March 1, 2012 By Wayne Hanson
This report is based on the activities of the Digital Communities program, a network of public- and private-sector IT professionals who are working to improve local governments’ delivery of public service through the use of digital technology. The program — a partnership between Government Technology and e.Republic’s Center for Digital Government — consists of task forces that meet online and in person to exchange information on important issues local government IT professionals face.
More than 1,000 government and industry members participate in Digital Communities task forces focused on digital infrastructure, law enforcement and big city/county leadership. The Digital Communities program also conducts the annual Digital Cities and Digital Counties surveys, which track technology trends and identify and promote best practices in local government.
It should come as no surprise to hear that the world has gone mobile. Over the past few years, a cornucopia of wireless devices has poured into the pockets and handbags of eager users — from Apple iPhones and iPads, to hundreds of Android-based devices, e-readers and the Microsoft Windows Phone 7.
As owners become wedded to their wireless devices for everything from communication to navigation, news, games and photography, they expect to use them for work as well. Some 87 percent of private-sector businesses already allow their employees to use personal wireless devices on the job, according to a September 2011 report by Dell KACE, most often connecting to email and calendaring applications.
Integrating wireless devices into city and county operations isn’t a new idea, as public safety, parks and recreation, building and restaurant inspection, and many other essential government functions have long employed mobile technology. The devices, however, have most often been owned and tightly managed by the jurisdiction, and issued only on an as-needed basis for government work.
But the advance of mobility and device convergence has created — according to a 2010 Forbes/Google report — “an unprecedented blurring between working and personal existence.” CNN reported last year that 63 percent of work-related mobile devices are used by employees for personal activities, and many employees also use personal smartphones for work-related tasks. This new landscape is forcing cities and counties to re-examine policies, technology and strategies related to the use of mobile devices in the public sector.
There are benefits to allowing the use of personal mobile devices for city and county work. For example, Gordon Bruce, CIO of the city and county of Honolulu, said that if correctly managed, workers’ personal mobile devices could end up replacing some of the jurisdiction’s desktop computers. “Which means we won’t have to pay for them, which means the taxpayer won’t have to pay for them,” Bruce said. “So I like that idea.”
But managing these devices is a concern, and regardless of whether they are owned by the jurisdiction or by the employee, increased mobility brings increased risk. Malware targeting these devices has grown exponentially, leading one security vendor to call 2011 the “year of mobile malware.” And according to one survey, 77 percent of U.S. cellphone users reported losing at least one such device. The dream of desktop computers bolted to the desk behind a firewall is being eclipsed by the nightmare of staffers talking, texting or Web browsing using a variety of devices on different platforms over unsecured Wi-Fi hot spots.
Most cities and counties interviewed for this special section were still developing and testing various technology and policy approaches to mitigate risk while reaping some of the benefits of mobility, flexibility and anytime/anywhere access. In most cases, nothing terrible has happened, but adoption has just begun.
Oakland County, Mich., CIO Phil Bertolini says a transition to mobile devices is inevitable, but he understands why some jurisdictions reject the idea of letting employees use their own devices for work — an approach that’s called “bring your own device” or BYOD. “They’re bogged down with 8 million other things they have to accomplish, and someone walks in with an iPad and says ‘I want to connect to our email.’ Now what am I going to do? The easy answer is to say, ‘We’re not going to do that.’”
Bertolini saw the trend building and got the county moving early with a few users in pilot projects to test the concept and debug problems while the user base was small. Currently personal devices are only allowed into the system for email or Web apps where the county has built-in security.
Similar pilots are under way in the city and county of Honolulu. “We’re using iPads, Androids, MacBooks, Mac minis, and we’re vetting them through the system to make sure they’re secure,” said Honolulu CIO Gordon Bruce. “The approach we’re going to take with them is something like: ‘Here are the procedures, here’s how you introduce it to the system, but we’re not going to support it. If it doesn’t work, it’s up to you and your carrier to determine how it’s going to work.’ That way we can get it in quickly, and then we’ll see what resources it will take over time to manage it all.”
BYOD requires a rethinking of how things have been done, said Michael Armstrong, CIO of Corpus Christi, Texas. The technology industry’s shift toward virtualized and cloud-based services will make it easier for governments to take advantage of increasingly powerful mobile devices.
Photo: Corpus Christi, Texas
“I think over the next five years, we’re going to see the way software is delivered change radically. I’ll be surprised in five years if we’re actually hosting anything here,” he said. “I think it will be lighter applications written for multiple devices, and it’s going to be a different ball game. So we have to be ready to turn 180 degrees from what we’ve been doing all our lives, and embrace something that’s probably going to be a little more chaotic.”
Corpus Christi has an established citywide wireless network and doesn’t allow privately owned devices to access the internal portion of the network. Armstrong is concerned first about security, but he’s convinced that change will come as better solutions are found for end-point security. Currently users go to the Web for email and calendars, and government information isn’t stored on the devices. “We just went to Microsoft’s cloud-based email, so they don’t even have to come into our system,” Armstrong said. “And lost or stolen phones are no longer the city’s problem.”
“BYOD is a big topic for all of us,” said Clark County, Nev., CIO Laura Fucci, in a post to a Digital Communities Collaboration site. “I’m a gadget gal with an Android phone, an iPad and various other personal devices … and a BlackBerry for the office. I’d love a single device, or to leverage the diverse and explosive offerings of the mobile market for my enterprise. However, I’m also very aware of my responsibility to ensure protection of the confidential data entrusted to me by citizens.” As a result, Clark County has so far restricted access of non-county-owned devices to virtual private network (VPN) connections and requires that the device meet all county-provided standards including firewall and anti-virus software.
While replacing retiring baby boomers was a huge issue for IT leaders a few years ago, the economic doldrums slowed retirements and new hires. But the issue is back, if a meeting of the Digital Communities CIO Task Force in late 2011 is any indication. Succession planning was a top issue for discussion, and that could indicate a need to make local government workplaces more competitive to young hires, as well as accommodate a younger, more connected public.
“Their use of technology is radically different from folks in my generation,” Armstrong said. “That’s how they live their lives, even my kids do that. They would much rather text than make a phone call. And they’re used to being connected all the time. We try to look into the future and account for those things that are going to happen for us, and some of the old monolithic control models are breaking down. We’ve been through this in the old days when PCs came into the mainframe environment, and that’s a very close parallel. I think you are always more successful if you try to embrace new technology rather than keep it out of your environment. Your customers will stay happier, and you’re going to get more work done. And I think there are ways of mitigating the risks with that.”
Ironically, the drive to BYOD is also being championed in some cases by top executives — young elected officials who grew up with personal computers and cellphones and who bring their mobile devices to work in the mayor’s office, city council or county commission. As executives, their workday may extend beyond normal hours, and they may need to be on call for emergencies or to stay informed. In such circumstances, integrating a personal device just makes sense, especially if the alternative is telling the boss, “No, you can’t use your iPad for work.”
“We’ve been fortunate with iPads,” said Armstrong. “The mayor has his own, our new city manager came in with his own, so this is not unknown territory for a lot of our people. All of our assistant city managers have them, and everybody who has one loves it. … Carrying an iPad, they still have access to email, some business applications and they’re wonderful for note taking.”
Modesto, Calif., is another city deploying iPads, along with Apple and Android smartphones, for tasks like managing legislative agendas.
“In the field, we’ve also outfitted a lot of our officers as well as executive staff who want to do procurement,” said CIO Bryan Sastokas. The challenge now is with public safety, he said. “We can secure devices, and we can also secure the back end. We’re working on securing the communications, so that when a drug enforcement agent goes out to do a bust … they know they are not going to have those communications hijacked.”
Currently only city-owned tablets access critical internal systems, such as agenda management, GIS mapping and procurement, said Sastokas. Smartphones — iPhone, Android and BlackBerry — are both city-owned and employee-owned, with access dependent on what services and applications the employee needs.
Late last year, Internet pioneer Vint Cerf told the Financial Times that to reduce or eliminate security problems, he’d suggest the Internet be “done over.” In the same article, a security expert said, “The fight to secure the current Internet is unwinnable.”
Photo: Vint Cerf. Photo by Wikipedia.com
In the face of unrelenting attacks, patches, upgrades and well publicized releases of confidential data, how can a jurisdiction seriously consider lashing a bunch of privately owned wireless devices — with a variety of operating systems and hosting an unknown number and variety of apps — to a government LAN?
Clark County’s Fucci said she certainly doesn’t have all the answers. “With HIPAA [Health Insurance Portability and Accountability Act], CJIS [Criminal Justice Information Services] and personal data laws, I have not conquered data protection when our perimeter is expanded to include everyone’s personal device du jour. I am also unclear what this means with discovery requests.”
Oakland County’s Bertolini said that while much county data is public record, he is very worried about confidential data. “The areas that concern us the most are public safety and health and human services because of HIPAA. So what we’ve done in those areas, is work through policy. You don’t want them using their personal email to send that kind of data.
“Everyone has security in their data centers,” Bertolini added, “and you can spend millions on that. So everybody has a decision point: ‘This is how secure I want to be, and this is how much I’m willing to spend.’
“For example,” he said, “when we were working on our website a number of years back, they said, ‘Well you can be up 99.5 percent of the time, or you can be up 99.9 percent of the time.’ And my first question was: ‘How much is it going to cost me to go from 99.5 to 99.9?’ It was some ungodly number. So if I’m worried about eight hours a year, am I going to spend $400,000? Those are the same kind of decision points I think we are going to have with these devices. How much am I going to put in place, how much am I going to pay for it, and then how much more secure does that really make me?”
Policy gaps need plugging as well; technology can’t do it all. “We assign a laptop to somebody, and they put all their data on the laptop and then they lose it. So what’s my security there?” said Bertolini. “The question is: ‘Why did you allow them to take a laptop out with that data on it to begin with?’”
Oakland County’s electronic communications policy is short and to the point, with only seven items covering such specifics as no expectation of privacy, password protection, prohibited uses and so forth. Another short policy covers use of social networks. The policies are being updated to include use of personal devices.
Photo: Phil Bertolini, CIO, Oakland County, Mich.
Bertolini said the county has a public wireless network for attorneys to use at the courthouse, and that staff already log on to it with personal devices, so use of personal devices has been allowed but is restricted to email and password-secured apps. The next step is a VPN for use by staff mobile devices, he said.
Phoenix Chief Information Security Officer Randell Smith said the city requires that any device connecting to its network use VPN. But the city also requires access to personally owned devices that contain city information, so there have been few takers, he said.
To handle some of these issues, said Phoenix CIO Charles Thompson, the city is investigating a mobile device management platform that would help set policy on what could be accessed, what happens in case of loss or theft, etc. “Some folks were uncomfortable, saying, ‘This is my personal device, how can you limit where I can go?’” said Thompson, who at press time had taken a new job as CIO of Houston. “But if you are going to use it for city business, you are going to have to adhere to city policy. So we will end up having a city-owned device policy, and a personal-owned device policy, and a mobile device perspective when we’ve finished our work.”
Photo: Former Phoenix CIO Charles Thompson, now CIO of Houston. Photo by David Kidd
Another obstacle to BYOD that comes up repeatedly with local government is e-discovery. A city or county, for example, gets a subpoena for records related to some issue. But much of the discussion pertaining to the issue went back and forth via email on personally owned devices. What does the jurisdiction do then? While most jurisdictions reported few instances of discovery, an unprepared city or county receiving such a subpoena can find itself in serious legal trouble.
“The discovery issue is worrying me more than the privacy issue,” said Bertolini. In many cases, he said, email leaves no record unless the user saves it in the “sent” box or the recipient saves a copy. “There was a [Michigan] Supreme Court ruling recently regarding [the Freedom of Information Act], that if you release someone’s email, you have to redact all the personal email out. That’s difficult. If you apply that same theory to keeping the data, then the people who are actually performing the function have some requirements in regard to what they keep for discovery. So if I am working on a project that is going to set a county policy and I have a document that talks about that, then I either have to keep a hard copy or an electronic copy.”
Bertolini said discovery is difficult even without the added concerns of BYOD. “It’s been confusing for us, because they keep ruling in different ways as to how you have to redact data, or include data, or what’s included or is not included. Then there are tax, confidentiality and privacy laws that require certain pieces of information to be redacted. Old Social Security numbers are a perfect example. Federal law says you cannot give out people’s Social Security numbers. There are some things that are concrete but other things that are open to interpretation.”
Despite concerns about discovery, Bertolini thinks that policies requiring staff to turn in their personal devices in the event of a discovery subpoena will be counterproductive as they will discourage people from using personal devices for work. “Then you lose some of the benefits of the tool itself,” he said.
As mobile devices proliferate and innovative mobile services emerge, Gartner predicts that employees will become more like consumers, demanding a choice of devices — and enterprises will be forced to develop and support applications on a wider range of platforms than ever before.
Not surprisingly, the addition of new devices and different operating systems was seen by some as a challenge for tech support and help-desk staff. Roy Stone, a system support specialist for Long Beach, Calif., who replied via the Digital Communities Law Enforcement Information Technology Task Force, had this to say: “Even today I find a great many users who struggle with what I consider to be basic computer literacy — moving files, renaming files, finding files, creating a folder structure, adding a printer, making a printer the default, etc. This, to me, will exacerbate the already-heavy demand placed on tech-support personnel. Having more than the basic working knowledge of most desktop applications is almost a full-time job and now to add additional hardware and operating systems will likely overburden tech support personnel beyond the point of being able to deliver quality service.
“I believe BYOD is inevitable,” he added, “but so will be the addition of more tech support personnel.”
Even though BYOD users aren’t supposed to expect support from an agency help desk, it’s inevitable that support demands will increase as employees bring their own technology to work, said Steve Emanuel, former CIO of Montgomery County, Md., who was recently appointed New Jersey CIO.
“Those of us who have been doing this for a while realize you can’t get away from it. It’s no different than providing some level of assistance for work-at-home users who are using their own PCs,” he said. “We feel helping early adopters with application choices and device configuration will be a plus. Again, support will focus on ensuring there’s an understanding of the device-use implications and an added focus on security.”
Others are addressing support concerns through policy.
“We require that whoever buys iPads, gets the extended warranty,” said Armstrong, “because we don’t work on them, we don’t have those skills. I’m not sure you can even get into them. But we’ve had very few requests for training. Probably the most frustrating thing about the iPad is having to go through iTunes to get applications. Once we get to 100 units, we’re probably going to have to work out some sort of enterprise method of application delivery.”
A number of jurisdictions are considering or currently implementing a mobile device management platform to outsource many of the complexities of managing personally owned devices. These platforms can partition devices to separate personal and work activity, so ownership is less of an issue. Providers include AirWatch, MobileIron, SilverbackMDM and Zenprise.
One frequently mentioned option is Good Technology, a California-based firm that specializes in mobile device management. [Full disclosure: Good Technology is a sponsor of the Center for Digital Government’s annual thought-leadership white paper.]
The company’s technology provides a Web-based console where administrators can enable mobile access and set associated policies, said John Herrema, senior vice president of corporate strategy for Good Technology.
Users are then provided an activation key. They visit the Android marketplace or Apple app store, download the Good Technology client to their mobile device, and enter the make and model of their devices. They enter the activation key, and the company authenticates them and sets up an encrypted path between the device and the enterprise. The solution also segments content, partitioning the user’s personal information and activities from the government side.
“We don’t want the user or other applications to be able to extract that data and put it in the personal applications or services,” Herrema said. “While the user might want to do that, it’s obviously not very good from a security officer or data loss standpoint. So within our application, we build in controls where we can block the flow of documents or attachments to other applications, we can block cut-copy-paste, so you can’t physically move the data. Unfortunately users will sometimes put credit card numbers and other personal data into an account or email message. So by closing off and controlling our solution, we encrypt our own data, using our own encryption keys, and we are able to isolate what’s happening on the business side effectively from the personal side.”
Both Android and Apple devices are susceptible to being “rooted” or “jailbroken” — a process that gives users administrator-level access to these devices, allowing them to alter system applications and settings. Solutions like Good Technology will block rooted or jailbroken devices from accessing enterprise networks and delete government data from such devices.
Although these solutions are categorized as mobile device management, they’re really managing mobile data security, said Herrema.
“For example, I could put a password on the device, but if the data — once it’s on the device — could be extracted by an API [application programming interface] and copied up to a cloud service, it doesn’t matter if I have a password on the device anymore,” he said. “You really need to think about the data and the applications and how they behave, because if the data and the applications aren’t secure, it may not matter whether you’re managing the device. These iOS and Android platforms have a lot of other applications on them, with very open frameworks and APIs for access to data, so you have to be very careful so the applications themselves and the users don’t become a problem — not so much the hacker.”
Currently the smartphone and tablet market is dominated by two platforms: Google’s Android and Apple’s iOS — making it somewhat easier for CIOs to decide where to focus their efforts.
“Right now about 70 percent of the devices we’re activating are based on the iOS platform, so that would be different flavors of the iPhone or iPad. The other 30 percent are Android devices. And we’re not seeing any notable traction for other platforms right now,” said Herrema. “We’ll have to see what happens to the Windows Phone 7 that Microsoft and Nokia are starting to roll out.”
Because mobile device management solutions segment work data and personal data, users can immediately wipe work data from a lost or stolen device — even if they wait longer before deleting personal information. “They can make a personal decision about whether they want to wipe the rest of the data, or wait until they get home, because maybe the device is under the sofa cushion,” Herrema said. “So by having that clean separation, we not only get better security, but actually better user behavior.”
Mobile device management solutions also can eliminate the need to confiscate user devices in order to deal with e-discovery.
“We don’t allow that data to leak off into other applications. So I don’t have to take the user’s device back,” he said. “I know the data couldn’t have left those business applications — and those business applications are always synchronizing their data back to my mail servers, that are sitting on premises. That’s one of the reasons health care, for example, is one of our largest segments, because they have both HIPAA and e-discovery challenges.”
Desktop virtualization is another technology that will help build the case for use of personal mobile devices. Bertolini said that with cloud computing and secure passwords, the mobile device consumes the app, and doesn’t store any data on the client. That means there’s no data sitting on a personal iPad if a device is lost or stolen. There are still policy issues to address, said Bertolini, for when a user, for example, opens a Word document and saves it to the device.
At home, mobile devices can be fascinating. On the highways, they can be a dangerous distraction. Integrated into government operations, city and county officials say, they can provide productivity gains, cost savings and better service to the public. But there are some significant hurdles in both policy and technology to making effective use of them while avoiding the liabilities. As usual, the risks and rewards must be weighed. And where the rubber meets the road is return on investment.
Corpus Christi tried an interesting strategy. Instead of having employees pay for personal use of government-provided phones, the city simply stopped furnishing cellphones but now provides reimbursement for business use of personal phones. “Our savings are about a quarter million dollars a year,” said Armstrong. “There was some resistance at first, but people realized they had a lot more choice in what device they could use — Apple sold a lot of iPhones that month.”
“I don’t submit a request for reimbursement for my 3G plan,” said Oakland County’s Bertolini, “because I use it for personal use and I do my email, it just makes me more productive. The other issue is, I’m much more mobile with this device. I have an iPhone as well, so when I’m somewhere, I can pop open my iPad, get into my email and answer the questions that need to be answered. I can do that any time of day, anyplace I am. And I’m using my personal 3G data plan to do that.”
Surprisingly, perhaps, using mobile devices during work hours to do personal business, play games, check Facebook, etc., did not come up as an issue. To the contrary, most people interviewed for this special report discussed their own increases in productivity, their ability to work at home, their connectivity to email, etc., as major advantages to BYOD. As Bertolini said, most jurisdictions already have a policy in place that deals with proper use of work time, which covers those bases.
And some research by iPass backs up the general sentiment. Mobile-enabled employees work an average of 240 more hours per year, according to the research, and waste about 28 minutes a day on “technology distractions” — roughly 121 hours annually, a savings of some 120 hours. “In net,” said the report, “the average productivity gains that mobile workers reported far outweighed technology distractions.”
“The challenges are on exempt versus nonexempt employees,” said Riverside CIO Steve Reneker. “You can easily do that for your exempt employees, but when you get into the nonexempts, or those who are part of bargaining units that may require overtime, that might become a sticking point. I think that depends on each organization and bargaining unit whether they are going to be able to allow it so that employees can freely take advantage of those platforms without demanding overtime for use.”
Photo: Steve Reneker, CIO, Riverside County, Calif.
Reneker partly credits the use of mobile devices — by the public as well as city crews — with improving response to public concerns. “The biggest app we have is our 311 app,” he said. “Basically it’s a camera. The first screen that comes up is a camera, so you can take a picture of a pothole, dead animal, graffiti — any blight that might be in an area — and we’ve developed back-end integration so that it gets entered directly into our Oracle Siebel CRM platform. If it’s graffiti, we already have a back-end process where it forwards right out to a graffiti abatement crew. If it’s something — classified as ‘other,’ for example — that we don’t have back-end integration for, a 311 operator looks at it and forwards it to a department for resolution. It’s that level of responsiveness and requirements that we’re going to see more and more need for.
“From the standpoint of the employee, they gain benefits from the same applications that we roll out to the public,” Reneker said. “Even when they are on work, they can report issues that they might not otherwise do by leveraging the same devices. But being able to leverage some of the mapping components, you no longer need navigation in your vehicle, you now can leverage those devices to do those kinds of things. We’re also able to deliver more sophisticated applications internally — integration into the help desk, to manage and create help-desk tickets, so that it’s seamless to Outlook and Exchange in the back end. Those are really the primary uses we’re seeing today. But I also see that it’s going to offer more advanced capabilities for being able to link into video security for public safety purposes, once the security aspects are clearly defined and addressed.”
“These devices are low cost, for the most part, and very functional,” said Bertolini. “So if you have field workers that [go] out to see a company that’s thinking of locating a business in your area, and you’re able to take that iPad and show an aerial photograph and then be able to zoom in and look at lot dimensions, vacancy and all those different issues, that’s a pretty powerful tool. So having that data at your fingertips, and the tablet just makes it much more user-friendly.”