White House Chief of Staff John Kelly had a problem with his smartphone in the summer of 2017. It hadn’t been working or updating software properly for months, so he turned the device in to White House tech support.
The support team learned, however, that Kelly’s phone was compromised – as early as December 2016 – with the suspected breach possibly launched by hackers or even operatives from a foreign government seeking access to Kelly’s data while he served at his prior post as the Secretary of Homeland Security.
As mobile devices become ubiquitous in government today, the incident illustrates how security vulnerabilities leave these devices – and, in turn, federal agencies – exposed.
In terms of adoption, there certainly appears to be no turning back, as enterprise mobility – which empowers people to do their jobs from anywhere using a variety of devices and applications – is driving digital transformation in government. Whether deployed by a FEMA response team assessing a disaster scene, an Education Department supervisor writing a report from home or military/Intelligence Community operatives pursuing missions, agencies now depend upon mobile technology to perform duties and achieve objectives. To cite two real-life examples: The Navy’s Sea Warrior Program (PMW 240) offers 70+ apps in its Navy App Locker, with thousands of downloads a month. The Navy has successfully created a framework that accelerates acquisition, development and deployment of mobile solutions across the Navy. VA Mobile from the U.S. Department of Veterans Affairs allows military veterans to access their electronic health records (EHRs), schedule appointments and connect with care providers from their devices from the comfort of their homes.
In fact, 86 percent of federal decision-makers believe mobile devices play a critical role in their jobs and nearly all use these devices to check email during the workday, according to research from Market Connections. By 2021, the U.S. government will spend $20.7 billion on these solutions, up from $14.1 billion two years ago, according to a forecast from IDC Government Insights. In addition, Bring Your Own Device (BYOD) is further expanding mobile adoption, as one-half of federal employees rely upon personal smartphones to do their jobs and three-quarters use personal tablets for work purposes, according to research from FedScoop.
Yet, beyond the practical uses and bigger picture benefits, few agencies truly understand the inherent and growing risks that these devices bring.
Mobility now spans government IT, from end users accessing applications in on-premise data centers to software as a service in public clouds. In the process, attack vectors are proliferating as more and more endpoints access the network, and agencies often struggle to defend people, devices and data, whether on-premise or in the cloud. According to the FedScoop research, three of five federal IT/security officials are concerned about the protection of government-issued devices – as well as the potential for mobile usage to trigger a network attack. When asked to name their top mobile security priorities for the next 12 to 18 months, 64 percent of these professionals said they are primarily focused on preventing breaches caused by endpoint connectivity, and 46 percent cited the need to identify mobile security incidents, and recover from them, more quickly.
However, despite their employees’ widespread use of personal devices for work, less than three of ten agencies support secure mobile access for functions such as email, collaboration/chat, document management, business systems and agency-specific mission systems.
The lack of protection could create major privacy issues, as devices “represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions, (systems that) hold tremendous amounts of personally identifiable information (PII) that could potentially be used to compromise citizen financial wellbeing, privacy, or identity,” according to last year’s “Study on Mobile Device Security” from the Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST).
In response, as part of its Mobile Device Security for Enterprises (MDSE) project, NIST is developing repeatable reference architectures to build in security for mobility programs. The project includes guidance about protecting device configurations, the cloud and enterprise systems.
Such guidance proves essential in the modern era, because enterprise mobility has disrupted the entire concept of cyber defense: Agencies that once relied on perimeter-based security and IT-provisioned, IT-controlled standardized devices with a handful of on-premise applications now need to support a largely user-centric and (because of BYOD) user-determined environment defined by heterogeneous endpoints and thousands of applications in public clouds.
To secure all of this, agencies must implement a strategy that incorporates a holistic view of the enterprise. To find out how, please look for Part II of this blog in this space in the near future.