The Chief Information Officer (CIO) of the US Army, Dr Raj Iyer, has welcomed the arrival of “Bring Your Own Device” (BYOD) in the Army, saying that he had made his first Teams call on his own device using a setup that entailed use of the Hypori Halo application hosted in the cARMY cloud – the Army’s enterprise cloud environment that currently offers shared services in the Amazon Web Services and Microsoft Azure clouds.
The US Army – like others across the national security estate on both the US and UK sides of the pond – has long struggled with locked-down and sometimes ageing government-furnished laptops and other IT equipment that delivers an end-user experience so frustratingly slow and clunky that it can drive users to despair. The ability to BYOD offers the hope of faster speeds and better user experience (UX) on soldiers’ own devices.
(During the pandemic the US Department of Defense launched the “Commercial Virtual Remote” (CVR) environment to accommodate remote work. This rapidly became the largest Microsoft Teams deployment in the world and was welcomed by end-users for bringing department-wide enterprise collaboration tools to DOD. However, it was sunset in 2021 amid security concerns and was reportedly only ever intended as a stop-gap measure.)
Army BYOD: 20,000 now, more later…
“Army BYOD is here! I made my first Teams call using my personal phone today with the wonderful Lily Zeleke, Deputy DOD CIO who has been a great partner enabling Army success. The call was flawless with no degradation in video quality even though the Hypori Halo app is streaming pixels from the cARMY cloud to the mobile device” said Dr Iyer on LinkedIn, emphasising: “It’s been almost 18 months since the DOD sunset CVR leaving our users without BYOD capability. This Army implementation is the most secure solution in the market today”.
“Over the next few days I will continue to test and provide updates on how well it’s working,” he added in the social post.
The US Army initiated a Phase 3 pilot to evaluate Hypori Halo for scale as a zero-trust BYOD solution for the Army, Army National Guard and the Army Reserve in May of this year. US Army CIO Dr Iyer confirmed to The Stack that his BYOD use this week was still part of that Phase 3 pilot: “We will have about 20,000 users as part of this phase for about six months and then move into full deployment mid next year” he said.
Speaking with us in January of this year, the US Army CIO said: “One of the things I was very careful about right from the get-go was to make sure if we were going to ask our users to bring their personal devices we address any privacy concerns that they had. Most of the BYOD-type solutions require the organisation to monitor your personal device; they have to put some kind of agent on your device that tracks what you’re doing to be able to remotely wipe your device. And in some cases if there’s some kind of a classified spillage, there was always a potential that the government would actually confiscate your device,” he said.
“We think this is a game changer. It’s commercially available technology; we have done some assessments of the cybersecurity posture, and it’s really good. So we just need to continue to make sure we harden it and make sure it works for us” Dr Iyer added in January. After robust Army Red Teaming and with it now on his own device, confidence levels are clearly high at the top that an answer to the perennial BYOD issue might be in sight.
(That's if the ROI can be made to make sense across a very large organisation indeed: Dr Iyer, hired as the first civilian CIO of the Army, has a mandate to take more of an enterprise approach to procurement across an estate that spans 2,370 systems and applications running on-premises; 40,000+ different analytics products; 1.4 million users; 150 system interfaces for the Army’s 72,000-strong digital workforce; $1.5 billion in annual hardware costs and nearly double that for software, according to one slide seen by The Stack.)
Hypori is touting cost savings of 5X over Government Furnished Equipment, but not everyone in the Army gets government-furnished equipment anyway. (Reservists, for example, may need to go to an armory to access communications equipment.) The agentless application is available for Android, iOS or Windows 10 devices. The app can integrate with existing DOD software and Microsoft Intune for advanced O365 identity management. It includes options for geofencing.
The company’s whitepapers are – to our eyes at The Stack – a little over-indexed on the noise-to-signal ratio.
We sought out CEO Jared Shepard (himself an Army veteran who worked as Lead Technical Planner for III Corps and helped architect the U.S.-built DoD Iraqi network infrastructure) to answer some questions. These included how the application performance could be “independent of device limitations”, what cryptography it uses, and why the company played down the need for “remote lock” in one whitepaper (“unnecessary - no data on the device”) then promised the ability to do just that in a Q&A answering the question of what happens when a device is lost (a key security concern). He came back crisply and helpfully.
He told us: “Hypori streams a fully independent operating system from the cloud to the edge device. The OS is isolated in a secure environment running in a cloud environment [cARMY in this case] and has the ability to deliver the power of cloud (compute, network, storage, reliability, etc) to the edge. It isn’t running within the form factor of a mobile device, instead it runs on servers, with datacenter speed and bandwidth.”
Tackling the privacy and device loss question he said: “We have no visibility or control of the edge device, we cannot dive into the device, delete or otherwise adversely impact the user’s BYOD device. If the device is lost or compromised, we simply invalidate the device’s secure key to our gateway and the device can no longer access the enterprise. As there is no data at rest or in transit, the device now presents no risk to the enterprise.”
Shepard added: “By only streaming rolling encrypted ‘change pixels’ to the edge, the user’s experience is far more bandwidth and battery efficient/consistent and never presenting a full ‘screen scrape’ from the server to the edge device. Asynchronously, Hypori Halo collects, hashes and encrypts user telemetry (think touch, type, swipe, click) and transports (over TCP using TLS) the telemetry back into the secure, isolated environment where it is then translated into a user action, just as it would if you had the same mobile application on your Smartphone, Tablet, or PC. Some of the unique technology of Hypori Halo is by giving the streaming OS the sense that it is native on the edge device and therefore the OS believes it is interacting directly with the hardware, not with middleware or software. This prevents many attacks and treats every accessing edge device as an ‘aggressor’ platform, never exposing raw data to the edge, or to the transport mechanism.”
The application currently uses a FIPS 140-2 encryption library and is “moving soon” to FIPS 140-3, he told us.
Others across the DOD running their own BYOD pilots will be watching with interest. The pilot is strictly voluntary, and beancounters everywhere will be looking closely at buy-in from soldiers, whether the cost of acquiring licenses from Hypori at scale makes sense versus handing out government equipment, and how performance holds up. For many though, it's a glimmer of light and a welcome opportunity to do work on a familiar, fast bit of consumer hardware with minimal additional issues associated with signing up.