What Federal Mobile Security is Missing
We need to rethink our approach to fighting foreign cyber threats.
Leading U.S. intelligence agencies recently issued a warning to Americans to not buy Chinese-made smartphones. Companies like Huawei and ZTE are known to have close ties to the Chinese government, and U.S. agencies appear to have reason to suspect these companies of cyber espionage.
Recent developments show the increasing determination of foreign powers to disrupt the U.S. political, military and social systems as much as possible. Mobile devices—and social media—are an immediate and exploitable attack target.
The need to secure these devices, particularly those of government employees, isn’t new. Yet today’s common cybersecurity measures are flawed. We need to rethink our approach to fighting foreign cyber threats. This involves not only understanding the weaknesses in today’s security measures but leveraging other methods to fill in those gaps.
Today’s Common Security Measures Are Flawed
Several federal regulations govern compliance of devices that work on National Security Systems, the most prominent being CNSS Policy 11. These regulations require either use of Common Criteria or CSfC certified solutions or getting approvals from NIAP/NSA for uncertified ones.
Yet the commercial off-the-shelf solutions currently available for federal and public sectors are far from ideal. Heavy modifications are often required to make and ensure these devices remain compliant. The level of needed security falls short for the most specialized phones. Employees are reluctant to carry heavily modified phones and resort to carrying two phones (one enterprise-owned and one personal), thus increasing risks for security breaches.
One alternative is to use specialized, hardened phones. Yet while these provide significantly better security, they are also very expensive, difficult to maintain, and aren’t always updated with the most recent hardware and software security measures.
The situation is only growing worse with time. More phone models appear to pose security risks via backdoors to foreign entities. The sophistication of attackers grows faster than the robustness of countermeasures.
There are ways to address all of the above challenges with U.S. technology and U.S.-made solutions. These solutions combine the advantages of COTS phones and specialized phones while providing superior levels of cybersecurity. They fortify standard COTS phones and tablets with a plug-in, hardware-isolated computation and storage container that renders existing and future threats harmless while maintaining compliance with U.S. government certifications and policies.
These solutions are the missing piece to many of today’s cybersecurity measures for mobile devices.
There Should Be a Layered Approach to Cybersecurity
“Missing piece” should be emphasized because cybersecurity shouldn’t rely on the hopes of one master solution. Instead, companies should use a multi-layered approach that encompasses various security protocols. Specifically, modern cybersecurity should involve three layers.
The first is the user's common sense. Malware gets on a phone in 99 percent of cases through explicit user permission. Government employees need to be trained and to adhere to enterprise policies. Of course, this “common sense” approach only goes so far. Restricting app permissions or constantly changing passwords doesn't do much if the mobile device is already compromised.
Enter the second layer, mobile device management, where most of the heavy lifting of malware fighting happens. This layer covers app-level policies, permissions, data analytics, traffic monitoring, behavioral patterning and heuristics, and many more.
The third layer is hardware protection, the ultimate battlefield for high-value targets. Existing solutions include hardened phones, TrustZone enclaves, HW root of trust, secure storage, firmware encryption, and others. Hardware protection provides the strongest security of all options available, securing everything from government employee devices to microfinance in developing nations.
Combining all three layers of security doesn’t have to be intimidating or expensive. Some U.S.-developed hardware technology provides better levels of security than all existing solutions without compromising on cost, user experience or technological advancements. Foreign-based cybersecurity threats are becoming more frequent and more invasive. We should be using all the tools at our disposal—user knowledge, mobile management, and hardware—to protect ourselves.
Uri Kreisman is the chief operating officer at Bluechip Systems.