at the office are now critical enablers and are being issued to everyone. Security has been tossed aside as the focus is on enabling the home office to keep the government workforce up and running.

This is a huge risk. Confidential information is being exposed all over the place. As reported by NextGov on April 13, “Some of the new measures, mostly aimed at enabling the workforce to stay home, have also yielded fresh intel about malicious cyber actors exploiting the situation ….”

The DoD and IC should use this crisis as an opportunity to accept the reality that managed and controlled mobile devices can be used – with proper limitations and mitigations – as vital tools for mission success.

Going forward, the DoD and IC workforces must be enabled to continue mission execution with access to technology providing information-sharing, communication and access to mission-critical applications in every environment – in the secure spaces of government facilities, at home and on the move.

*** This is a Security Bloggers Network syndicated blog from Be Aware authored by Michael Campbell. Read the original post at: