The Department of Homeland Security (DHS) has submitted a report to Congress detailing current and emerging threats to the federal government’s use of mobile devices. The report recommended security improvements within the “mobile device ecosystem.”
DHS’s Science and Technology Directorate (S&T) led the study in coordination with the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE), with support from the Department of Defense and the General Services Administration.
Mandated by the Cybersecurity Act of 2015, the Study on Mobile Device Security “relied on significant input from mobile industry vendors, carriers, service providers and academic researchers,” DHS said in its announcement.
“The Study on Mobile Device Security found threats to the mobile device ecosystem are growing, but also that the security of mobile computing is improving,” said Acting Under Secretary for Science and Technology Dr. Robert Griffin. “It outlines several important recommendations to strengthen security that will help the federal government keep pace with current and emerging threats.”
Along with S&T, several DHS components contributed to the mobile device security study:
- The Management Directorate Office of the Chief Information Security Officer;
- The National Protection and Programs Directorate (NPPD);
- The NPPD Office of Emergency Communications;
- The National Cybersecurity and Communications Integration Center, National Coordinating Center for Communications;
- NPPD United States Computer Emergency Readiness Team (US-CERT); and the
- Office of Cybersecurity and Communications Network Security Deployment.
DHS said, “The improvement in security can be attributed to significant safeguards implemented by mobile operating system vendors and federal departments and agencies implementing enterprise mobility management systems to manage their mobile devices and applications. Meanwhile, the areas that need improvement will provide the opportunity for the federal government, industry and the research community to work together to solve the gaps in mobile device defenses.”
DHS said, “The study found that the threats to the federal government’s use of mobile devices — smartphones and tablet computers running mobile operating systems — exist across all elements of the mobile ecosystem. These threats require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections and have evolved independently of desktop architectures.”
Continuing, DHS noted that, “Threats to mobile devices range from those perpetrated by nation-states, organized crime or hackers to loss or theft of mobile phones. Additionally, threats that target consumers — such as social engineering, ransomware, banking fraud, eavesdropping, identity theft and theft of services or sensitive data — also impact federal government users, according to the study.”
“Further,” DHS said, “Federal government mobile device users may be targeted with additional threats simply because they are public-sector employees. Lastly, the study warns Federal government mobile devices could become an avenue to attack back-end computer systems containing the data of millions of Americans and sensitive information related to Federal government functions.”
The study put forth a series of recommendations to enhance federal government mobile device security. Key recommendations include:
- Adopt a framework for mobile device security based on existing standards and best practices;
- Enhance Federal Information Security Modernization Act (FISMA) metrics to focus on securing mobile devices, applications and network infrastructure;
- Include mobility within the Continuous Diagnostics and Mitigation program to address the security of mobile devices and applications with capabilities that are on par with other network devices (e.g., workstations and servers);
- Continue the DHS S&T applied research program in Mobile Application Security to enable the secure use of mobile applications for government use;
- Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities, including ways to handle Common Vulnerabilities and Exposures generation;
- Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include protection and defense against mobile threats;
- Develop cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats (e.g., SS7/Diameter vulnerabilities, rogue IMSI catchers) and, if necessary, extend the legal authorities of the DHS National Protection and Programs Directorate to achieve these objectives;
- Create a new defensive security research program to address vulnerabilities in mobile network infrastructure and increase security and resilience;
- Increase active participation by the federal government in key mobile-related standards bodies and industry associations; and
- Develop policies and procedures regarding US government use of mobile devices overseas based on threat intelligence and emerging attacker tactics, techniques, and procedures.
DHS said it “has a responsibility to not only secure the means of communication used by departments and agencies, but to safeguard the nation against emerging threats in both the physical and cyber domains. Mobile technology is essential to the United States not just for government use, but also for the security and integrity of communications for businesses and citizens. DHS’s mission is to ensure a homeland that is safe, secure and resilient. This report outlines steps by which DHS could further these objectives against the proliferation of threats against mobile technologies and infrastructures.”
“The report reflects many of the key security recommendations that Lookout sees as critically important for our nation’s cybersecurity,” Lookout Vice President Bob Stevens told Homeland Security Today.
“Top among them is the need for a unique approach to mobile security due to the federal government’s increased use of mobile devices for accessing sensitive digital data,” Stevens said. “Mobile technology has become an essential element of communication in the federal government, and mobile infrastructures have distinctive operating systems, requiring different security protocol than desktop architectures.”
According to the report, “a new program in advanced defensive security tools and methods for addressing mobile vulnerabilities” is needed to foster mobile threat information sharing, Stevens said, noting, “This program will need to handle Common Vulnerabilities and Exposures (CVE) for mobile and span from initial research to tactical implementation.”
“When it comes to mobile security and threat detection,” Stevens said, “the report notes there is a significant lack of information sharing when it comes to mobile security tools and techniques. Lookout is prepared to work with the federal government and fellow industry partners to increase the share of information of mobile vulnerabilities.”
The report stated that, in order "to foster mobile threat information sharing, DHS should develop a new program in advanced defensive security tools and methods for addressing mobile malware and vulnerabilities that spans applied research through operations, including new ways to handle Common Vulnerabilities and Exposures (CVE) generation for mobile. If initiated, DHS should coordinate this program with existing efforts within DoD. Finally, DHS should assess mobile network infrastructure vulnerabilities."
"Despite the efforts of the government and the commercial sector to address the increasing threat landscape with app vetting and threat intelligence tools and services, gaps remain, including … Lack of robust information sharing of threat intelligence and integration with security tools and techniques."
"Findings from review and analysis of the draft Mobile Threat Catalogue, RFI responses and one-on-one interviews include threats identified as high-priority, whether due to limitations in or lack of defensive mechanisms or because of the constantly evolving threat landscape and pace of technology change," the report stated. "The findings also include recommendations for enhanced information sharing, implementation of standards and best practices, and the need for the government to provide industry a unified view of its security objectives and requirements. The study’s analysis of threats identified the need for people, process, and technology defenses to address mobile security threats, and highlighted gaps in current policies, processes, and technologies that need to be updated or developed."
"Issues and areas of concern identified by industry [is] closer government-industry collaboration on information sharing on vulnerabilities and threat intelligence."
In addition, "Mobile Applications … Lack of robust information sharing of threat intelligence and integration with security tools and techniques."
The study said the NCC is working with the FCC, the Communications Information Sharing and Analysis Center (COMM-ISAC) and other government and non-government organizations to assess the national security and other risks associated with these SS7 vulnerabilities, "as well as to mitigate these risks. NCC also is aware that in response to the published research, GSMA has developed SS7 security recommendations mobile carriers can implement to partially mitigate these risks and prevent such attacks."
Finally, with regard to information-sharing, the report said, "Potential areas for additional research or partnerships within DHS include … Establishing a new program for applied research to operations in advanced defensive security tools and methods for addressing mobile malware and vulnerabilities, including new ways to handle CVE generation for mobile and mobile threat information sharing, e.g., Structured Threat Information eXpression (STIX), and Trusted Automated Exchange of Indicator Information (TAXII). DHS should coordinate this initiative with existing efforts within" the Department of Defense.
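To make the STIX/TAXII recommendation concrete, the following is an added example (not code from the DHS study, the article, or any vendor it quotes) of what a shared mobile threat indicator looks like on the wire: a STIX 2.1 bundle describing a malicious Android package, a validator for the bundle's required properties, and a minimal matcher that evaluates the indicator's pattern against an observed file. The malware family name, APK file name and SHA-256 are constructed placeholders, not real threat data, and nothing here contacts a TAXII server; a producer would POST such a bundle to a TAXII collection and consumers would pull it and run the match step against their own telemetry.

```python
"""STIX 2.1 mobile threat indicator: build, validate, match.

Added example, not from the DHS study or the article. Family name,
file name and hash are constructed placeholders; nothing is sent to
a TAXII server.
"""
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"
UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ID_RE = re.compile(rf"^[a-z0-9-]+--{UUID_RE}$")
# Only STIX pattern shape this example evaluates: one observation
# expression of equality comparisons joined by AND, e.g.
#   [file:hashes.'SHA-256' = '...' AND file:name = 'update.apk']
COMPARISON_RE = re.compile(r"([A-Za-z0-9_:.'-]+)\s*=\s*'([^']*)'")
COMMON = ("type", "spec_version", "id", "created", "modified")
REQUIRED = {  # type-specific required properties (subset of the spec)
    "malware": ("name", "is_family"),
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
# Constructed sample: hash of a fake APK body, not a real malicious file.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample apk bytes").hexdigest()


def stix_timestamp(now=None):
    """STIX 2.1 timestamps are UTC, millisecond precision, trailing 'Z'."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def make_mobile_indicator_bundle(family, apk_name, sha256):
    """Malware SDO + Indicator SDO + 'indicates' SRO, wrapped in a Bundle."""
    ts = stix_timestamp()
    malware = {"type": "malware", "spec_version": SPEC_VERSION, "id": stix_id("malware"),
               "created": ts, "modified": ts, "name": family, "is_family": True,
               "malware_types": ["spyware"]}  # constructed classification
    indicator = {"type": "indicator", "spec_version": SPEC_VERSION, "id": stix_id("indicator"),
                 "created": ts, "modified": ts,
                 "name": f"Trojanised APK distributed as {apk_name}",
                 "indicator_types": ["malicious-activity"], "pattern_type": "stix",
                 "pattern": f"[file:hashes.'SHA-256' = '{sha256}' AND file:name = '{apk_name}']",
                 "valid_from": ts}
    rel = {"type": "relationship", "spec_version": SPEC_VERSION, "id": stix_id("relationship"),
           "created": ts, "modified": ts, "relationship_type": "indicates",
           "source_ref": indicator["id"], "target_ref": malware["id"]}
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [malware, indicator, rel]}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if bundle.get("type") != "bundle" or not ID_RE.match(bundle.get("id", "")):
        problems.append("bad bundle envelope")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        oid, otype = obj.get("id", ""), obj.get("type", "")
        missing = [p for p in COMMON + REQUIRED.get(otype, ()) if p not in obj]
        if missing:
            problems.append(f"{oid}: missing {missing}")
        if not ID_RE.match(oid) or not oid.startswith(otype + "--"):
            problems.append(f"{oid}: malformed id")
        if otype == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:  # reference must resolve inside the bundle
                    problems.append(f"{oid}: dangling {ref}")
    return problems


def parse_simple_pattern(pattern):
    """Parse the AND-of-equalities subset into {object_path: value}."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected one bracketed observation expression")
    out = {}
    for term in body[1:-1].split(" AND "):  # values containing ' AND ' unsupported
        m = COMPARISON_RE.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported comparison: {term!r}")
        out[m.group(1)] = m.group(2)
    return out


def indicator_matches(indicator, observed):
    """observed maps STIX object paths (e.g. 'file:name') to observed values."""
    wanted = parse_simple_pattern(indicator["pattern"])
    return all(observed.get(path) == value for path, value in wanted.items())


if __name__ == "__main__":
    b = make_mobile_indicator_bundle("ExampleSpy", "update.apk", SAMPLE_SHA256)
    print(json.dumps(b, indent=2))
    print("problems:", validate_bundle(b))
```

The matcher deliberately supports only the equality-and-AND subset of the STIX patterning language; a production consumer would use a full pattern evaluator, but this subset covers the hash-plus-filename indicators that dominate mobile malware sharing.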
Stevens said, “Based on the report, despite significant advances in mobile security, gaps remain that will command additional effort by the government to reduce the risk of using mobile. Lookout believes the administration needs to take immediate steps to make mobile security a priority in order to keep government and citizen information safe.”