We need systemic mobile IT security

While the cyber security landscape in 2020 was undeniably shaped by the COVID pandemic and widespread fears that disinformation could delegitimize a democratic election, the first quarter of 2021 was dominated by the “Sunburst” hack that compromised many federal departments and agencies. Amidst those compelling concerns, however, I believe that another vital infrastructure security issue has been largely overlooked. COVID, disinformation, and supply chain vulnerabilities have all underscored the criticality of systemic IT security for mobile devices.

It is time for all federal departments and agencies to fully embrace teleworking and mobile connectivity as one form of standard operating procedure. We cannot afford to be caught off guard again by the next pandemic or another exigency.

As a result of my own 16-year career in the Intelligence Community, I am painfully aware of how difficult the issues of teleworking and “bring your own device” (or “BYOD”) can be for certain organizations — but whether it is for continuity of operations in a crisis, improved efficiency, or quality of life issues for workforce retention, the shift to remote and mobile connectivity that COVID accelerated is here to stay. It is imperative that federal policies allow CTOs, CIOs, or CISOs to evaluate new requirements and procurement officers to acquire (or mandate in the case of BYOD) the needed security solutions.

As Dr. Thomas Wingfield, former Deputy Assistant Secretary of Defense for Cyber Policy, eloquently stated in a speech last November, “Organizations need to move from a paradigm of cybersecurity, to one of cyber resilience.”

Federal CISOs can no longer hope to have a well-delineated perimeter that they can securely administrate; instead, they will need to ensure functional resilience for mobile and IoT devices that are technically and legally beyond their control.

At a December 2020 AFCEA webinar entitled “Paper Security vs. Real Security,” several prominent information assurance leaders spoke to that very concept of federal workplace resilience in the contexts of COVID, BYOD, and FedRAMP. My own recommendation for operating in a zero-trust mobile environment is aimed at encouraging real resilience in lieu of paper compliance that either inhibits productivity in a modern workplace or else elevates risk exposure to unacceptable levels.

I have spoken with several government organizations that are currently grappling with how to make such an institutional transition. That will be no easy feat; however, there is no real alternative if the government is going to avoid obsolescence.

So, what would successful implementation of my recommendation look like?

There would need to be clear acceptance that employees must have the ability for full remote, mobile functionality to do their jobs. That does not mean the physical workplace would be eliminated — largely because there are still additive benefits of in-person collaboration as well as group morale that cannot be achieved through purely virtual interaction — but physical isolation should no longer impose any significant reduction in efficacy.  

Further, there would need to be agreement and acceptance that any mobile device utilized for government activity is subject to certain requirements, to include supply chain sourcing limitations and inclusion of selected security applications that can identify when compromises are being attempted. The “Pegasus” malware that was transmitted through messaging apps is but one example of why we need to widely deploy mobile security applications that can detect and prevent the spread of zero-day exploits. While I appreciate that some government employees may argue that they should not be obliged to encumber their personal property with specified applications, I would simply then respond that those devices should never perform government work. All employees could be offered government-issued mobile devices if need be to preserve civil liberties. 

I would like to underscore that mobile device management (MDM) itself is not enough; we need the ability to detect and block threats in progress. Two very good frameworks for understanding that need are the MITRE Corporation’s mobile attack matrix and NIST’s Guidelines for Managing the Security of Mobile Devices in the Enterprise. Last year, NIST also sought comments regarding updates to its Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. In my opinion, those resources make a persuasive case for mobile threat detection within any organization.

A very good example of forward progress in this area is the DOD Mobility Unclassified Capability (DMUC) sponsored by the Defense Information Systems Agency, which provides infrastructure at the enterprise level to ensure mobile connectivity and security for the warfighter in the field.  I sincerely hope that other departments and agencies will follow similar suit.

A final element for fundamentally improving the mobile ecosystem is to better assess the security vulnerabilities of “apps” themselves. Just as with computer hardware and other software, the race to market usually takes precedence over extensive security reviews. Many glitches (i.e., flaws or coding errors) are usually found and fixed after the product has been introduced into the marketplace. Given the options of either (1) mandating and enforcing elaborate security reviews of app prototypes (akin to FDA approval for a vaccine) or (2) providing a substantive third-party security review prior to installation of any app on a government issued or BYOD mobile phone that will conduct official business, I respectfully submit that (2) is the more viable and realistic option.

Sean Kanuck is founder and CEO of Exedec LLC, a strategic consulting firm, and an affiliate of Stanford University’s Center for International Security and Cooperation. He served as the first National Intelligence Officer for Cyber Issues (2011 – 2016).