We need more federal guidance on mobile IT security

COVID has certainly accelerated -- if not mandated -- the adoption of teleworking alternatives and revisions to bring-your-own-device (BYOD) policies. The global pandemic forced many government officials to work from their own residences, using privately owned and configured computers, internet routers, smartphones, video cameras, messaging applications, teleconferencing platforms, encryption programs, etc. In no uncertain terms, federal chief information security officers (CISOs) lost control over the security perimeter of their organizations almost overnight. 

Not only are many more proprietary and/or sensitive communications now being transmitted over public telecommunications lines, but a vastly greater proportion of government work must now be conducted using the employees’ own personal hardware and software. From a strategic perspective, the threat surface has been dramatically increased while the administrative and/or legal authority of the agency’s most capable cyber defender to enact obligatory measures has been reduced. Consequently, federal departments urgently need to revisit their BYOD policies while expanding their remote and mobile network applications. 

My strong recommendation is for the nation’s security-forward agencies to provide the rest of the federal government with more guidance on mobile technology security, to include best practices and even preferred technology solutions. In its Oct. 6, 2020, public service announcement about teleworking, for example, the FBI addressed the risk of lax hotel Wi-Fi security but did not discuss mobile security writ large. With so many remote employees now using their personal smartphones to join Zoom, Webex or Teams meetings, it is imperative they are warned of the broader risks to mobile devices in general. In its Telework Guidance and Resources, even the Cybersecurity and Infrastructure Security Agency did not adequately prioritize threats to mobile device users (e.g. smishing or phishing attacks). This recommendation is not meant to devalue the great contributions of the FBI, CISA, the U.S. Computer Emergency Readiness Team, the National Institute of Standards and Technology, the National Security Agency or others thus far, but rather to encourage the dissemination of much more public guidance. 

There is no legislation that mandates the installation of specific measures for mobile threat detection or mobile application security per se. I offer that it is now time to implement certain baseline security requirements for every government-issued or privately owned mobile device that is used for federal government business. Just as we now consider wearing a mask or getting a COVID vaccine responsible societal behavior, we should all be limiting our own smartphone’s ability to propagate computer malware or compromise the confidentiality and/or integrity of the data it stores and processes.

That is now arguably good cyber hygiene for all responsible citizens, and government entities at the federal, state and local levels should offer them the ability to opt into public safety utilities. I applaud NYC Cyber Command for making its NYC Secure app freely available to all users. That move helps to overcome the false distinction between private and work devices. Those of us who have served in law enforcement or intelligence roles know all too well that the compromise of a private smartphone can yield a substantial amount of personal information that can then be utilized to compromise the same person’s work devices. In short, hacking BYOD can also indirectly threaten government-furnished equipment.

Effective systemwide security requires mobile threat detection and privacy measures to be active on as many devices as possible. That is how to best protect our new “digital sidewalks,” as the CIO of the San Jose, Calif., calls this digital environment. Mobile threat detection applications must become a staple of the cybersecurity landscape akin to putting antivirus software on laptop computers. Broad adoption of such protocols would enable a new organizational approach of BYOAD for “approved” devices that meet certain security requirements.

Other commentators have previously argued for the imposition of stricter cybersecurity measures to protect the shared ecosystem. To date, I had resisted that temptation because I felt that sensitive government work could be adequately insulated from unregulated devices. COVID has proven that assumption wrong. Please join me in striving for much higher resilience in the mobile technology that powers our socially distanced economy and government.