Mobile security threats facing feds

What: "Study on Mobile Device Security," prepared by the Department of Homeland Security's Science & Technology Directorate in consultation with the National Institute of Standards and Technology.

Why: Mobile devices pose a special risk to the security of government systems and data, in part because commercial carriers aren't subject to the security controls that can be applied to federal networks. The Cybersecurity Act of 2015 required DHS to explore security gaps that arise from government's use of commercial mobile devices and recommend security improvements within the mobile device ecosystem.

The mobile threat requires a substantially different approach to security than desktops, particularly because mobile devices "operate outside of enterprise protections and have evolved independently of desktop architectures," the report said.

Nation states, organized crime and hackers use the same variety of threats against federal mobile devices as they do against consumer phones -- social engineering, ransomware, banking fraud, eavesdropping, identity and data theft.

Federal mobile users, the study said, may also be specifically targeted just because they're government workers, particularly because their devices could provide a way into computer systems that contain sensitive data on Americans or access to government functions.

Despite the growing threat, the study noted mobile device security is improving thanks to operating systems providers and mobile device and enterprise mobility management systems that inject additional scrutiny and manage security configurations.

However, DHS lacks legal authority to close security gaps with wireless service providers, the report said. While DHS can evaluate voluntarily provided mobile carrier network information, the agency doesn't have the authority to make wireless carriers provide information to assess their networks' security.

Although the General Services Administration has successfully leveraged the federal government's vast buying power to nail down group discounts with carriers, the study said that purchasing power may not be enough to give the federal government any leverage on wireless security issues with service providers.

According to the study, in the vast global wireless market of 4.7 billion users, the federal government has little influence. The study said it expects that number to increase to 5.6 billion users by 2020, encompassing almost three quarters of the world's population.

Verbatim: "When viewed against this backdrop, the use of mobile devices by the U.S. Federal Government is an almost insignificant market share. This means that the Government's ability to influence the market cannot be accomplished by purchase power alone, but must instead be achieved via its legislative and regulatory authority. It also means that special care must be taken in the use of these devices because the default level of security is optimized for consumer ease of use, which is not appropriate for Federal employees."

Read the full report here.