One of the research and development projects offers a security system that sits on the phone level—an agency first.
The Homeland Security Department Science and Technology Directorate awarded $8.6 million in research and development contracts to five companies Wednesday to boost smartphone security across the federal government.
The department’s Mobile Application Security R&D project focuses on developing technology to fortify mobile devices and the software that often offers a way for attackers to access data or take over a device.
The threats to government devices are high because the devices usually operate outside of agency security systems and the value of the data stored on them, an April Homeland Security report on mobile device concluded. They often house citizens’ personal data, sensitive but unclassified information or details about government operations.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
These contracts aim to improve security across the enterprise—even for mobile apps developed by third parties and found in stores like Google Play or Apple’s App Store. Qualcomm Technologies received $1.8 million to develop a platform to continuously validate and secure third-party apps. United Technologies Research Center was awarded $1.4 million to create a cloud-based mobile app security system for Android devices that uses artificial intelligence and behavior monitoring to detect malicious and vulnerable apps. The department awarded $1.9 million to a joint project by Red Hat and Kryptowire to develop a platform for Android and iOS devices that enforces security checks throughout an app’s development life cycle.
Security on the Phone Level
The $1.8 million contract with Lookout Mobile Endpoint Security includes 2,500 licenses. It will mark the first time the department has offered federal agencies a smartphone security system that sits on the phone-level, said Vincent Sritapan, a program manager who leads mobile security research in Homeland Security’s Science and Technology division.
Previously, the department, which manages numerous governmentwide cybersecurity programs, only offered mobile device management support, Sritapan said. Mobile device management basically prevents all the phones within a particular organization from accepting files that are known favorites of computer hackers and forces them to follow certain organizational rules.
When a security system sits at the device level it can do much more complex work such as noting when a phone is behaving abnormally and alerting security staff that it might have been compromised.
Sritapan’s office will begin by providing the endpoint security system to offices within Homeland Security, but will later expand outside the department, he said.
In addition to the 2,500 licenses, the Lookout contract will fund the company to develop or improve specific services, including noting when mobile applications are engaging in risky behavior, such as beaming user information to overseas data centers, and when phones are connecting to risky Wi-Fi networks, said Bob Stevens, Lookout’s vice president for federal customers.
Other focus areas include disallowing apps that don’t come from official app marketplaces, ensuring phone traffic is only following certified and trusted paths through the internet and efficiently patching known vulnerabilities that hackers might exploit, according to a Lookout press release.
The contract is part of a Homeland Security push to ramp up mobile device security that includes a forthcoming policy that will require endpoint mobile protection for some DHS employees using smartphones while they’re overseas, Sritapan said.
Security on the App Level
DHS awarded another $1.6 million contract to the Virginia-based tech company Apcerto to use machine-learning to drastically shorten the government’s months-long process for vetting security on mobile applications.
The Apcerto platform can analyze and score the security of an application in a matter of minutes by comparing it to apps known to contain harmful software. It also checks the the application against baseline standards like the National Information Assurance Partnership, and notifies agencies when software doesn’t meet certain criteria.
“We want to automate pretty much every process associated with mobility,” Apcerto President and Founder Tom Suder told Nextgov. “You don’t want security to cost so much money that it costs more than building the application. You want to speed the cycles up and make it more affordable.”
Suder said Apcerto’s algorithm is currently trained on the Google Play store, which offers a database of good and bad applications that can be used in the platform’s comparison. With the Homeland Security funding, he said the group will begin adding data from Apple’s App Store to its system.
Suder said delegating tedious and repetitive vetting tasks to an algorithm will save money and man-hours, though he admits automation gives people less direct control. That said, people will still have final say on certification, and removing the potential for human error could reduce risk in the long run.
Automation can also increase the amount of software that can be analyzed in a given period, making app updates and security patches more readily available to employees. Suder believes delegating these otherwise manual vetting processes to an algorithm will help agencies become less hung up on cybersecurity and focus more on advancing their mission.
“You need to have [security], but you don’t want to stifle that innovation,” Suder said. “If you don’t have a good way to orchestrate application security, you’re not going to get very far. It’s got to be automated.”