Mobile device security organizations stepped up in a big way this summer to attempt to bring the U.S. federal government’s digital communications into the 21st century.
Companies such as BlackBerry—which last year stopped manufacturing cell phones—have been working with the government to create and disseminate software that protects mobile devices from eavesdropping or interception.
Between U.S. President Donald Trump’s issuance of the cybersecurity executive order that focuses on protecting federal networks and the U.S. National Security Agency’s (NSA) adoption of solutions like BlackBerry’s, the U.S. government is acknowledging the trend towards the mobile workplace—even when conducting classified business.
Trump caused headlines when he continued using his personal Android smartphone once he took office in January and, even after officially switching to a government-issued iPhone, gave his mobile number to world leaders. Experts agree that no mobile device can be completely secure, which is why sensitive phone calls have traditionally been conducted on secure phone lines in the White House or in the president’s private car.
Still, cell phones are undeniably ubiquitous, and the personnel in the upper echelon of the federal government are provided devices with expensive, cutting-edge technology to prevent intrusion, says ASIS International Defense and Intelligence Council Vice Chair Matthew Hollandsworth, CPP.
“As the technology and encryption capabilities get better and are reviewed and approved by NSA, there is a capability to talk on a cellular device at the top-secret level and get classified-level data,” Hollandsworth says. “It’s very uncommon right now because of the expense and the risk associated with it. If I have a cell phone in my pocket that I can talk classified on, and someone calls me and I’m on the train, I’ve got to watch what I say. Those are the types of risks that are associated with the mobile environment.”
While Trump undoubtedly has a team of experts monitoring his mobile device usage, the thousands of public sector employees and federal contractors who might deal with sensitive information via off-the-shelf mobile devices may pose a national security risk, notes Tony Anastasio, who does telecommunications work for the Defense Information Agency.
“Mobile phones, in my opinion, are very dangerous to anybody, especially government people, diplomatic officials, consulates, and embassies,” Anastasio tells Security Management. “There are so many vulnerabilities and exposures in these things.”
Anastasio has worked in the telecommunications industry around the world for more than 30 years and says there isn’t a good understanding of just how vulnerable mobile devices are to infiltration.
There are no federal requirements about what types of mobile devices can be used by federal employees and contractors or what they can be used for. The U.S. Department of Homeland Security (DHS) issued a report earlier this year assessing threats to the government’s use of mobile devices and noted, “DHS has no legal authority to require mobile carriers to assess risks relating to the security of mobile network infrastructure as it impacts the government’s use of mobile devices.”
Hollandsworth, who has managed IT security for federal agencies such as DHS as well as contractors, currently works as the director of corporate security at government contracting company American Systems. He says that in his 20 years in the industry, he has watched the evolution of how federal employees use mobile devices—and the dangers the changes have brought.
“It used to be that you had your cell phone and all it was was a phone,” Hollandsworth explains. “Nowadays, workers need to be more mobile, so you’ve got hot spots pulling up, wireless connectivity in just about every coffee shop around, and almost every federal employee, whether it’s a government contractor or staffer, has some sort of mobile equipment—a laptop, smartphone, tablet, or whatnot. When you start adding all of that up, you look at all the information now stored on those devices that are no longer in the direct control of the organization you’re working for…it does introduce quite a bit of additional risk.”
Both Hollandsworth and Anastasio say mobile device requirements for mobile employees run the gamut. As carrying around a personal cell phone all the time became the norm, some companies implemented bring-your-own-device policies that allowed employees to use their personal mobile devices for work as well. However, tensions over device privacy and ownership led most federal organizations to give employees government-issued devices to have more control over security.
“From a security perspective, people didn’t want to give up the access to their phones, they didn’t want things configured for them, they didn’t want people getting into their laptops—lots of privacy concerns there,” Hollandsworth explains. “From a company or government side, I think they want more control over the devices. If it’s a personal device, if something were to happen or information were to get on that device that needs to be cleaned, well there’s a concern—is it government owned or personally owned?”
Anastasio has experience with the issue. A company he worked for previously frowned upon his use of an Android device that he had rooted—a method allowing unfettered access to the device’s source code—but he says he pushed back. “I’d challenge them—they would say I couldn’t do that with my phone, but you’re going to control my personal phone? I don’t think so,” Anastasio explains. “These employees would say, ‘Hey, it’s my personal phone, I paid for it. Who has the right to tell me I can’t put my kid’s pictures on my phone?’ It’s a very personal thing.”
However, many government contractors—especially smaller startups that can’t afford a robust secure mobile device approach—have mobile requirements somewhere between issuing their own secure devices and demanding complete access to an employee’s personal device.
“We do enforce certain security standards no matter if it’s a personal device or we give it to them,” Hollandsworth says. “At my company, after we authorize you to connect up your laptop or smartphone we push down certain security settings so you have to change your password every so often. There’s a host of other settings we require for you to improve your connection.”
However, that might not be enough, Anastasio argues. “A lot of IT guys may not have a good understanding of mobile networks,” he notes. “They just breeze over, say that you can’t have Facebook or other generic apps, but they don’t always dig into the signaling side of the network.”
The reality of mobile device security is that regardless of whether it’s a locked-down, encrypted, government-issued device or an off-the-shelf consumer phone loaded with apps, it’s only as secure as the network it uses. Anastasio describes a myriad of ways networks can open phones to vulnerabilities, from Signalling System No. 7, which can allow phones to be hacked and render two-factor authentication useless, to fake cell towers that steal information when phones connect to them.
“Your mobile could be 100 percent clean with no software, malware, or apps, and you could just roam into a rogue cell site, and they can still collect your information,” Anastasio says.
The DHS mobile security report notes that the stakes for government employees using mobile devices are high. “Government mobile devices—despite being a minor share of the overall market—represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions,” the report states. Because the use of mobile devices by the government is “an almost insignificant market share,” changes to mobile device security must be accomplished through legislation and regulation, the DHS report states. “The typical use of the devices outside the agency’s traditional network boundaries requires a security approach that differs substantially from the protections developed for desktop workstations.”
One regulation coming down the pipeline is a new U.S. National Institute of Standards and Technology (NIST) standard for protecting sensitive information in nonfederal information systems—including mobile devices. The standard was first published in December 2015, and U.S. Department of Defense contractors have until December 2017 to become compliant.
“Within the contracting community, whatever type of system you’re using, whether it be your laptop or cloud computing or a mobile device, the government is putting into their contracts that you have to have certain security requirements implemented within your networks,” Hollandsworth says. He says the requirement, NIST SP 800-171, has 109 controls that dictate everything from physical protection of systems to access control, and it will tighten how federal contractors can use mobile devices to store intelligence.
Anastasio points out that regulations such as NIST’s and rules enforced by individual agencies are only effective if they are thoroughly and consistently enforced. “Most companies don’t want to touch mobile security,” he says. “They give you guidelines, and unless they pay for that bill on your cell phone, you still have your own personal phone right next to the one your company gave you.” Consistent education about mobile vulnerabilities is important.
Employers also need to keep in mind that classified information shared over mobile devices can be compromised in an old-fashioned way—via in-person eavesdropping or leaks. Anastasio cautions that people discussing classified information on their phones in a coffee shop or in an airport are just as much a risk as someone using an insecure mobile device. Even transcripts of Trump’s classified policy phone calls with world leaders were leaked in August.
Hollandsworth is getting a doctorate in leadership and says learning about how today’s generation will continue to grow as a mobile workforce underlines the importance of implementing a strategy to safely conduct government work on mobile devices. “The risk can only increase,” he says. “The desire and the need is going to continue to increase with having mobility, more power in your hand with a phone, and with that there’s a technology risk aspect that needs to be addressed.”