Good News, Bad News for Federal Mobile Security
A DHS report to Congress indicates that security has improved even as threats have increased.
The U.S. Department of Homeland Security (DHS) has submitted a report to Congress that shows some good and bad news about the security of the government’s mobile device environment. “Threats to the mobile device ecosystem are growing, but also ... the security of mobile computing is improving,” said Dr. Robert Griffin, DHS acting undersecretary for science and technology, in a written announcement.
The report attributes improved security to significant safeguards implemented by operating system vendors and to federal departments and agencies putting into place enterprise mobility management systems to manage their mobile devices and apps.
On the other hand, the report says threats to the government’s use of mobile devices exist across all elements of the mobile ecosystem. These threats require a security approach that differs substantially from the protections developed for desktop workstations, largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections and have evolved independently of desktop architectures.
Threats to mobile devices range from those perpetrated by nation-states, organized criminals or hackers to loss or theft of mobile phones. Additionally, threats that target consumers—such as social engineering, ransomware, banking fraud, eavesdropping, identity theft and theft of services or sensitive data—also affect federal government users, according to the report.
Further, government mobile device users may be targeted with additional threats simply because they are public-sector employees. Lastly, the report warns that federal government mobile devices could become an avenue to attack back-end computer systems containing the data of millions of Americans and sensitive information related to government functions.
The report, which drew support from the Defense Department and General Services Administration, presents a series of recommendations to enhance government mobile device security. Key recommendations include:
- Adopt a framework for mobile device security based on existing standards and best practices.
- Enhance Federal Information Security Modernization Act (FISMA) metrics to focus on securing mobile devices, applications and network infrastructure.
- Include mobility within the Continuous Diagnostics and Mitigation program to address the security of mobile devices and apps with capabilities that are on par with other network devices.
- Continue the DHS Science and Technology Directorate applied research program in mobile application security to enable the secure use of mobile applications for government use.
- Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities, including ways to handle common vulnerabilities and exposures generation.
- Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include protection and defense against mobile threats.
- Create a new defensive security research program to address vulnerabilities in mobile network infrastructure and increase security and resilience.
- Develop policies and procedures regarding U.S. government use of mobile devices overseas based on threat intelligence and emerging attacker tactics, techniques and procedures.
The report is based on findings from the Study on Mobile Device Security mandated by the Cybersecurity Act of 2015.