On May 4, the Department of Homeland Security (DHS) submitted a report to Congress that details current and emerging threats to the federal government's use of mobile devices and recommends security improvements across the mobile device ecosystem. The DHS Science and Technology Directorate (S&T) led the study in coordination with the National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE).
Mandated by the Cybersecurity Act of 2015, the “Study on Mobile Device Security” relied on significant input from mobile industry vendors, carriers, service providers and academic researchers.
“The Study on Mobile Device Security has found that threats to the mobile device ecosystem are growing, but also that the security of mobile computing is improving,” said Dr. Robert Griffin, under secretary (acting) for science and technology. “It outlines several important recommendations to strengthen security that will help the federal government keep pace with current and emerging threats.”
The study attributes the improvement in security to two developments: the substantial safeguards that mobile operating system vendors have built into their platforms, and the adoption by federal departments and agencies of enterprise mobility management (EMM) systems to manage their devices and applications. The areas that still need work give the federal government, industry and the research community an opportunity to close the remaining gaps in mobile device defenses together.
The study found that threats to the federal government's use of mobile devices (smartphones and tablets running mobile operating systems) exist across every element of the mobile ecosystem: the devices themselves, their operating systems and applications, the carrier networks they connect to, and the enterprise services behind them. These threats call for a security approach that differs substantially from the protections developed for desktop workstations, largely because mobile devices face a distinct set of threats, frequently operate outside enterprise network protections, and evolved independently of desktop architectures.
Threats to mobile devices range from attacks mounted by nation-states, organized crime or individual hackers to the simple loss or theft of the devices themselves. Threats that target consumers, such as social engineering, ransomware, banking fraud, eavesdropping, identity theft, and theft of services or sensitive data, also affect federal government users, according to the study.
Further, federal government mobile device users may be targeted with additional threats simply because they are public-sector employees. Lastly, the study warns that federal government mobile devices could become an avenue to attack back-end computer systems containing the data of millions of Americans and sensitive information related to federal government functions.
The study, which also drew support from the Department of Defense and General Services Administration, presents a series of recommendations to enhance federal government mobile device security. Key recommendations include:
- Adopt a framework for mobile device security based on existing standards and best practices.
- Enhance Federal Information Security Modernization Act (FISMA) metrics to focus on securing mobile devices, applications and network infrastructure.
- Include mobility within the Continuous Diagnostics and Mitigation program to address the security of mobile devices and applications with capabilities that are on par with other network devices (e.g., workstations and servers).
- Continue the DHS S&T applied research program in Mobile Application Security to enable the secure use of mobile applications for government use.
- Establish a new program for mobile threat information sharing to address mobile malware and vulnerabilities, including a process for generating Common Vulnerabilities and Exposures (CVE) entries for mobile vulnerabilities.
- Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include protection and defense against mobile threats.
- Develop cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats (e.g., vulnerabilities in the SS7 and Diameter signaling protocols, rogue IMSI catchers) and, if necessary, extend the legal authorities of the DHS National Protection and Programs Directorate (NPPD) to achieve these objectives.
- Create a new defensive security research program to address vulnerabilities in mobile network infrastructure and increase security and resilience.
- Increase active participation by the federal government in key mobile-related standards bodies and industry associations.
- Develop policies and procedures regarding U.S. government use of mobile devices overseas based on threat intelligence and emerging attacker tactics, techniques, and procedures.