Home » Technology » Mobility » Mobile device security: A hurdle for federal agencies
A federal proposal to bolster cybersecurity published in the wake of recent government data breaches makes no specific mention of mobile device security, one of the most vulnerable and expanding points of entry into federal networks.
An estimated 40 percent of government employees will be using a smartphone, tablet or notebook by 2020, according to a report published by IDC Government Insights.
The simple fact that smartphones are more widely used will introduce new vulnerabilities into federal networks, according to Dennis Dwyer, a senior security researcher for Dell SecureWorks’ Counter Threat Unit.
“Imagine you are a government employee, you walk into your office on Monday and your smartphone is in your pocket,” Dwyer said. “What you don’t realize is that your phone was compromised by malware over the weekend.
“As you sit at your desk, a hacker may potentially use your cellular connection to remotely turn on your phone’s WiFi and attempt to access the agency’s server,” he added.
The federal government has taken steps to avoid this hypothetical situation from becoming a reality.
The Department of Homeland Security has a multifaceted approach to mobile device security in place, said Robert Palmer, acting deputy director of the agency’s Enterprise System Development Office. This strategy includes employee cybersecurity education, mobile device management (MDM) tools and an expansion of “derived credentials” — a technology that builds authentication into the device itself instead of an external access card.
Many experts insist, however, that there is more to be done and federal agencies remain static in a dynamic cybersecurity ecosystem.
“In this day and age, agencies have got to get away from the ‘good enough’ security model,” said Tony Rizzo, the entrepreneur-in-residence at Blue Hill Research.
Rizzo said this adjustment should begin with more uniform mobile security policies.
Homeland Security has a number of departments and divisions, each with unique security measures in place. This could mean the use of several different MDM solutions and possibly even different vendors across the agency, Rizzo said.
This differentiation is not viable long-term. “It’s no longer useful for individual departments to take on this issue,” he said. “It needs to be implemented from the top down.”
Rizzo recommends these top-down security measures include virtual SIM technology, which goes beyond a secure container’s separation of personal and professional mobile usage and instead integrates two different phone numbers into the same device.
He also suggests that agencies pay further attention to security on the app development side of mobile devices. While an MDM tool may secure a device, it does not secure the applications being used and it does not secure the data itself, he said.
Beyond specific measures, an ever-evolving security plan that adapts to new innovations appears to be the key to a strong long-term mobile device security infrastructure.
“Whatever plan you have in place, it should be a constantly evolving plan, not something you throw up on the shelf to gather dust,” Dwyer said.
Rizzo said there are obstacles to implementing this fully integrated and evolving security plan at federal agencies.
“They work at a snail’s pace,” he said of the federal government’s bureaucratic tendencies, “and new security measures are hard to get in and impossible to get out.”
A rigorous certification process to approve vendors for government contracts contributes to these delays.
“When it takes 18 months to close a deal with a MDM provider, you can’t go back, you can’t update, it’s almost impossible to dislodge that MDM tool,” Rizzo added.
Federal IT security departments may also find their budgets cut if they effectively secure a network because the absence of a breach doesn’t write headlines or capture the attention of legislators drafting the annual budget, Dwyer explained.
“[Legislators] start to ask, ‘If we haven’t had any problems, why do we have to blow up our budget to beef up the server?’ It’s that kind of mentality that is dangerous,” he said. “A breach will happen.”
While the federal environment may not be conducive to drastic changes in mobile security policy, these changes remain a necessity.
“Going forward, federal agencies have to grab mobile security by the horns and wrestle that bull to the ground,” Rizzo said. “The agencies that don’t will be the ones on the front page of the news.”