Insight by Carahsoft

Mobile devices remain the ‘soft underbelly’ of federal cybersecurity

Bob Stevens, the vice president of public sector for Lookout, said agencies need to understand the potential risks and threats against their mobile ecosystem.

In 2012, the Office of Management and Budget issued the digital and mobile strategy. Among the 29 goals of the strategy were things like using APIs and ensuring agencies buy devices and services in a more coordinated way.

Now almost six years later, the discussion around mobility and mobile devices has evolved.

Agencies now buy mobile devices and services through a centralized set of contracts in an effort to reduce fragmentation and duplication of more than 1,200 mobile agreements and 200 unique service plans that cost the government about $1 billion annually.

Now almost six years later, the acceptance and the ability to secure mobile devices have led the Defense Department to develop a way for employees and soldiers to use mobile devices in secure spaces. In fact, the Committee on National Security Systems issued a new policy in November giving the official in charge of a secure space the authority to decide if mobile devices will be allowed in the area. The policy covers secure spaces up to the top secret rating.

Even with these signs of progress, the mobile environment remains complex and in need of better ways to secure and manage data, apps and devices.

Bob Stevens, the vice president of public sector for Lookout, said despite these efforts most agency mobile device strategies, particularly around security, remain in the nascent stages.

“The threat is really across the spectrum. It’s around the applications on the device and the vulnerabilities that exist in the operating systems. It’s in the networking capabilities so when they attach to WiFi as mobile devices always are trying to attach to WiFi devices. It’s also in the Web browsing that people use today,” Stevens said on the Innovation in Government show. “Mobile devices are the soft underbelly for the bad guys to attack.”

Unlike desktops and laptops that agencies have locked down and made less vulnerable over the past decade, Stevens said many of these mobile devices remain exposed to attacks. And because federal and contractor executives carry smartphones and tablets around almost wherever they go, the hackers, nation states and other adversaries see them as an avenue to steal data.

“A lot of people have a belief that mobile devices are inherently secure, which can’t be further from the truth. They are insecure as anything else that we use in our daily lives, and the bad guys know that, for the most part, because we have that belief, they know it’s an easier attack vector for them because they know it would be easier to compromise than other potential devices,” Stevens said.

There have been several recent examples of this challenge for agencies. In October, White House officials said someone hacked into chief of staff John Kelly’s personal smartphone. And in January, Defense Secretary James Mattis let it be known he is considering banning personal cellphones from the Pentagon.

Stevens said, at least for federal employees and contractors, a cell phone ban may be the easiest way to ensure security, but it’s probably not the best way.

“The best option is to understand the mobile ecosystem and then take appropriate action to make sure they are safe and secure for employees to use,” he said. “If you go down the banned path, you potentially risk demotivating employees and lowering morale. It will be tougher to recruit millennials, for example, because they are used to carrying their mobile devices anywhere they go in the world so they will not be real happy if they are told to check their mobile devices in the car. And think about the loss of production as a result of that. If my mobile devices are in my car or in a safe somewhere, how many times am I going to go check it throughout the day and reducing my productivity?”

Stevens said agencies can take several steps to lock down the ecosystem. Many departments already have implemented mobile device management (MDM) software, which is a good policy enforcement tool.

Stevens said the next capability agencies should consider is a mobile threat protection (MTP) tool, an application that resides on a device and provides near-real-time analytics of the applications, the operating system, the WiFi connection and other potential threat vectors.

He said agencies also may want to consider containers to keep data in secure areas and away from the open Internet as well as data encryption.

When dealing with mobile devices and infrastructure, Stevens said, like so many things, agencies should understand their risks across the entire infrastructure, including malware on applications, potential man-in-the-middle attacks and web browsing.

“Agencies also need to understand that their employees are using their personal devices to accomplish work because it’s easier for them and allows them to get their jobs done in a more efficient manner,” Stevens said. “Rather than stick your head in the sand, start to embrace it and try and help the employees become more productive while ensuring the security of the mobile devices is where you need it to be.”

About Lookout

Lookout is a cybersecurity company for a world run by apps. Powered by the largest dataset of mobile code in existence, Lookout is the security platform of record for mobile device integrity and data access. Lookout is trusted by hundreds of millions of individuals, hundreds of enterprises and government agencies, and such ecosystem partners as AT&T, Deutsche Telekom, and Microsoft. Lookout is ISO 27001 and Privacy Shield certified and FedRAMP In Process. To learn more about Lookout Government Solutions, visit www.lookout.com/gov and follow Lookout on its blog, LinkedIn, and Twitter.
