May 24th, 2018

By Lookout

Over the past decade, the federal government has followed the rest of society in a general move towards mobility. The trend toward mobility is an essential part of fulfilling the government’s mission of service to the American public. More functionality and power is being put into mobile devices, which is a very positive development.

As more functionality moves to mobile, however, it becomes an increasingly valuable threat vector. We recently sat down with Kiersten Todt, the resident scholar at the University of Pittsburgh Institute for Cyber Law, Policy, and Security, to discuss this trend. Todt was recently a panelist at the Federal Innovation Summit held in Washington, D.C., sponsored by FedScoop.

Todt is also the president and managing partner of Liberty Group Ventures, LLC (LGV), a role in which she develops risk and crisis management solutions for cybersecurity, infrastructure, homeland security, emergency management, and higher education clients in the public, private, and nonprofit sectors. She recently served as the executive director of the Commission on Enhancing National Cybersecurity, which helped carry out President Barack Obama’s Cybersecurity National Action Plan. See the Q&A below.

1. Thank you for speaking with us. What’s the current climate within agencies right now with regard to mobile security? Who gets it and who is still stuck in 2010?

Todt: The climate and understanding can vary not just between agencies, but also between entities within agencies. How mobility is viewed is intrinsic to what the entity understands cybersecurity to mean.

There are varying levels of understanding within federal IT circles. But there is growing awareness that the most important endpoint has become the mobile device. When we see incidents like General Kelly’s phone being hacked, that of course is sobering but also a reminder of how we all maintain all our information on our mobile devices. The challenge is to ensure IT processes are aligned with the urgency of the mobile security requirement.

General IT awareness also varies within federal communities, and affects how mobile security is viewed. For example, some entities would say “well, we’ll never go to the cloud,” when they already have! The more you know about cybersecurity, the more you realize that moving to the cloud improves security for critical functions of all agencies – payroll, email, HR, and others.

Much of this improved security is provided by third party vendors, who have more day-to-day information on evolving cybersecurity threats. It’s smart for agencies to work with companies solely focused on this function. Innovation will, unfortunately, always outpace security. But working with experts closes the gap. It’s a logical extension of the “outsource non-core function” mindset.

Of course, agencies need to ensure they are working with the right partners.

2. Was there a big takeaway or aha moment on your panel last week?

Todt: Personally my big takeaway was, be honest about how secure something can be made. There was a discussion around the Google Play store, and how those applications had been “secured.” I’m sure Google is indeed doing more than in the past on this front. But when such assertions are made, complacency can actually increase mobile vulnerabilities. Our IT environments can never be 100 percent secure – that’s not being defeatist, it’s just being fully informed.

Of course, vendors will never want to emphasize the negative. But the fact remains that the bad guys will always be a threat, simply because they will discover issues not yet identified – the “zero-day” exploit.

For example, an individual device might be secure, but there are so many interdependencies and access points involved in the functionality that those can become vulnerable. We’re seeing malware getting injected earlier in the development process, to the point where applications are being built around the planted malware.

3. Is it dangerous for the White House, Pentagon and other agencies to be considering personal device bans?

Todt: It is very dangerous. The biggest reason why is that people will not follow the policy and find workarounds, which will be far worse for mobile security. I’ve personally seen an example in the emergency management space where official emails were being forwarded to personal email addresses to avoid a similar workplace ban. Obviously, the chances that email infrastructure is as secure as a government one are slim to none.

What’s needed are logical policies that take into account how people actually use mobility. The federal government has recently outlined some very clear steps agencies can take to improve mobile security. Mobile devices are an essential part of employee productivity today. I think most employees would say they simply can’t function without mobile devices.

I’ve used the analogy of a surgeon and a scalpel in discussions with my clients. There is a level of risk inherent in any type of surgery. Does that mean it’s logical to ban the use of scalpels by doctors? Outright bans are lazy policy and counterproductive.

4. What are the chances recent guidelines for mobile security become mandates, if agencies don’t move fast enough?

Todt: I think that’s very likely. Recent history shows us that it’s always better when change happens voluntarily, as opposed to via government mandate. No one likes to be told what to do, and oftentimes the government action will over-rotate and go further than it would have otherwise.

I think we’re seeing that now with the social media debate, Facebook, Twitter and so forth. The discussion is around what their responsibilities are regarding data usage and protection. The process takes time, but if actions aren’t taken voluntarily there will be government regulation. Collaboration is almost always more effective and productive.

I’d argue another example is the creation of the Department of Homeland Security in the early aughts. In the aftermath of the 9/11 attacks, there was a consensus that this country needed an agency solely focused on defense. The objective was a good one, but 22 federal agencies and departments were thrown together in a very short period of time. There’s broad agreement among those I talk to that absent the 9/11 catastrophe, the agency could have been constructed more efficiently.

5. What do you see happening around federal mobile security in the next 12-18 months?

Todt: I hope to see awareness continue to grow within government for the need to integrate mobile security into fundamental operations. This could be supported through executive or general cyber policy guidance. The report done last year by DHS outlines some effective ways to increase security.

The White House and OMB have a big role to play in supporting this broader awareness, and helping to translate it into policy. Better integration is required, as is embedding mobile security earlier in the development process.