The U.S. Department of Homeland Security (DHS) sent Congress a study on Thursday warning it of security threats to members’ mobile devices and a need for increased device security.
“The study found that the threats to the federal government’s use of mobile devices—smartphones and tablet computers running mobile operating systems—exist across all elements of the mobile ecosystem,” according to a DHS press release. “These threats require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections, and have evolved independently of desktop architectures.”
The report, Study on Mobile Device Security, was mandated by the Cybersecurity Act of 2015 and compiled by the DHS Science and Technology Directorate with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence.
The study reveals that the threat to the mobile device ecosystem—smartphones and tablets—is growing. These threats range from attacks perpetrated by nation states, organized criminal gangs, and hackers to the regular loss or theft of mobile devices.
U.S. government mobile device users are also susceptible to threats that target consumers, including social engineering, ransomware, and identity theft. “Further, federal government mobile device users may be targeted with additional threats simply because they are public-sector employees,” DHS said.
The study also warns that government employees’ mobile devices might be targeted to give attackers access to sensitive computer systems.
“Government mobile devices—despite being a minor share of the overall market—represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions,” according to the report. “Systems managed by the Department of Defense, DHS, the Department of the Treasury, the Department of Veterans Affairs, Health and Human Services, the Office of Personnel Management, and others hold significant amounts of sensitive but unclassified information, whose compromise could adversely impact the organization’s operations, assets, or individuals.”
To address these threats, the report recommends that the federal government—and DHS in particular—take action to enhance mobile device security for government employees.
“DHS has a responsibility to not only secure the means of communication used by departments and agencies, but to safeguard the nation against emerging threats in both the physical and cyber domains,” DHS said. “Mobile technology is essential to the United States not just for government use, but also for the security and integrity of communications for businesses and citizens.”
The study recommended the government take the following actions:
Adopting a framework for mobile device security based on existing standards and best practices
Enhancing the Federal Information Security Modernization Act metrics to focus on securing mobile devices, applications, and network infrastructure
Including mobility within the Continuous Diagnostics and Mitigation program to address mobile device security
Continuing the DHS Science and Technology applied research program on Mobile Application Security
Establishing a new program on mobile threat information sharing
Coordinating the adoption and advancement of mobile security technologies into operational programs
Developing cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats
Creating a defensive security research program to address mobile network infrastructure vulnerabilities
Increasing active participation in mobile-related standards bodies and industry associations
Developing policies and procedures on government use of mobile devices overseas based on threat intelligence and emerging threats.