Feds' Shift to Mobile Creates Security Cracks
Feb 5, 2014 5:00 AM PT
Federal employees quickly have become strong adherents of mobile devices. In a recent survey, 90 percent of government employees said they used at least one mobile device -- laptop, smartphone or tablet -- for work purposes.
However, the enthusiasm by federal workers for the use of mobile devices has not been matched by appropriate concerns for security, according to the survey, which was conducted by the Mobile Work Exchange.
Federal employees are "practicing potentially dangerous behaviors," survey results suggest.
Only 11 percent of federal respondents fully observed mobile security protocols, while 48 percent were "mindful" of security but still had some low-risk habits to correct. The failure of the remaining 41 percent to adequately meet security standards puts "both themselves and their agencies at risk," the exchange reported.
Among the concerns reflected in the survey: 31 percent of federal staff respondents used public WiFi for work tasks; 52 percent reported failing to use multifactor authentication or data encryption; and 25 percent did not use passwords on the mobile devices they used for work.
On other security measures, 15 percent of respondents said they had downloaded a non-work-related app onto the mobile device they used for work, while 10 percent admitted to opening an email or text from someone they did not know.
Only half of respondents said that their agency required employees to take regular security training related to mobile devices. Many staffers reported that their agencies did not provide them with even written information on mobile security.
Agencies Come Up Short
The Mobile Work Exchange survey also included the results from a sampling of 30 federal agencies in order to obtain an institutional perspective on mobile device security. Only 10 percent of the agencies reported a satisfactory security performance, while 57 percent were failing to secure agency data as a result of gaps in mobile usage.
In four specific categories, just about half of federal agencies took the following security steps:
- Required employees to register mobile devices with the IT department;
- Utilized a remote-wipe function on mobile devices;
- Tracked lost phones; and
- Utilized multifactor authentication or data encryption on mobile devices.
One bit of possible good news: It appears employees are pretty careful about keeping track of their mobile phones, based on the survey results, but even the small number of lost phones could be costly.
"The study shows that 6 percent of government employees who use a mobile device for work say they have lost or misplaced their phone," noted Larry Payne, Cisco vice president for the U.S. federal sector.
"In the average federal agency, that's more than 3,500 chances for a security breach," he added. Cisco sponsored the Mobile Work Exchange research.
The gaps in mobile security have occurred despite specific requirements for agencies to implement protection protocols and provide guidance for employees.
"While the mandates cover computer security awareness, it is taking some time for the mandates to catch up to the mobile security awareness that is needed," Cindy Auten, general manager of the Mobile Work Exchange, told the E-Commerce Times.
"With technology constantly evolving, it can be difficult for agencies to keep up with these complicated policies. In order to do so, agencies need to provide regular security training for their workforce, and establish a firm policy for mobile device use," she said.
"While it is the agency's responsibility to provide mobile device management and training, it is the responsibility of the end-user to follow these policies. Simple steps such as creating a complex password -- and changing it often -- or using a secure wireless connection are effective techniques for end-users to begin practicing," Auten recommended.
Technology Remedies Are Available
The responsibility for mobile security ultimately may fall on agency management and workers, but there are some technology remedies that can be brought into play.
"The most important first step is to have the network properly identify users and devices prior to granting them access to government resources. With a real-time list of connected assets, the operator can easily set policy, react to malware threats, and inboard new users prior to them accessing resources and data," Kevin Manwiller, manager of security mobility solutions for Cisco's federal unit, told the E-Commerce Times.
"In addition, the use of a mobile device manager on the endpoint can control applications, perform a remote wipe if the device is lost or stolen, and set requirements for malware detection," he said.
Agencies can use the Suite B cryptographic tool developed by the National Security Agency, Manwiller also noted. All connections to the network can go through an advanced malware tool to identify and stop known and unknown threats.
Cisco has a significant role in the mobile security arena, Manwiller observed.
"The network has more visibility than anything in identifying devices attempting to connect, limiting access based on security posture or policy, and redirecting traffic through malware cleansing tools," he said.
Cisco's solutions include an Identity Services Engine for controlled access and asset inventory, as well as antimalware tools with Sourcefire. In addition, Cisco and its partner Lancope have the ability to analyze network behavior using NetFlow tools to identify suspicious use and insider threats, he said.
The Federal Buzz: TechAmerica, Terremark Cloud
TechAmerica Expands Reach: TechAmerica, which manages a major public sector program on behalf of IT and other technology-oriented companies, will broaden its portfolio with increased attention to the healthcare and education sectors.
"We want to expand from our traditional focus on procurement and acquisition, to highlight the benefits of technology and on helping the government use technology more effectively," said Mike Hettinger, TechAmerica's newly appointed senior vice president for the public sector. At the federal level, the organization will be more cognizant of facilitating government integration of separate IT components such as the cloud, mobile devices and Big Data initiatives.
TechAmerica will still remain heavily involved in federal IT procurement issues, especially in dealing with acquisition reforms.
"We need to figure out some of the systemic problems in procurement and address them as a whole rather than looking at piecemeal parts of the process," Hettinger said.
Current legislative proposals have addressed some of the issues that trouble the IT sector, but these efforts still need work, he noted.
"Some of the initiatives towards a more centralized approach to acquisition through some new vehicle or through the General Services Administration are worth exploring," Hettinger told the E-Commerce Times, adding that he favored putting IT acquisition tools in the hands of the appropriate people at federal agencies.
As a result of the IT problems associated with the launch of the Healthcare.gov program, the Obama administration recently convened a meeting with industry representatives to discuss acquisition issues. Continuing such cooperative efforts would benefit the procurement process, Hettinger said.
While the Healthcare.gov debacle generated some harsh criticism of the federal IT acquisition process, Hettinger took a more conciliatory approach.
"I don't think the system is completely broken," he said, while acknowledging that significant improvements were in order.
One of TechAmerica's major goals, he said, would be educating members of Congress on the IT acquisition process in order to generate meaningful reforms.
Health Exchange Contract: The Department of Health and Human Services will spend an additional US$8.7 million on a contract with Terremark Federal Services, a unit of Verizon, for expanded cloud computing for health insurance exchanges created under the Affordable Care Act.
HHS did not anticipate the need for more cloud capacity in the original agreement with Terremark, it noted in a recent disclosure document, and it expanded the contract through an out-of-scope provision because there was not enough time to conduct a normal competitive procurement for the additional capacity.
The expansion was approved last November after HHS conducted a stress test of the system. The additional component brought the total value of the Terremark contract to $46 million.