The Department of Homeland Security lacks the authority it needs over mobile telephone networks to properly do its job of securing federal IT systems against hackers, according to a new report from DHS’ Science and Technology Directorate.
The authors also recommend overhauling the standard reporting and information sharing formats for vulnerabilities and threats — like the National Vulnerability Database and the Common Vulnerability Enumeration — so they can include threats to mobile IT as well.
The report suggests that future IT security is endangered because the U.S. government, which for many years didn’t own any mobile networks, lacked a voice in global discussions about standards for cellular communications dominated by legacy state-owned national telecom companies from adversarial nations.
Finally, the authors say, DHS needs to include mobile device security in its governmentwide Continuous Diagnostics and Monitoring program — which provides cybersecurity tools for U.S. agencies — and in the metrics it uses to measure departmental IT security under FISMA, the Federal Information Security Modernization Act.
The study was led by DHS’ Vincent Sritapan, who told CyberScoop it was designed as high-level overview of mobile threats and the various defenses against them; a collection of best practices; and a series of recommendations for next steps.
Consumer smartphones are basically powerful computers equipped with enormously sensitive cameras and microphones, plus multiple different ways to connect themselves — a potential security nightmare for federal IT managers.
The report authors quickly turned their attention to vulnerabilities in mobile networks themselves, like the notorious attack on the SS7 protocol, as a big variable federal managers couldn’t control; since, like everyone else, their communications are carried by the cellular providers’ own infrastructure.
“If the underlying infrastructure has vulnerabilities, that impacts the federal government. We use the same network carriers as the public citizenry and vice versa,” Sritapan said.
“There are gaps in DHS legal authorities to test, verify, or assess and mitigate risks relating to the security of mobile devices” on federal networks, especially in real time, the study point out.
There are various measures network carriers can take to mitigate vulnerabilities in SS7 and other security holes, but the report notes, “it is difficult to obtain objective evidence of carrier compliance with best practices, because of the lack of legal authority.”
“I can’t say one way or the other whether we need legal authorities. I can identify where we have gaps,” Sritapan told CyberScoop. “DHS cannot require telcos to secure their networks, nor can we check on their networks, either.”
And the federal government is also not a big enough customer to leverage buying power to improve security in the massive consumer mobile device marketspace, he said. “We’re too small to drive the market.”
The report notes in a footnote that FCC “may have authorities over some of these [mobile network] issues.”
“We are looking at some of that now,” said Sritapan when asked whether FCC might be able to get the information needed from the carriers. “FCC has reviewed this report,” he said.
Sritapan said national standardized formats for vulnerability and threat notification needed to be updated, to take better account of mobile security.
“[Automated Indicator Sharing] and all that [information sharing] stuff is geared towards traditional indicators, network based [or] host based [threats],” he said. “When it comes to mobile … Where is it?”
The report states that numerous industry executives approached the study’s authors with concerns about the lack of U.S. government representation on global telecom standards-setting bodies like GSMA and 3GPP.
Until the establishment of FirstNet — an agency within the Commerce Department chartered by Congress in 2012 to build and operate a nationwide broadband network for state and local police and emergency services — the U.S. government didn’t own any mobile networks and so didn’t qualify for membership.
As a result, the report points out, DHS has been unable to review proposed standards GSMA is developing for SS7 filtering and monitoring.
But, DHS officials say, in many other countries, including not just U.S. adversaries like Russia and China, but competitors like Brazil or India, the government still effectively controls the legacy state-owned telephone monopolies — and can manipulate the membership system to control more votes.
The executives “feel that this puts the U.S. information and communications technology sector at a competitive disadvantage globally,” the report states.
You can read the full report below.