Former officials say the ban could trade a marginal security improvement for a much tougher working environment.
The Trump administration’s move to ban personal electronic devices from the White House will likely have dubious security benefits and could dissuade people from taking jobs there, according to a former federal chief information officer.
The ban could be necessary or prudent if the White House is responding to a specific and highly serious threat that is unknown to the general public, former federal CIO Steven VanRoekel told Nextgov, echoing other former officials and mobile advocates.
In the absence of such information about a credible threat, however, VanRoekel speculated the decision might be aimed less at improving security and more at making it difficult for staff to leak internal discussions to the media or send whistleblower complaints to Congress.
White House Press Secretary Sarah Huckabee Sanders announced the personal device ban in a statement early Thursday, citing “the security and integrity of the technology systems at the White House,” which she said was a “top priority for the Trump administration.”
The ban was in the works for six months and implementation was delayed to ensure government-issued devices and all their applications could fully comply with federal recordkeeping laws, Huckabee Sanders said during her daily press briefing later Thursday.
The White House did not respond by 4 p.m. to a Nextgov query about whether intelligence agencies or the Homeland Security Department, the civilian government’s lead cybersecurity agency, weighed in on the ban.
The ban, which starts next week, will apply to both employees’ and visitors’ phones, according to Huckabee Sanders’ statement. White House staff will still be able to conduct business on their government-issued devices, she said.
Such building-wide personal device bans are common at some military facilities, such as Fort Meade, which houses the National Security Agency, Cyber Command and the Defense Information Systems Agency. The White House ban may be the first such ban in the civilian government, however.
The White House and other government buildings are equipped with specialized rooms known as secure compartmented information facilities, or SCIFs, where electronic devices are banned and officials can freely discuss classified information without fear of prying ears or eyes.
Balancing Security and Convenience
The White House ban will prevent the intelligence services of adversary nations including China and Russia from using malware implanted in employees’ and visitors’ personal devices to listen in on White House conversations or to snap surreptitious photos of White House meetings.
The inconvenience the ban will cause likely outweighs the security benefits, though, VanRoekel said.
“I’d fear that taking away tech devices like this would actually stifle young people and people who are very reliant on this stuff from wanting to work in the federal government,” VanRoekel said. “‘Are computers next?’ is what they’ll be wondering.”
In addition to being barred from discussing classified information outside of SCIFs, White House employees are typically required to leave both personal and government-issued phones outside of meetings where sensitive but unclassified information might be discussed, VanRoekel said.
For example, no phones were allowed inside then-White House Chief of Staff Denis McDonough’s office while VanRoekel worked at the White House, he said.
For that reason, reports that White House Chief of Staff John Kelly’s personal cellphone was breached in late 2016 and might have been compromised for nearly a year doesn’t validate the ban, VanRoekel said.
“That’s just life,” he said, noting that top White House personnel are bound to be prime targets for adversary hackers. “Every meeting the chief of staff is in is one where you should leave your device in a box somewhere outside the office.”
While a foreign intelligence service could glean some useful information from listening in on unclassified conversations employees have at their desks or in the hallways, VanRoekel said, he thinks the marginal security benefits are outweighed by the inconvenience to the staff.
“You could take that notion of [sensitive discussions in] the hallway and extend it to the restaurant or the bar or the home,” he said. “But we’ve built an infrastructure where this stuff can only be discussed in certain situations and if you’re not in those situations you don’t discuss it and we took that super seriously.”
A Different Approach to Personal Devices Under Obama
During VanRoekel’s tenure in 2012, he helped spearhead a bring your own device, or BYOD, policy that was both implemented at the White House and presented as a template to other agencies.
Under the White House policy, staff who wanted to use their personal devices rather than work-issued BlackBerrys had those devices outfitted with a secure digital container that housed all of their work tools, said Brook Colangelo, who was White House CIO at the time.
Once employees had logged into the work portion of their phone, they were effectively in a separate device that was firewalled from the personal device and secured by the government, he said. White House officials could remotely disable the government portion of the device if the employee quit or was fired.
The three main goals for the policy were to maintain the security of government information, abide by recordkeeping laws that require staff to preserve all official records and to improve work-life balance for staff who worked long hours, Colangelo said.
Not flipping between government and personal devices made it easier for staff to keep on top of family obligations while working grueling White House hours that often drag late into nights and weekends, Colangelo said. That also made staff more efficient, he said.
The Trump administration personal device ban might be reasonable based on undisclosed security concerns, Colangelo said, but the administration should be prepared for a tradeoff with efficiency and work-life balance.
“The White House is a really challenging place and you’re dealing with a myriad of complex cybersecurity challenges,” he said. “One has to weigh all of that and try to figure out productivity and work-life balance while protecting the government and the office of the president.”
In lieu of a complete ban on personal devices, the White House might have considered some other measures, such as requiring employees who use personal devices to allow the government to periodically scan those devices for malware, said Tom Suder, founder of the Advanced Technology Academic Research Center and a longtime advocate for broadening the use of mobile devices in government.
Suder doesn’t oppose the ban if it’s necessary for security but hopes the government explored alternatives, he said.
Once the ban takes effect, Suder said, he hopes the White House will ensure employees are able to easily call and text family members who they need to stay in touch with during work hours or during nights and weekends at work.
“You have to have some accommodations for outside communication if you’re going to do this or people aren’t going to want to work there,” he said.