Cloud Hosting

After years of proposing Bring Your Own Device strategies, the U.S. Army has embarked on Phase III ... [+] of its BYOD Pilot.

The U.S. Army is testing a mobile device application that would let its Soldiers and DoD civilians access the Army Cloud using their personal cellphones or laptops. But theres some confusion about the app and the extent to which it will be used.

For context, its worth explaining that the Army and other services have enabled service members and DoD civilians to work remotely via Government Furnished Equipment (GFE) for over 15 years. The once ubiquitous BlackBerry phones that Soldiers, Airmen, Sailors and Marines carried for years exemplified remote work.

Uncle Sam paid for and supplied these devices and users were/are expected to conduct only official business on them, with the resulting phone in each hand a common sight among service people and government officials physically segregating their professional and personal communications. But a lot has changed in the last decade.

The Army and other branches followed and began to embrace the commercial technology evolution that has brought us digital cloud storage and software-as-a-service (SaaS). For the Army, and the rest of the world, that embrace became a bear hug when COVID-19 hit in 2020.

At the height of the Pandemic the Pentagon turned to a commercial solution for the vastly expanded telework work it believed was necessary to continue to function, enabling Microsoft MSFT Office 365 mobile capability for the military/civilian workforce. The capability was well received but in the span of less than a year DoD recognized it wasnt particularly secure. In June, 2021 Office 365 mobile capability was turned off.

To work remotely and access the cloud, users reverted to their GFE. As they did so, the folks running the DoD cloud enterprise were already asking the question - Do they have to use government funded devices?

Bring Your Own Device

With Microsoft Office 365 connectivity disabled, the DoD CIO and the respective service CIOs established separate pilot programs to assess the potential for military personnel and civilians to work remotely using their own cellphones and laptops. The Pentagon refers to this strategy and to the separate service pilots as Bring Your Own Device or BYOD.

The Army, Navy and Air Force each have their own BYOD Pilots though the Armys Pilot - now in Phase III - is likely the most mature. The goal of BYOD the Army says is to extend the convenience of teleworking on just one device to Soldiers and Army civilians. Essentially, its another app on your phone. A service member can walk out of the Pentagon or off-base, go to the store and still be connected to official business via his or her personal device.

BYOD may also save the service considerable money Army CIO, Dr. Raj Iyer says.

Army CIO Dr. Raj Iyer says its BYOD Pilot is demonstrating the convenience and potential cost ... [+] savings of having Army personnel use their own devices for official business.

We know that there are savings to be had. If you look at the total cost of ownership of government furnished cellphones and how much we pay for data services from the telecom providers, theres an opportunity to reduce those costs by switching to BYOD.

How much potential savings from dropping GFEs/data could be realized is one of a number of issues relating to BYOD over which there has been some confusion. Chief among these has been what kind of work it will enable users to do.

Lieutenant General John B. Morrison, the Armys Deputy Chief of Staff for Command, Control, Communications, Cyber Operations and Networks (G-6), emphasizes that BYOD is largely for administrative work. Technically, it is cleared to carry up to Impact Level 5 (IL 5) information including unclassified and controlled unclassified information the Army says. It is not for use for classified work, communications or data sharing.

Moreover, the Army BYOD Pilot is limited to the strategic administrative level, typically for in-garrison users within the U.S. However, the G-6 is working through use cases outside the continental U.S. LTG Morrison says so personnel in Europe, Africa or South Korea may theoretically be using their own devices through BYOD one day.

Deputy Chief of Staff, G-6 Lt. Gen. John B. Morrison, Jr. emphasizes that the Army's BYOD Pilot is ... [+] evolving and will go forward based on its productivity, security and a cost-driven business case.

While General Morrison says there has been no discussion of using the Bring Your Own Device approach in tactical scenarios at this time, he does not rule out the possibility. That would surely raise additional security concerns and Morrison adds, Were very mindful of the capability some of our adversaries have to use cellphones to do direction-finding and identification.

But for now, BYOD is a tool that replaces the GFEs mostly carried by those at the Army leadership level Morrison says. That includes a fair number of people. Phase III of the pilot will extend to 20,000 users.

Dr. Iyer says it can fully scale to over 20,000 users including National Guardsmen and Reservists whom the Army has also included in the Pilot. If, as LTG Morrison says, the Army will use Phase III to look at other use cases BYOD may have to expand beyond the above number.

The user population brings the BYOD proposition back to cost. If the Army can eliminate the need to provide 20,000 devices, it could probably save come coin. But this proposition has some wrinkles.

For one, both Gen. Morrison and Dr. Iyer stress that the Pilot (and ultimately a program) are strictly voluntary. However if the user base is smaller than anticipated, the cost of acquiring the commercial license for the BYOD app and maintaining its link to the Army cloud may outweigh the savings from handing out fewer phones.

The participation of Guardsmen (both Army and Air Force) and Reservists introduces another nuance to the cost equation. In addition to LTG Morrison and Dr. Iyer, I spoke with Kenneth C. McNeill, CIO at the National Guard Bureau who affirmed that Phase II BYOD testing with Guard Soldiers and Airmen went quite well.

He points out that only a relative handful of Guardsmen (and Reservists) actually have GFEs. To communicate and conduct official business, they have to go to an Armory or other post. When they respond to hurricanes, floods or [provide] whatever support theyre asked to, McNeill said, this will give them the capability to stay connected, pre and post mobilizing.

But since Guardsmen and Reservists who volunteer to use their own phones currently have no GFEs, their participation effectively represents no saving. The convenience may be welcome but Morrison acknowledges, We will do due diligence on whether it fiscally makes sense to move this forward.

Some in the cybersecurity community have already been asking whether moving forward with BYOD makes sense. While Army BYOD is not a classified system, penetrating it would still yield potential insights for U.S. adversaries like China which has derived real benefit over the last three decades from open-source intel, let-alone controlled information.

The Army is cognizant of this and with security foremost in mind, it has given BYOD a Halo.

A Security Halo

The key to BYOD is the ability to securely connect users personal devices to the Armys enterprise cloud environment. Known as cArmy, the services cloud currently offers shared services in the Amazon AMZN Web Services (AWS) and Microsoft Azure clouds at IL 2, 4 and 5.

To enable BYOD the Army turned to Hypori, a Virginia-based SaaS firm which has developed Halo cloud-access software. Halo renders applications and data that reside inside the cArmy cloud on a users device as pixels.

These virtual images allow users to interact and work within cArmy, without any actual transfer of data. Raj Iyer describes Halo-enabled phones as dumb display units which show representations of email, scheduling, spreadsheets or other applications hosted by cArmy. None of it resides on the users device.

This approach largely shifts security from the device to the cloud itself. It allows the service to focus its efforts on defending a single point - cArmy - rather than a collection of phones or laptops. The Army controls access to the cloud (right down to physical access to its servers) and constantly monitors the environment.

Hypori's Halo cloud software connects mobile devices to applications in the cloud via a pixel ... [+] presentation. No data is actually transferred to or from the edge device.

If an anomaly pops up inside cArmy, the Armys Enterprise Cloud Management Agency tells me that it is confident it can rapidly detect and identify an intrusion and defend the BYOD environment. Halo-enabled BYOD has been repeatedly red-teamed Iyer says, passing these evaluations with flying colors and outperforming the solutions the Navy and Air Force have chosen.

Despite their high level of confidence in Halo, both Iyer and General Morrison acknowledge that one can never-say-never in cybersecurity matters. The same centralization in the cloud allows U.S. adversaries to focus their own resources on a single target - cArmy.

While no data rests on the device, the vulnerabilities that always exist at the intersection between hardware, software and the internet remain as does the threat of what the Army cannot control. That stretches from the industrial architecture underpinning the cloud and cloud vendors (Amazon, Microsoft) to the risk of insider exploits.

One of the most notable cloud breaches was publicly acknowledged last May when news broke that in 2019 a former AWS employee exploited her knowledge of cloud server vulnerabilities at Capital One COF and more than 30 other companies to steal the personal information of over 100 million people, including names, dates-of-birth, and social security numbers. The possibility of such an insider breach of BYOD or other cloud systems rings as real to the Army as the name, Bradley Manning.

Even though the Army BYOD is currently intended for non-classified work, LTG Morrison stresses that, Weve baked cybersecurity in early and often and well do it again if we go live and do continual assessments to ensure that we adequately secure the capability were providing.

What was interesting to us about Halo was that we could implement it on devices that were unmanaged, Dr. Iyer says.

Other BYOD solutions come with a Mobile Device Management (MDM) approach which requires the environment (cloud) owner to take control of the device, typically to ensure security and compliance issues. For users, MDM raises privacy concerns which might prove a significant obstacle to adoption. But there is no MDM with Halo. The Army does not control the users device and cannot see beyond its own cloud boundary.

Before BYOD, one of the things we consistently heard from our users was that they didnt want their cellphones to be monitored or wiped if there was any potential [data] spillage, Iyer acknowledges.

The Army G-6 is confident enough in the privacy and security of Halo that I was told that there would be no obstacle to users having it on their phones - right next to Tinder, Reddit, or even TikTok.

Convenience or Burden?

As noted, adoption will be key to BYOD. General Morrison notes that the cost savings it may help the Army realize are up there in terms of importance with the productivity gains and security expected with BYOD. Its success in delivering on this trio of elements will determine a path beyond the current Pilot.

We will do due diligence on whether it fiscally makes sense to move this forward, Morrison affirms.

Users may ultimately have to weigh the convenience of using their own devices for official business with the cost. Some observers have already questioned whether BYOD simply shifts the burden of ownership of appropriate devices with sufficient data plans, identity security, and personal accountability from the government to the individual.

Having the right phone may or may not be a hurdle. In fact, my discussions with the G-6, General Morrison, Dr. Iyer and Hypori illustrated some cloudiness on the issue.

According to the G-6 there will be a list of approved devices which would not include phones no longer supported by their original equipment manufacturers like older Android and Apple versions. An iPhone 6, for example, wouldnt be acceptable. (Nor presumably, would a Huawei phone.) A signed user agreement for BYOD would also require that device owners maintain the latest security updates to remain eligible to work via the app.

However, Raj Iyer differed with the strict notion of approved devices, telling me that a user could bring just about anything to BYOD. Because it is an unmanaged solution, there are no specific requirements for what cellphone you bring. God forbid if you have a BlackBerry somewhere, that might work too.

I was later told Dr. Iyer was joking about the BlackBerry but the impression is that almost anything goes. To be sure I checked with Hypori CEO, Jared Shepard.

Shepard re-emphasized that Hypori Halo is a zero-trust platform which assumes that all edge devices are compromised. By design, it does not allow interaction of data from the protected environment with the device.

But he added, As a Security best practice we recommend that only devices that are still supported [updated and patched] by the manufacturers be allowed. This allows a tremendous amount of flexibility for devices new and old [many 4-6yrs old or more]. Currently iPhone 6 and 7 are still supported by Apple.

We will learn how this capability reacts to different kinds of phones that are out there, Morrison concludes.

As with other aspects of BYOD, the Army will have to have consistent messaging on its user requirements. These include identity. According to Iyer, BYOD employs multi-factor authentication (MFA, passwords augmented by scanning a fingerprint or entering a code received by phone for example).

However, the user identification system employed may also limit devices that can be used with BYOD. For example, Cisco Systems Duo MFA device requirements include a Secure Startup mode and a Cisco-approved operating system (Android 7 or higher) among other things.

Dr. Iyer points out that the Armys enterprise IT management system not only identifies but tracks BYOD phone locations. If a phone operating in Washington DC pops up three hours later in China, somethings obviously wrong. Devices will generally have to indicate active use inside the U.S. While the Army wont have access to personal data, dropping a GFE device wont allow users to go un-tracked.

Iyer says he has seen tremendous excitement about BYOD on social media, suggesting a population eager to embrace the scheme. But given its rollout largely to a group of more senior Army and civilian users, there may be less enthusiasm for yoking ones personal device (and consumer data plan) to BYOD than for a broader cross-section of the Army.

Indeed, one senior Army National Guard officer with a background in cybersecurity told me that while he thinks BYOD may be a useful convenience in the future, hed likely stick with his GFE. Since BYOD is strictly voluntary, potentially eligible users could elect to stay with their government furnished phones prompting a question as to whether personnel who decline to participate might worry about the career implications of taking a pass on BYOD.

This is not going to be viewed favorably or unfavorably, Dr. Iyer assures. I believe that the majority of our users will want it.

Kenneth McNeill thinks people will eventually get comfortable with the idea and says theres already a sizeable group of Guardsmen and Reservists volunteering. General Morrison characterizes early adopters as BYOD champions, people who are helping craft the tactics, techniques and procedures for its use. As Phase III progresses the Army will evaluate its expanded mix of users, continually reassessing the Pilot and iterating the app. How BYOD will ultimately take shape isnt known yet Morrison acknowledges.

Were being very pragmatic, he stresses. That includes putting BYOD through several legal reviews. Army personnel and DoD civilians will have the last word, ultimately making it clear to the service whether theyre comfortable enough with the privacy, security, cost and convenience of personal devices as a gateway to the Army cloud to bring their own.

More:
A Plan to Let Soldiers Interact with the Army Cloud Using Their Own Devices Got a Bit Clouded - Forbes