Mobile work is about more than secure laptops

Concerns about workers telecommuting with personal laptops and smartphones don't end with those systems' comparatively lax security, officials said Tuesday.

There also are a host of policy questions that need to be answered in case security problems do emerge, either because of a malicious cyberattack or because the device simply goes haywire with government data in it.

If the teleworker had been using a government-furnished laptop when that happened, the agency would take possession of it and either fix it or scrape out any sensitive data and junk or recycle it, said Sean Donelan, a network security project manager at the Homeland Security Department.

If the employee was using a personal device, though, does that mean the agency has to buy it from him before they take it, Donelan asked. At what price? Once agency IT or security staff get ahold of the laptop, how great an obligation do they have to ensure they don't look at any of the employee's personal data? What if seeing some personal data is unavoidable? And if a teleworker's personal laptop crashes does that mean he's on personal time?

Answers to those questions will likely vary across agencies, Donelan said, but ought to be dealt with upfront.

Donelan was speaking on a panel about federal mobile work and security sponsored by the Telework Exchange, an industry group. Congress passed legislation in 2010 that significantly expanded opportunities for federal telework and the White House has been busy ensuring the new crop of federal teleworkers doesn't create a new crop of security breaches.

One way to minimize problems is limiting teleworkers to government-provided laptops and smartphones that agency IT staff can vouch for and easily take possession of if there's a problem, said Ron Ross, a senior computer scientist with the National Institute of Standards and Technology, which publishes security guidelines for federal telework.

A government laptop can often be the same computer the employee uses in a docking station at work and can be outfitted with secure remote access to the vast majority of applications the teleworker will need, Ross said.

That clean and clear scenario may work for regular telecommuters, but won't cover the entire spectrum, said Susie Adams, chief technology adviser to Microsoft's government division. An employee may plan on coming into the office, for instance, but then be shut out for days or weeks by a water main break or a snowstorm. An employee might also be traveling in places with limited wireless Internet and have to use a kiosk computer to do some work, she said.

Most federal customers have told Adams they're comfortable with employees accessing email on any device along with collaboration tools, such as instant messaging. Agencies become increasingly less comfortable as applications become more complicated and as it becomes more difficult for them to remotely wipe government data, she said.

One trap agencies fall into, she said, is presuming they won't be telework ready until employees can securely use every application they use in their desk job from any location. That's far too high a bar to set for basic continuity of operations during a snowstorm, she said.