Mobile devices are in nearly every workplace, and increasingly serve as linchpins for authentication. Agencies must better understand and manage those risks.
The Presidential Commission on Enhancing National Cybersecurity and the Center for Strategic and International Studies (CSIS) both released reports recently that share a pressing message: the U.S. government must address mobile security now.
"The days of employees working only at an office using an organization-issued desktop computer fully managed by the organization are largely over," the Cybersecurity Commission states in its report. "Mobile technologies are heavily used by almost every organization's employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms."
Outdated strategies and new priorities
Employees in the public sector use mobile devices every day to get their jobs done, whether supervisors know about it or not. Fully 40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have little to no impact on their behavior, according to a Lookout survey. Further complicating the issue, 64 percent of IT security leaders say it is very likely that sensitive data is present on their employees' mobile devices, according to a survey from analyst firm ESG and Lookout.
So today, having a secured mobile workforce is a necessary component of an agency's overall security architecture. CSIS notes in its report that the "last formal cybersecurity strategy was issued in February 2002." The Obama administration released a "sixty day cybersecurity review" in 2009, which CSIS called "effectively a strategy," but neither report addressed the growing role of cloud computing and mobile devices.
CSIS: The next move is the president's
Because of the combination of features only available on mobile — connected via Wi-Fi or cell networks with voice, camera, email, location, passwords, contact lists and more — these devices have become an attractive target for cybercriminals and nation-states looking to spy on government agencies, infrastructure providers and others.
CSIS' recommendation is clear: "In keeping with the trend to cloud-based applications and data storage accesses from mobile devices, the president should task NIST to work with encryption experts, technology providers, and Internet service providers to develop standards and methods for protecting applications and data in the cloud, and provide security methods for data resiliency and recovery."
It further states that: "The President should issue an Executive Order directing OMB to draft a plan to secure all Department and Agency IT assets, including IoT devices and all network-connected devices, to be approved by the President no later than 60 days after assuming office."
The plan should include specific, actionable steps every agency must take to implement the plan immediately. Agency heads must be held accountable for the implementation and progress towards securing these systems.
In short: the federal government cannot wait to address mobile security.
The key role of mobile in two-factor authentication
The cybersecurity commission's report also provides the following recommendation: "Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication."
This should raise flags for agencies, especially those that still lack stringent mobile protection. Mobile devices are increasingly acting as the "thing you have" (which accompanies the "thing you know," such as a password) in critical two-factor authentication setups. This puts the mobile device squarely in attackers' crosshairs, as they must now breach the device in order to gain access into a targeted system. The report states:
"Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry-standard public key cryptography."
What visibility into mobile risks looks like
IT and security organizations within federal agencies can keep sensitive data safe only when they have visibility into mobile endpoints. This is no different from the typical SIEM technologies security professionals rely on for actionable security event data from other types of endpoints, such as PCs and servers. Mobile visibility, however, is dangerously missing from today's solutions.
Mobile security technology should further provide detection and remediation of: mobile malware, compromised operating systems (i.e., jailbroken or rooted devices), sideloaded apps (i.e., apps downloaded from third-party marketplaces), network attacks and risky applications.
"Malicious actors continue to benefit from organizations' and individuals' reluctance to prioritize basic cybersecurity activities and their indifference to cybersecurity practices. These failures to mitigate risk can and do allow malicious actors of any skill level to exploit some systems at will," reports the Cybersecurity Commission.
Government organizations cannot wait for a public, noisy data breach that originated on mobile devices to begin securing them, lest they become the headline they want to avoid.