No BYOD at NSA, says Plunkett

Also no SME-PED, she promises
Tools

The mobile device revolution has reached the intelligence community, but it mainly won't extend to bring-your-own-device, Debora Plunkett, head of National Security Agency's information assurance directorate, told a industry audience July 20.

The NSA, Plunkett told an AFCEA-DC conference on defense mobile technology adoption, has underway two mobile device pilots--one for unclassified information, the other for classified.

"I personally can't envision a time in the classified space that we'll be able to bring-your-own-device," Plunkett said.

The device that NSA ends up adopting for work use will consist entirely of commercial technology, Plunkett also told the audience. Individual commercial components likely will have security vulnerabilities, she said, but a "composition" of multiple commercial parts together will allow the NSA to mitigate the majority of those vulnerabilities.

The agency, she also said, is determined not to repeat the mistakes of the SME-PED, a Defense Department mobile device that can receive and transmit data classified up to and including top secret.

The SME-PED (it stands for Secure Mobile Environment Portable Electronic Device) was conceived during the mid-part of the last decade "and would have been a phenomenal idea at the time it was delivered, had something called the iPhone not been introduced in the meantime," Plunkett said.

"It became the poster child, instead, for what we don't want to do," she added.

The device that the NSA wants will be user friendly and intuitive just as commercial devices are, Plunkett said.

However, the agency will also eschew permitting data to be downloaded onto the devices in favor of virtualized or thin-client environments, she said. "Let's store data in the cloud, such that when the device is lost, we simply disconnect it from the cloud."

Were the NSA able to start from scratch in building any piece of technology, she also said, it would use hardware encryption rather than software, assuming no other considerations were in play. But, since things are not starting from scratch, the NSA over the past 2 weeks has "identified what we believe are acceptable mitigations to take, in the context of using software certs, she said.

For more:
- go to the conference webpage

Related Articles:
NIST: Agencies should use MDM software
DoD releases comprehensive mobile strategy
Mobile security can't ignore device, say panelists