DHS Says New Security Approach Is Needed for Mobile Devices and Networks
The world has gone mobile, and that worries the Department of Homeland Security.
DHS says it lacks the authority to fully secure wireless networks and mobile devices like smartphones and tablets, which can be used as a pathway to attack government IT systems and hack sensitive data.
In an April report mandated by Congress, “Study on Mobile Device Security,” DHS concludes that mobile cybersecurity threats “require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections and have evolved independently of desktop architectures.”
The DHS recommends that several steps be taken to address mobile security gaps, including standards for reporting and information sharing on cybersecurity threats. The report also says the agency should coordinate mobility adoption across the government. Mobile devices should be assessed as part of DHS’s evaluation of mobile network infrastructure vulnerabilities.
Assessing the Mobile Security Threat
According to data the report cites from mobile industry association GSMA, there were 4.7 billion unique mobile subscribers globally in 2015, a figure that is expected to rise to 5.6 billion by 2020, or 70 percent of the world’s population.
Because the federal government cannot influence the market with its purchasing power, it must do so through its legislative and regulatory authority, and the report cautions that “special care must be taken in the use of these devices because the default level of security is optimized for consumer ease of use, which is not appropriate for federal employees.”
“The stakes for government users are high,” the DHS states. “Government mobile devices — despite being a minor share of the overall market — represent an avenue to attack back-end systems containing data on millions of Americans, in addition to sensitive information relevant to government functions.”
Systems managed by DHS, the Office of Personnel Management, the Defense, Treasury, Veterans Affairs, and Health and Human Services Departments “hold significant amounts of sensitive but unclassified information, whose compromise could adversely impact the organization’s operations, assets or individuals.”
Additionally, databases controlled by these agencies can “hold tremendous amounts of personally identifiable information (PII) that could potentially be used to compromise citizen financial wellbeing, privacy or identity.”
Malicious actors ranging from nation states to criminal organizations can train their fire at federal mobile assets, the report notes.
“The threats to government users of mobile devices include the same threats that target consumers, e.g., call interception and monitoring, user location tracking, attackers seeking financial gain through banking fraud, social engineering, ransomware, identity theft, or theft of the device, services, or any sensitive data,” the report notes. “This puts at risk not just mobile device users, but the carriers themselves as well as other infrastructure providers. Government users may be subject to additional threats simply because they are government employees.”
The threat vectors include the mobile device technology stack (mobile operating systems and lower level device components); mobile applications; mobile networks (e.g., cellular, Wi-Fi, Bluetooth) and services provided by network operators; device physical access; and enterprise mobile services and infrastructure, including mobile device management, enterprise mobile app stores and mobile application management.
Responding to Mobile Vulnerabilities
DHS recommends a new framework for mobile device security based on existing standards to ensure a baseline level of security for government mobility, “while providing the flexibility to address the mission needs, risk profiles, and use cases” of agencies.
Such a framework would, at a minimum, include mobile application security, enterprise mobility management, mobile device security and cellular network security, the report says.
Adoption of baseline standards — such as those defined in National Information Assurance Partnership (NIAP) mobile Protection Profiles, the European Union Agency for Network and Information Security and others — can enhance security.
Mobile apps purchased or developed by the government should be “evaluated against the Protection Profile for Application Software and the Requirements for Vetting Mobile Apps.”
Further, the DHS says, the government “should select mobile devices and enterprise mobility management products that have been evaluated to meet a minimum level of security, e.g., the NIAP Product Compliant List or other government approved product lists. NIAP approved products must be considered in the context of the environment of use, including appropriate risk analysis and system accreditation requirements.”
However, there are gaps DHS says it faces. First, the report notes that “DHS has no legal authority to require mobile carriers to assess risks relating to the security of mobile network infrastructure as it impacts the government’s use of mobile devices.”
Additionally, “while DHS has the authority to evaluate voluntarily provided mobile carrier network information, DHS has no legal authority to compel mobile carrier network owners/operators to provide information to assess the security of these critical communications networks.”
Securing Mobile Infrastructure Is Key
To address these gaps, the DHS recommends that Federal Information Security Modernization Act metrics be enhanced to focus on securing mobile devices, working through the Federal CIO Council’s Mobile Technology Tiger Team.
Additionally, the report says the Continuous Diagnostics and Mitigation (CDM) program should address the security of mobile devices and applications with capabilities at parity with those for other network devices (e.g., workstations and servers). The CDM program lets agencies identify cybersecurity risks on an ongoing basis and prioritize them by severity, so that cybersecurity personnel can mitigate the most significant problems first.
Further, the DHS says the National Protection and Programs Directorate’s definition of critical infrastructure should be amended to include mobile network infrastructure. DHS says its Science and Technology Homeland Security Advanced Research Projects Agency Cyber Security Division “should continue its work in Mobile Application Security to enable the secure use of mobile applications for government use. This effort includes continued collaboration with NIAP to automate Mobile Application Security testing.”
DHS should coordinate mobility adoption with other agencies, “as inconsistencies across the federal landscape can weaken the best of security practices,” the report says.
DHS recommends new research and development programs “to secure mobile network infrastructure and address current and emerging challenges impeding mobile technology.”
DHS, the report states, should “develop a new program in advanced defensive security tools and methods for addressing mobile malware and vulnerabilities that spans applied research through operations, including new ways to handle Common Vulnerabilities and Exposures (CVE) generation for mobile.” Such an effort would help foster mobile threat information sharing, the report says. If initiated, DHS should coordinate this program with existing efforts within DOD.
Finally, DHS should assess mobile network infrastructure vulnerabilities and the government “should actively participate in all key mobile security related standards bodies and industry associations,” such as the Third Generation Partnership Project (3GPP) and GSMA “to better understand risks and help develop consensus-based standards and best practices to represent America’s national interests.”