May 8, 2017

min read

DHS Study Confirms Federal Agencies Need to Take Steps to Secure Mobility

thumbnail image of the study on mobile device security

The Study on Mobile Device Security published last Thursday by the Department of Homeland Security (DHS) Science and Technology Directorate and the National Institute of Standards and Technology (NIST) affirms that mobile security is critically important for our nation's cybersecurity.

Lookout is honored to have contributed to the study and our team looks forward to partnering with public and private sector allies to advance the security of our federal government.

The main takeaway from this landmark study is that despite advances, major mobile security gaps remain in the federal government. Closing these gaps as soon as possible is necessary to protect the significant amount of sensitive data and personally identifiable information (PII) held in government systems.

When I last spoke to federal security and technology leaders, I called on departments and agencies to embrace mobility, recognize that mobile is part of every agency's infrastructure, and treat it with the same priority as any other potential attack surface. The conclusions of this study closely complement those recommendations, and are reiterated below in the language of this new study.

Why the government must embrace mobility:

"Mobile devices on the market today are some of the most complex and capable computing devices ever created. Although many can now match the capabilities of desktops and are being marketed as desktop replacements, they have features and capabilities not available to any desktop."

Study on Mobile Device Security, April 2017

Mobile devices are incredibly powerful tools for delivering on the Government's mission to the American public. However, the advancement in mobile technology is a double-edged sword. As mobile devices become more powerful, they also become a more desirable target for attackers.

The major takeaway from threats like Pegasus and ViperRAT is that the era of the highly resourced attacker going after phones instead of network or desktop infrastructure has arrived. Malicious actors see mobile as a lucrative platform for gathering information about targets and regularly exploit the mobile environment for this purpose. This is true in both the private sector and the federal government.

Why the government must recognize that mobile is part of every agency's infrastructure:

"The stakes for government users are high. Government mobile devices—despite being a minor share of the overall market—represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions."

Study on Mobile Device Security, April 2017

Mobile technology has become an essential communication tool in the federal government, and mobile infrastructures have distinct operating systems that require a different security technology stack and best practices from desktop/PC endpoints.

Although many of the same risks that affect PCs also apply to mobile endpoints, mobility has introduced a new generation of risk and simply extending current PC security controls to your mobile fleet is ineffective. Government risk management needs to evolve to address mobile risks, and security professionals must architect mobile-specific security.

The government absolutely must view mobile as a priority endpoint to secure. This study is now the best place for federal departments and agencies to start their mobile security initiatives. It contains detailed information on mobile threats, vulnerabilities, and risks across mobile devices, apps, and networks.

Next steps to securing mobility across the federal government:

"Federal Departments and Agencies should, where needed, develop or enhance policies and procedures regarding Government use of mobile devices overseas based on threat intelligence and emerging attacker tactics, techniques, and procedures."

Study on Mobile Device Security, April 2017

The Study on Mobile Device Security contains best practices and extensive guidance on additional reference materials for mobility and mobile security from NIST, NCCoE, NSA, Gartner, and other industry groups. Government security and technology leaders should take steps now to implement this guidance.

However, even the best intentioned policies can only take government mobile security so far. The White House needs to require that mobile devices be secured like any other endpoint that accesses government data. The White House has met with senior people from industry on the EO to establish the American Technology Council. The administration and the ATC now need to integrate mobile into the development of cybersecurity efforts, not ignore it as administrations have done in the past.

The reason that I'm committed to increasing the urgency for federal mobile security is becuase Lookout has a unique vantage point on mobile risks and their potential to cause catastrophic data loss. We have the biggest data set of threat intelligence in mobile security - gathered from the 100 million devices, 150 global enterprises, and a growing number of federal agencies we protect - and can see how quickly mobile threats, vulnerabilities, and risks are growing in both number and sophistication.

Waiting for news headlines about the breach of a government agency via mobile is obviously not the right strategy. Federal security leaders who want to get a closer look at the potential impact of a mobile breach should contact us today.