On Tuesday, I had the great pleasure to speak at the U.S. Chamber of Commerce's 5th Annual Cybersecurity Summit. This premiere event convenes public and private sector leaders around one of our most pressing national security concerns. My presentation focused on how U.S. Government CIOs and security professionals can secure the next frontier for cyber attacks: the mobile device.
Mobile is critical infrastructure for government agencies, corporations, and, in a way, everyday citizens. Because of that, mobile has also become the new frontier for attack and it needs to be secured.
Enterprise app development is exploding. Workers are using mobile devices to consume, create, and share just as much, if not more, sensitive data than they do on their laptops or desktops. In fact, mobile apps represent more than half of Internet use today.
Because of the combination of features only available on mobile — always-connected to Wi-Fi or cell networks, a microphone, a camera, and access to email, location, passwords, contact lists, and more — mobile has become an attractive target for cybercriminals and therefore a critical endpoint to secure.
Indeed, given the proliferation of mobile apps, if you gain access to someone’s mobile device you gain access to their life, both work and personal. Marc Benioff, CEO and founder of Salesforce, famously stated that he runs his company from his phone. In fact, every CEO and government official I’ve spoken with in the last few years does a majority of their business from their smartphone.
The increasing dependence on mobile devices for productivity is the driving force behind major changes in the cybersecurity balance of power.
Here are the three mobile security takeaways that I presented in my talk to the U.S. Chamber of Commerce.
1. Mobile is the new frontier for cyber attacks
Just about a month ago, Lookout, together with our research partner Citizen Lab, reported on Pegasus, a mobile spyware threat targeting high-value individuals around the world.
Pegasus is an extremely sophisticated threat sold to nation-states for millions of dollars and is designed for high-value targets including: activists, journalists, government officials and corporate CEOs.
You can read more about this unprecedented threat here, including relevant details for both CISOs and non-technical executives.
The takeaway from the Pegasus discovery is that the era of the highly resourced attacker going after phones instead of network or desktop infrastructure has arrived. These actors see mobile as a fertile platform for gathering information about targets and regularly exploit the mobile environment for this purpose. This is true in both the private sector and the federal government.
At Lookout, our enterprise customers are seeing nearly 30 in 1,000 mobile devices encounter serious threats. When you consider that these detections include spyware like Pegasus, data exfiltrating trojans, and root enablers that compromise the integrity of the device, any infected devices introduce unacceptable risk to an organization.
2. Government agencies are behind in securing mobile
Many government agencies believe they aren’t actually subject to cyber-threats from mobile devices because they don’t allow personal mobile devices to access their networks and they feel their GFE (government furnished equipment) issued devices are safe because of usage restrictions or their use of Enterprise Mobile Management software. Unfortunately, the opposite is true.
Lookout conducted a study of Lookout-protected mobile devices associated with the networks of 20 different U.S. federal organizations and found that these federal mobile devices had a significant exposure to app-based threats, with 110 serious mobile threat encounters per 1,000 devices per year. In a separate study of 1,000 U.S. government employees, nearly 40 percent of employees at government agencies with rules prohibiting the use of personal smartphones at work say the rules have little to no impact on their behavior.
That said, we do see some signs of progress:
This is real progress, but given the severity of the risk, more immediate action and accountability must be taken.
- As required by The Cybersecurity Act of 2015, the Department of Homeland Security Science and Technology Directorate (S&T) conducted a study on threats relating to the security of the mobile devices used by the federal government. Resulting from this study, NIST, just two weeks ago, issued the Mobile Threat Guidance report to assist public and private sector organizations in defending against threats to mobile devices and mobile infrastructure.
- NIST 800-53 (Rev. 4), which provides guidelines for selecting security controls for information systems supporting federal agencies, requests that malicious code protection mechanisms exist at information system entry and exit points, specifically noting mobile devices. These guidelines will hopefully impact major federal mobile device deployments such as those being planned in support of the 2020 Census managed by the Census Bureau and the Department of Commerce.
- Following news from Lookout about Pegasus, Congressman Ted Lieu (D-CA) urged Congress to have a hearing on mobile security.
3. A call to action for U.S. Government agencies
To move towards a more secure future, here’s my call to action for the U.S. government: embrace mobility, but recognize the security risks. Be dynamic and proactive with a robust mobile security policy. Recognize mobile is part of every agency’s infrastructure and should be treated with the same priority as any other potential attack surface.
As the threat landscape evolves, organizations must broaden their view of mobile security to include protection from vulnerabilities, malicious code (like the Pegasus spyware), and risky behaviors (such as apps that send data back to servers and potentially violate an agency’s compliance requirements).
By not effectively securing mobile devices, many agencies may actually be putting their compliance at risk as well. For example: HIPAA compliance applies to not just PCs but mobile devices as well.
- Every agency department head needs to be held accountable for prioritizing mobile security and implementing a plan for securing that environment.
- Smartphones and tablets must be secured alongside all IT assets
- Everyone needs to be protecting their mobile devices because, as we saw with Pegasus, the attackers have realized just how much data and information they can access via smartphones and tablets.
To put mobile security into perspective it helps to think back to 1999, a time when many organizations didn’t think they had a security “problem.” By 2001, we had seen millions of computers infected across the internet and businesses were disabled on a monthly basis having to cleanup malware infections from threats many of you probably recognize: Slammer, Blaster, Code Red, and Nimba.
The entire corporate world learned its lesson, which spawned a large portion of the current cybersecurity industry, and caused a change in strategy for many large firms. We swore we wouldn’t let it happen again, and we didn’t. Enterprise malware infection rates are in the fractions of a percentage point per year. On PCs, anyway.
In the mobile world, we have created the same type of ecosystem where malicious code is proliferating wildly. The bottom line is that mobile is being exploited on a daily basis and we all need to do a better job of protecting the mobile data and devices that power the work of government.