WASHINGTON — If you work at the U.S. Education Department, you can have your Gmail and work email on the same smartphone. Not so at the Environmental Protection Agency, where employees can’t put personal email on agency-issued phones.

President Obama drools over his daughters’ iPhones, but has long been restricted to a super-secure BlackBerry. Over at the Interior Department, top staffers are routinely issued iPhones.

Then there’s Hillary Clinton who followed her own path as secretary of state, with a private email on a home-based server and one BlackBerry for both statecraft and yoga routines. Clinton said she adhered to the rules in place at the time.

The U.S. government is struggling to tame a technological free-for-all for its 2.7 million civilian employees and their myriad phones, tablets and other devices. What’s emerged is a patchwork quilt of rules and practices that vary from agency to agency, all of which leave room for interpretation.

And it’s only going to get trickier. A new generation of workers now have better mobile devices than their agencies’ clunky options, and are pushing for more access and quicker connections. But that means greater security risks.

“You have a lot of people who want to use their own device,” said Daniel Castro, vice president of the Information Technology & Innovation Foundation, a Washington-based think tank. “You have people bringing in their iPhones because they didn’t want to use a BlackBerry.”

Advertisement

When Clinton was secretary of state from 2009 to early 2013, the State Department’s security restrictions barred having two email accounts on a government phone.

Analysts say it’s often those at the top of the pyramid who feel they can shun the rules. While the State Department counseled embassy employees not to use personal emails for government business, for example, Clinton was using her own email account.

Gary Gensler, the former chairman of the Commodity Futures Trading Commission, used a private email when working from home. And the former head of the EPA, Lisa Jackson, sent emails using the alias Richard.Windsor@epa.gov. And an inspector’s general report said Rafael Moure-Eraso, chairman of the Chemical Safety Board, improperly used a private email for government work in 2013. He says he has corrected the practice.

“If they decide the rules don’t apply to them, and you can’t install security, you can’t monitor and even track what they do, then you’ve created a blind spot,” said Bob Hansmann, director of product security for Austin, Texas-based Websense Inc. “You can’t defend what you cannot see.”

In addition to preserving the historical record, freelancing on email raises security concerns.

“The federal government is a huge target because of who they are,” said Richard Bejtlich, chief security strategist for FireEye, a cyber security firm. “They are big and they have hundreds of thousands of targets.”

The federal departments with the strictest rules are the Pentagon and intelligence agencies, where employees and visitors must turn off all mobile devices and deposit them in designated locked boxes before entering many offices and meeting rooms as part of routine security.

Among the agencies most at risk is the State Department. Last month, U.S. and private security specialists were still trying to expel unidentified hackers from the unclassified portion of the U.S. State Department’s email system, two officials said. The problem persisted at least three months after the hackers were first discovered because the intruders’ techniques keep shifting.

“The State Department’s email system has been compromised for months. It’s highly likely that it’s been compromised since forever,” Clay Johnson, a former presidential innovation fellow, wrote in a commentary published on Medium. Clinton’s “personal email was probably far more secure than her state.gov email account.”


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.