Why Pentagon banning personal devices won’t improve data security

Today’s proliferation of connected devices and apps that collect data outside of user control creates a perfect storm for nation states to leverage seemingly innocent technologies to gain national security or economic advantage. A near real-time data tracked and mapped by a fitness app has publicized the location of some known and possibly secret military stations around the world.

In response to this and other threats to government’s sensitive information, Defense Secretary Jim Mattis is now considering a ban on personal cell phones at the Pentagon. The White House has already prohibited personal devices inside the West Wing.

While this extreme response is the most natural reaction by everyone when they first face this challenge, blocking technology has never worked. Having witnessed similar attempts across different industries over the years — from banking to technology to security, a blanket ban is practically impossible to enforce. It is particularly daunting today when, as Supreme Court Justices John Roberts and Sonia Sotomayor agreed, cell phones have become an appendage to their owners, a part of human anatomy.

{mosads}The more interesting and challenging reason though why blocking won’t have a desired effect on security of sensitive information lies in the nature of technology running on all of our devices — professional or personal, approved or not.

Most applications we use to run our organizations are built on collecting and processing our data. The entire business model is rooted in companies being able to access, analyze, and most often monetize collected information. That is true for free apps, including social media and messaging, and it is true for the majority of paid apps as well.

So why does this matter for security? As we know from the headlines, almost daily data breaches are a norm now. The best and most resourced tech teams struggle to protect their systems that contain large swaths of our information. So what better way for criminal attackers or nation states to target our sensitive data than going right to the source — the technology we use to share that information: email, slack channels, social media, and now fitness tracking apps?

As technology evolves, new risks are introduced in common applications, almost always unbeknownst to organizations and people using it. The reason is secure software is incredibly hard to build and most mainstream technologies are not designed to be secure, but rather to enable access to information. So keeping military and government secrets has become a lot more complicated and now is the time for a different approach.

The good news is this problem is not new, although, of course, the scale is very different. What Mattis is concerned about is exactly the same issue Fortune 500 enterprises have been working to balance — unmanaged technology applications in the workplace filled with trade secrets and corporate IP.

In over 20 years in cybersecurity, the only approach that has worked requires an always-evolving security policy balanced with the operational and personnel needs.

We need to give our people the right tools, without any backdoors and built to protect data. We also need to understand that having those in critical positions and with access to sensitive information do business on email or any app designed to make data accessible rather than secure means risks. With that in mind, critical information and communications should never touch these “unmanaged” systems and applications.

Finally, technologies that we pay for must offer data protection and a promise not to mine our data, and when they fail to fulfill their promises, companies should be held accountable. As an avid user of fitness tracking apps myself, I have sharp expectations that when I pay for the service and have no desire to build a social network around my exercise or share my information, the company will ensure my data is secure and not accessible to anyone but me.

These risks will only continue to grow and the fact that the secretary of Defense is considering a no cell phone policy shows just how hard information security has become. But it also shows that no matter what policy is adopted today, it has to continue to evolve with technology to account for new risks and new opportunities to protect critical data.

Joel Wallenstrom is president and CEO of secure communications platform Wickr, previously co-founder and executive for leading security research company iSEC Partners, responsible for finding and mitigating high-profile cyber security vulnerabilities.