Bob Stevens is the vice president of federal for Lookout.
From Hillary Clinton’s emails to White House Chief of Staff John Kelly’s smartphone, the use of personal technology for government business, and the related security risks of doing so, have been a hot topic in the news. So it came as no surprise when late last month, Sen. Ron Wyden, D-Ore., a leading congressional voice on cybersecurity, sent a letter to acting Homeland Security Department Secretary Elaine Duke and National Security Agency Director Adm. Michael Rogers urging them to better secure White House officials' personal devices and email accounts.
While I applaud Wyden for taking action to prioritize cybersecurity in the White House, I am concerned that the focus on personal technology takes attention away from the arguably greater threat posed by unsecured government-issued mobile devices.
Employees in the public sector use mobile devices every day to get their jobs done. Yes, some government employees use personal devices for their work, but the vast majority of mobile work is happening via government-issued devices. Indeed, the Government Accountability Office recently estimated that the federal government spends about $1.2 billion annually on about 1.5 million mobile devices and associated services. And alarmingly, according to a 2015 Lookout survey, 35 percent of federal employees reported encountering malware on their government-issued devices.
Because of the combination of features only available on mobile—connected via Wi-Fi or cell networks with voice, camera, email, location, passwords, contact lists and more—these devices have become an attractive target for cyber criminals and nation-states looking to spy on government agencies, infrastructure providers and others.
Mobile devices have also become critical to multifactor authentication. They are increasingly acting as the "thing you have" (which accompanies the "thing you know," such as a password) in two-factor authentication setups, which have become commonplace in government workplaces. This puts the mobile device squarely in attackers' crosshairs, as they may now breach the device in order to gain access to a targeted system.
Perhaps most importantly, government mobile devices represent an avenue to attack back-end systems containing tremendous amounts of personally identifiable information on millions of Americans, as well as unclassified, but still sensitive, information relevant to government functions.
It’s encouraging to see members of Congress proposing legislation that aims to secure internet of things devices. What’s often overlooked in news reports on these bills is that the key “thing” they must consider is the mobile phone. The Internet of Things Cybersecurity Improvement Act of 2017, introduced by Sen. Mark Warner, D-Va., states that the bill applies to every “physical object[s] that—(A) is capable of connecting to and is in regular connection with the Internet; and (B) has computer processing capabilities that can collect, send, or receive data.” It seems clear that this applies first and foremost to every smartphone or mobile device. I implore Congress to pass legislation that not only establishes minimum requirements for the security of devices purchased by federal agencies but also has teeth for enforcement. One simple federal agency enforcement mechanism would be to add mobile security-related metrics (e.g., reporting on risky or malicious applications detected on mobile devices) to the Federal Information Security Management Act.
Threats to government mobile devices are real and exist across the spectrum of mobile risk, including malicious targeted attacks to devices and network connections, non-compliant apps that leak data, and vulnerabilities in device operating systems or apps. The federal government cannot wait to address mobile security or get distracted by the latest high-profile security misstep. Personal and government-issued mobile devices alike must be secured today.