DHS should take lead securing mobile device ecosystem, says internal report


In this Feb. 17, 2016 file photo an iPhone is seen in Washington. The FBI is defending its decision to withhold information on how it unlocked an iPhone used by one of the San Bernardino, California, shooters. The Justice Department in January 2017 released heavily redacted records in response to a Freedom of Information Act lawsuit from The Associated Press and other media organizations. (AP Photo/Carolyn Kaster, File)

A congressionally mandated report on threats to the federal government’s mobile device ecosystem has concluded that a substantially different set of protections is necessary. It also finds that the security of mobile computing is improving, thanks to mobile operating system vendors and to federal organizations implementing enterprise mobility management systems.

Prepared by the Department of Homeland Security Science and Technology Directorate in consultation with the National Institute of Standards and Technology, “The Study on Mobile Device Security” submitted to Congress notes that “the enhanced capabilities that mobile devices provide, the ubiquity and diversity of mobile applications and the typical use of the devices outside the agency’s traditional network boundaries” pose challenges. 

Nation states, organized crime, hackers and common thieves can subject federal government mobile users to banking fraud, social engineering, ransomware, location tracking, eavesdropping, identity theft and theft of services or sensitive data. In addition, federal smartphones and tablets, despite representing a seemingly insignificant market share of the nearly 5 billion unique mobile network subscribers worldwide, may be targeted specifically as a means to access databases holding personally identifiable information on millions of Americans. 

The report looks at the greatest threats, mitigations and defenses to categories including the mobile device technology stacks, mobile applications, networks, device physical access and enterprise mobile services and infrastructure. 

It examines the current attack vectors and gaps in defenses for communication paths, analyzes emerging threats and best practices collected from NIST, other government agencies, nongovernment organizations and private industry, and makes recommendations for assessing and addressing the risks posed by unaddressed weaknesses in U.S. networks.

The report notes that increased government participation in developing domestic and international standards for a baseline level of security for federal mobility, and for application vetting processes, would be beneficial, though DHS has no legal authority to require mobile carriers to assess security risks or to provide information on mobile network infrastructure.

With this in mind, the report proposes that the Federal Information Security Modernization Act (FISMA) and the DHS Continuous Diagnostics and Mitigation (CDM) Program be enhanced to address securing mobile devices, and that new research and development efforts and cooperative arrangements be dedicated to defensive security, threat information sharing and vulnerability mitigation.

In addition, agencies and initiatives should continue critical research programs and pursue policy development to address inconsistencies in advanced defensive security tools and methods when citizen information services are taken into the field, outside the protections of enterprise networks and data centers.

The entire study can be found on DHS.gov.