If you work at the Education Department, you can have your personal and work e-mail on the same smartphone. Not so at the Environmental Protection Agency, where employees can’t put personal e-mail on agency-issued phones.
President Obama drools over his daughters’ iPhones but has long been restricted to a supersecure BlackBerry. At the Interior Department, top staffers are routinely issued iPhones.
Then there’s Hillary Rodham Clinton, who followed her own path as secretary of state, with private e-mail on a home-based server and one BlackBerry for both statecraft and yoga routines. Clinton said she adhered to the rules in place at the time.
The U.S. government is struggling to tame a technological free-for-all for its 2.7 million civilian employees and their myriad phones, tablets and other devices. What has emerged is a patchwork quilt of rules and practices that vary from agency to agency, all of which leave room for interpretation.
And it’s only going to get trickier. A new generation of workers now has better mobile devices than agencies’ clunky options and is pushing for more access and quicker connections. But that means greater security risks.
“You have a lot of people who want to use their own device,” said Daniel Castro, vice president of the Information Technology & Innovation Foundation, a Washington-based think tank. “You have people bringing in their iPhones because they didn’t want to use a BlackBerry.”
The newer devices make it easier to mix e-mails for business and pleasure.
When Clinton was secretary of state, from 2009 to early 2013, the State Department’s security restrictions barred having two e-mail accounts on a government phone. White House press secretary Josh Earnest said it wasn’t until January 2012 that some White House staffers could put work e-mail on their own devices.
Analysts say it’s often those at the top of the pyramid who think they can shun the rules.
Gary Gensler, the former chairman of the Commodity Futures Trading Commission, used private e-mail when working from home. The former head of the EPA, Lisa Jackson, sent e-mails using the alias Richard Windsor. And an inspector general’s report said Rafael Moure-Eraso, chairman of the Chemical Safety Board, improperly used a private e-mail for government work in 2013. He says he has corrected the practice.
“If they decide the rules don’t apply to them, and you can’t install security, you can’t monitor and even track what they do, then you’ve created a blind spot,” said Bob Hansmann, director of product security for Austin, Tex.-based Websense. “You can’t defend what you cannot see.”
The EPA says that Jackson’s secondary e-mail was sanctioned by the national archivist and that her predecessors followed similar procedures.
Denise Krepp can’t understand how Clinton was allowed to run her own e-mail server, with her own private e-mail, mixing work and personal e-mails on a single device that didn’t automatically save the records into the archives.
That was strictly against the rules when Krepp worked at the Maritime Administration during the Obama administration, where she was the general counsel in charge of enforcing the e-mail policy. She carried two phones, one issued by the agency and one that she owned.
“I was constantly giving the lecture of be careful what you are putting in e-mail. It’s going to be kept,” she said. “I’m puzzled by this — very, very puzzled.”
In addition to the issue of preserving the historical record, freelancing on e-mail raises security concerns.
“The federal government is a huge target because of who they are,” said Richard Bejtlich, chief security strategist for FireEye, a cybersecurity firm. “They are big, and they have hundreds of thousands of targets.”
In the fiscal year that ended Sept. 30, the government logged 67,196 cybersecurity incidents at federal agencies, according to the Office of Management and Budget. The incidents ranged from lost laptops to the discovery of malicious software. The total was up 16 percent from the prior year — a surge the government attributes partly to enhanced detection capability.
The Government Accountability Office has warned about the growing security risks associated with mobile devices, noting in 2012 that malware attacks had increased to 40,000 from 14,000 in just a year.
The federal departments with the strictest rules are the Pentagon and intelligence agencies, where, as part of routine security, employees and visitors must turn off all mobile devices and deposit them in designated locked boxes before entering many offices and meeting rooms.
FBI agents are issued phones for communication so the bureau can reach them when needed, according to spokesman Paul Bresson. Many carry two devices, one for work and one for personal matters. Agents aren’t supposed to handle any sensitive material on their work or personal mobile devices.
Among the agencies most at risk is the State Department. Last month, U.S. and private security specialists were still trying to expel hackers from the unclassified portion of the State Department’s e-mail system, two officials said. The problem persisted at least three months after the hackers were discovered because the intruders’ techniques kept shifting, said the officials, who spoke on the condition of anonymity because the inquiry is classified.