FCC move to disable stolen smartphones won't stop government data thieves


A new nationwide system for shutting off stolen smartphones announced Tuesday might stop scammers from reselling government devices, but it won't necessarily protect the sensitive data inside, some information security experts say.

The wireless industry has agreed to block service, within six months, on portable electronics when users report them to police as stolen, Federal Communications Commission Chairman Julius Genachowski and law enforcement officials said Tuesday. The companies also are working to create, within 18 months, a single database containing the identification numbers of stolen devices worldwide so that thieves cannot swap carriers to avoid detection.

In Washington -- home of the federal government -- cellphones are stolen in 38 percent of all robberies, according to authorities. But while the national switch-off board might prevent fraud, confidential data stored in phones that are unencrypted still could be compromised, some information security experts say.

Several major agencies handling sensitive information have neglected to encrypt their employees' mobile devices, according to the White House's annual report on data security compliance.

The Veterans Affairs Department, the largest federal agency, reported that only 55 percent of its portable electronics inventory -- including smartphones, tablets and laptops -- is protected with a standard encryption format called Federal Information Processing Standards 140-2; NASA ranked at the bottom with a 41 percent protection rate; and the government's cybersecurity overseer, the Homeland Security Department, reported 75 percent of its devices were encrypted.

Most agencies reported encrypting at least 80 percent of their mobile devices, including 100 percent fully encrypted inventories at the State and Treasury departments and the General Services Administration and Social Security Administration.

AT&T, T-Mobile, Verizon and Sprint, the carriers that cover 90 percent of U.S. subscribers, have committed to participate in the phone-disabling database, FCC officials said.

The move comes after the Major Cities Chiefs Association, which represents New York, Philadelphia, Miami and other large U.S. cities, endorsed in February a resolution calling on FCC to require that communications firms disable stolen mobile devices to discourage future thefts.

The idea is that if the phones don't work, criminal rings won't have an incentive to lift them.

"This database will enable carriers to disable stolen smartphones and tablets, dramatically reducing their value on the black market," Genachowski said Tuesday, during a briefing on the initiative.

District of Columbia Metropolitan Police Chief Cathy Lanier said vigilance has not been enough of a deterrent for criminals.

But some security specialists said a larger problem for government is the lack of industry agreement on how to protect the sensitive information stored inside phones.

"The information in a cellphone is far more valuable than the ability to use it to make calls," said Tom McAndrew, an executive vice president at information technology compliance firm Coalfire. "The IT security industry has been struggling for years trying to figure out how to protect data at rest using encryption."

One of the major weaknesses with encryption on mobile devices is the inconsistency among industry standards, he said.

"It was not too long ago that anything in the federal government was made especially for the government, but now we rely on encryption solutions from the private industry," McAndrew said. "We have tried to standardize those encryption solutions using standards such as FIPS 140-2, but the vast majority of encryption solutions used in mobile devices are not certified to federal standards."

Federal phones also could fall prey to data thieves along the supply chain.

"Many mobile devices are manufactured with components from countries that are trying to get sensitive information from our federal agencies," said McAndrew, who also serves as president of the Seattle chapter of the global IT professional organization Information Systems Audit and Control Association.

The hardware, software and settings within communications devices must be validated as secure throughout the path of production, he added.

FCC's program "is a step in the right direction and will help provide some level of protection to consumers, but falls short of what federal agencies need," he said.

Officials at GSA, the purchasing arm of the federal government, said because the wireless industry database is still in development, it is too early to know whether the system will help its customers at agencies. Certain umbrella contract vehicles, including the large Networx telecommunications program, already require mobile device vendors to offer data security features, GSA officials said.

FCC officials did not immediately respond to a request for comment.
