State wants employees to use personal smartphones

LANSING – Michigan wants its government to be more mobile and cloud-based, but wants its employees to supply the tools of the trade.

This fall, the state Department of Technology, Management & Budget launched a "bring your own device," or BYOD, program for state workers. Rather than using a state-issued smartphone or tablet, employees can use their own device, loaded with an app that DTMB officials said allows employees to securely access work email, calendars, certain files and other functions remotely. The program is and likely will remain voluntary, said Tiziana Galeazzi, DTMB's senior executive assistant to the director and head of the BYOD rollout.

Officials said the BYOD program offers more flexibility, efficiency and productivity in state government and, while the state reimburses employees for data plans, saves taxpayer dollars because the government doesn't have to manage its own fleet of devices.

But the state's BYOD program — part of a broader digital strategy outlined in September — is being rolled out amid heightened concerns about cyber threats.

Over just the past several weeks, for example, hackers derailed the theatrical release of the film "The Interview," briefly shut down the Sony PlayStation and Microsoft Xbox video game systems, and caused a roughly 25-minute outage of the Michigan state government website.

"There's just example after example after example of things that are supposed to be secure and they turn out not to be," said Ray Holman, legislative liaison for the United Auto Workers Local 6000, Michigan's largest state-worker union. "And you're not talking about a car rental agency, here, you're talking about state government and there's lots of information we work with that people want to have access to."

DTMB spokesman Caleb Buhs said the state is "very comfortable" with the software's security, and noted the app — called MaaS360 and developed by the Blue Bell, Pa.-based Fiberlink Communications — has been widely used: General Motors Co., the U.S. Interior and Commerce departments and the federal Government Services Administration, and other state agencies such as the Nevada Department of Transportation use MaaS360, according to the app's website.

So far, 50 DTMB employees are part of the BYOD program and enjoying it, Galeazzi said Tuesday. The state hopes to replace 90 percent of all state-owned tablets and smartphones with employee devices by fall 2018.

The state pays a total of $25.50 per month per device for the MaaS360 app, Galeazzi said, including a surcharge for added security features. She said the state reimburses employees in the BYOD program $34.50 per month for data and $11.50 for telephone services.

That's cheaper than if the state maintained its own devices and data plans, Galeazzi said, but she didn't know the total amount the state would save if it hit its 90-percent goal.

She said DTMB's internal surveys and broader surveys about corporate BYOD programs showed employees enjoyed them and found them helpful, and she said such programs make the state more attractive to younger workers.

But Holman said "a glaring issue" is whether or not the state provides employees "the tools necessary to do their jobs." He pointed to glitch-ridden software in the Department of Human Services as an example of past problems.

And Holman and others said they were concerned about security, both of the state servers and workers' personal information.

"We have to give a serious look at a lot of different trends that will create more efficiencies in state government to save taxpayer dollars," said Ken Moore, president of the Michigan State Employees Association. However, he said the program "does create a large concern … that something (employees) might be processing in the field might later be compromised."

He said MSEA's own network had been recently infiltrated.

But Galeazzi said DTMB had "done a lot of testing" and found the app to be secure. Buhs noted that Michigan has actively addressed cybersecurity. And he said the state had used the MaaS360 software for years on state-owned devices without problems. State spending records available online show DTMB has paid Fiberlink $617,170 since the 2012-13 fiscal year.

MaaS360 "completely partitions" the state servers from the device, Galeazzi said, so employees couldn't even copy text from a document outside the app and paste it into a file in the app. That containment protects the state servers from employees' phones and employees' phones from the server.

That's a smart way to manage some of the cybersecurity risks of BYOD programs, the tech site ZDNet wrote in a 2013 feature on the topic. But hacks aren't the only risks: People lose smartphones, not desktop computers hardwired into a network at their desks. Disgruntled employees might disseminate private information.

And employees can engage in unsafe behavior.

In August, for example, an employee at the Anderson House Office Building likely had his personal iPad — which he sometimes used to check work email — hacked after he stopped paying for a pornographic video chat service, according to a Michigan State Police investigative report obtained by the State Journal through the Freedom of Information Act.

The employee, whose identity was redacted in the report, received a threatening email from someone claiming to be the husband of the woman the employee chatted with. The email included personal information about the employee — including his daughter's name and a reference to him working for the government — that the employee said he never provided to the chat service.

Buhs said neither legislators nor their aides can access state servers. Cathy Hunter, director of information systems for the state House, said in an email that House networks can't be changed remotely from employees' personal devices. Tim Bowlin, the House business director, said the Legislature uses internal network security and Internet filters and uses the built-in security features of its Microsoft Outlook email system to keep its networks safe.

Holman said his union already advises employees to use separate devices for personal and work-related activities because "when you start mixing the two together, you can start finding yourself in trouble."