WASHINGTON — As the Obama administration moves to implement a broad-ranging mobile computing initiative throughout the government, agency CIOs need to integrate forward-looking policies to ensure that mobile devices and the data and applications that reside on them are insulated from both internal and external threats from the outset, according to a security expert.
“It’s a really important aspect, and it needs to be done early on. It needs to be done in a way when you’re developing your policies, [they] are going to drive the security requirements,” Tony DeLaGrange, senior security consultant with Secure Ideas, said at a conference here following the release of the White House’s Digital Government Strategy. “Let’s make sure that only the applications I want on there are on the device.”
[Most Recent Government IT Stories]
The new White House plan tasks agencies with converting their troves of data into formats that are readily accessible to the public, and remaking the central online hub for government information, Data.gov, as a “data and API catalog” that pulls data from agency sites. By synching individual government sites with the central federal repository, that effort will aim to ensure that there is “no wrong door for accessing government data,” federal CIO Steven VanRoekel wrote in a blog post announcing the new initiative.
“At its core, the strategy takes a coordinated, information- and customer-centric approach to changing how the government works and delivers services to the American people,” VanRoekel said. “Designing for openness from the start — making open data the default for government IT systems and embracing the use of web APIs — enables us to more easily deliver information and services through multiple channels, including mobile, and engage the public and America’s entrepreneurs as partners in building a better government.”
Additionally, the Digital Government Strategy directs agency CIOs to optimize their public-facing data for a new crop of smartphones, tablets and other mobile devices. That includes setting a new default standard of open data and Web APIs for government information.
“Over the next 12 months, you will start to see an important shift across the federal government,” VanRoekel said. “Agencies will increasingly open up their valuable data to the public and set up developer pages to give external developers tools to build new services.”
The blueprint also calls for the formation of a new centralized advisory group to eliminate information silos between agencies and preside over the “shift to a shared-platform culture.” A recent report on the use of Web technology across the federal government found 150 distinct implementations of 42 separate systems to create and publish Web content, distributed through the use of some 250 hosting providers.
“We will do all of this while reworking the federal government’s own use of mobile — saving taxpayer dollars and providing better service by bringing consistency to the way we buy and build for an increasingly mobile workforce,” VanRoekel said.
DeLaGrange said he was encouraged that the new plan acknowledges the unique security risks that come with an increasingly mobile workforce, which include threat vectors related to both the applications and data stored on the devices, as well as vulnerabilities in their connections — both cellular and Wi-Fi networks — and, of course, the wildcard challenges associated with end users.
“Users are a struggle,” he mused, advising both government agencies and enterprises to develop a mobile awareness initiative to educate their workforce about mobile security threats, including guidelines for appropriate data sharing and policies stipulating what sorts of applications can be installed on the devices.
“We need to make sure that we enforce the security settings on these devices in such a way that users can’t turn them off,” he said.
At the same time, DeLaGrange warned against the instinctive reaction common to security workers when bringing new devices or applications behind the firewall to disable potentially useful features in the name of protecting the network from as many vulnerabilities as possible. That approach, though noble in its motivation, too often puts the security team at odds with business groups and end users, who tend to view such restrictive security policies as running counter to their own productivity.
“This is where you need a balance [between] that risk and reward,” DeLaGrange said, counseling a closer collaboration between security and business units.
The White House plan notes the distinctive security challenges the mobile devices introduce, including the ease with which they can be lost and the potentially unsecure network connections they often tap into.
“These problems are not new, as the introduction of laptops into the workforce led to security and data breaches as employees took their electronic devices mobile,” the White House strategy states. “However, the new class of smaller, lighter smartphones and media tablets has elevated exposure to this risk.”
In that spirit, the strategy directs the departments of defense and homeland security to work with the National Institute of Standards and Technology to develop a baseline security framework for mobile computing in government over the next 12 months. In the interim, the directive contains “milestone actions” for NIST, the Federal CIO Council and other entities to advance the secure implementation of mobile technology across the government.
The White House plan builds on previous initiatives the administration has put in motion to modernize federal IT and open government data both to the general public and the developer community, including Data.gov, but also comes with an acknowledgement that the government has considerable work ahead of it.
“For far too long, the American people have been forced to navigate a labyrinth of information across different government programs in order to find the services they need,” President Obama wrote in a government-wide memo announcing the strategy. “In addition, at a time when Americans increasingly pay bills and buy tickets on mobile devices, government services often are not optimized for smartphones or tablets, assuming the services are even available online.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.