A report detailing both the current and emerging threats to the federal government’s use of mobile devices, complete with a number of security recommendations, was recently submitted to Congress by the U.S. Department of Homeland Security’s (DHS) Science and Technology Directorate (S&T).
The report was mandated as part of the Cybersecurity Act of 2015 and relied significantly on information provided by mobile industry vendors, carriers, service providers, and various academic researchers.
DHS S&T found that threats exist across all elements of the federal government’s use of mobile technology, including smartphones and tablet computers, each of which require a different security approach from that of desktop workstations. These threats exist for mobile devices, the report said, due to the fact that mobile systems are exposed to a distinct set of threats that operate outside of enterprise protections and have evolved independent of desktop architectures.
The report also cautioned that federal mobile devices may become an avenue to attack back-end computer systems, which contain the data and sensitive information of millions of American citizens.
To address numerous security concerns, the report recommended that the federal government adopt a framework for mobile device security based on existing standards and best practices, that it enhances the Federal Information Security Modernization Act’s metrics to focus on securing mobile devices and network infrastructure, and that it include include mobility within the Continuous Diagnostics and Mitigation program to address mobile device security.
DHS S&T also recommended the federal government create a new defensive security research program to address mobile network vulnerabilities and that it increase active participation in key mobile-related standards bodies and industry associations, among others.
The National Protection and Programs Directorate, the NPPD Office of Emergency Communications, the NPPD United States Computer Emergency Readiness Team, the National Cybersecurity and Communications Integration Center, and the Office of Cybersecurity and Communications Network Security Deployment all provided information used in the report.