Agencies struggle to grasp mobile cybersecurity
Thursday - 6/21/2012, 10:37am EDT
Ron Ross, a senior security specialist at the National Institute of Standards and Technology, said tablets and smartphones really are powerful computers and agencies should apply a risk-based security approach to them like any other system.
"That's a challenge. Today we are not doing it to the fullest extent. You have to ask the basic question, and this is where NIST is doing some work with the Homeland Security Department in exploring some of these new technologies, what kind of controls can an Android operating system or Apple operating system support?" Ross said Wednesday during a panel discussion on the Digital Government Strategy sponsored by AFCEA-Bethesda, Md. "What kinds of basic things that we would expect from any device or system, identity management, identification, authentication, access control and encryption, all of those core fundamental things that we do in cyber, how are those applied in these new technologies? We have to do more work in understanding the technologies and how those fundamentals are applied."
Similar to PCs, smartphones and tablets provide a direct path for attack against agency networks, and that is why the security and risk management basics remain the same.
Two documents to improve security
NIST and DHS are working on two documents to help ease agencies' security concerns.
Ross said the new security control guidance would address mobile threats.
Ron Ross, senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST)
Ross and others said the decision-making process based on acceptable risk is just another example of how mobile devices are similar to traditional computers.
But agencies are not consistently applying this approach. For instance, the Office of Management and Budget and DHS required employees to log on to their agency's network using secure identity cards under Homeland Security Presidential Directive-12 starting in fiscal 2012. But there is no mention in the Digital Government Strategy of how HSPD-12 fits in with smartphones or tablet computers.
Ross said it all comes back to risk tolerance. If an agency deploys a device and decides not to require employees to use their HSPD-12 card to log on, then that's a risk they can live with. But agencies must understand all the risks to a system and how to mitigate them, and then explain it to the agency's business leaders in a way they can understand.
NIST also is updating the HSPD-12 guidance, FIPS 201, to address mobile computing.
Mobile security reference architecture
DHS is developing a second document to help agencies protect mobile devices.
Sean Donelan, the program manager for the National Cybersecurity Division at DHS, said the agency is leading an interagency effort to create a mobile security reference architecture. It's one of several reference architectures the government is creating to help implement mobile and shared services.
"Rather than every single agency having to go out and develop their own way of doing things, we get 30-40 agencies together and they develop a reference architecture, which is a halfway architecture that is about 60 percent done," Donelan said. "Each agency will go on and customize it to their own needs, but it gets the common things out there."
Donelan said DHS will release the draft mobile security reference architecture this summer for public comment.
The document also will help move agencies away from securing the device and more toward securing the data.
"Protecting information is even harder than protecting systems. We don't really understand what the issues are," he said. "Encryption is given as one of those things that will solve the problem. But encryption is really hard to do right as we've seen over and over again. The concept of mobile, desktop, laptop or mainframe will go away and it's going to be more about mission and information. We are not there yet. It's going to be a culture evolution."