It’s exciting to see the Jan 11, 2012 launch of the National Dialogue on the Federal Mobility Strategy. The effort is a step towards formalizing efforts across the federal government to apply mobile technology in ways that drive tangible mission and economic value for the government.
A new issue of the CGI Initiative for Collaborative Government’s Leadership journal on “Securing the Mobile Frontier” addresses a critical challenge that a national Federal mobility strategy must overcome to succeed – securing the use of mobile devices.
Stay tuned to www.collaborativegov.org/lead for updates over the next couple of weeks with full articles featuring senior government and commercial security executives. To get a flavor of what these executives had to say about the intersection of cybersecurity and mobility, see the following excerpts from the soon-to-be-released journal:
Gen. Keith B. Alexander
Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service
“Both the private sector and the USG value secure mobile devices – devices that protect the corporate and personal data resident on the devices and on the enterprise networks they access.
As greater and greater capability moves to mobile devices (e.g., banking), security becomes more and more valued. We are working closely with the private sector to ensure that the lessons learned from the last two decades of PC security are applied to mobile devices.
We believe that the future of network defense is a much more dynamic problem than in the past. New technologies and devices will continue to appear in our environment. So we can never secure the defense one device at a time. We need to improve the whole ecosystem through standards, best practices and improvement to the supporting infrastructure.”
Teri Takai
Chief Information Officer, U.S. Department of Defense
The supply chain “is very big in terms of our thinking,” Takai said, because DOD can’t “legislate” companies to protect their supply chains.
She has three approaches to supply-chain management. The first is traditional: ensuring that threats don’t have an entrée through components in weapons systems. To address that, she’s looking to partner with technology companies worldwide.
“We have to partner with those private-sector companies,” she said. “We can’t, if you will, proceduralize them to protect their supply chain. We’ve got to work with them. That’s No. 1.”
Second, DOD is pilot testing processes, particularly in major defense acquisition programs, to see how officials can study the supply chain to understand what’s embedded in the software, hardware and weapons systems the department uses. For several years, DOD has partnered with the Department of Homeland Security on the Defense Industrial Base Cyber Pilot. The project allows DOD to share information on threat intelligence with defense contractors and commercial telecommunications providers. By doing so, DOD aims to protect its assets by protecting those of its private-sector partners.
“The third piece that we’re beginning to look at is that going forward, there will be a certain amount that we cannot detect,” Takai said. “So we’re working very hard on what we call resiliency. Understanding that there will be some level of breaches, how do we react to that, how do we ensure that that does not damage our ability to carry out our mission? I think that’s going to be a growing area going forward.”
Gregory Schaffer
Assistant Secretary, Office of Cyber Security and Communications, U.S. Department of Homeland Security
With the growth of mobile applications, most people are starting to see their work and private lives commingle.
“I have a 9-year-old and a 12-year-old, and they are pretty convinced that iPads and iPhones are gaming platforms,” Schaffer said. “People are no longer keeping separate those things that they do for business and those things they do for pleasure, and again that creates certain risks. I am pretty careful not to do that, but I don’t think everyone goes down that same road.”
Once users start putting both business and personal data on a single device, there is a range of security issues to consider. For instance, what if the device is left on the backseat of a taxi? What if there is a lawsuit and the device is part of a personal legal matter? “Now you have suddenly exposed the other side, whether it’s the personal side or business side, to some kind of legal process simply by having it all commingled on the same device,” Schaffer said.
The technological challenges of those devices, he added, are that “they are evolving so fast and the application space is evolving so fast that it is hard to keep up and secure things in the demand curve that has been created. So I think for IT and security professionals everywhere the pressure to stay ahead of that is enormous.”
So how do organizations keep their data safe as the use of mobile devices increases? The guidance in many cases is awareness, Schaffer said. “It’s making sure that people really understand what they are buying into when they connect certain things to this ecosystem,” he said. “Having people who really understand what these challenges are and how careful they need to be is one of the things we spend a lot of time doing. We do that through training, awareness programs and education programs.”
Lt. Gen. Susan Lawrence
U.S. Army Chief Information Officer/G6
The Army is testing a plan to allow users to connect their personal mobile device to the network using the CAC as a means of identification and authentication. Because the Army has embraced virtualized computing, the data is kept in the cloud, not on an individual device or a server under a desk, which improves security.
“You connect to the network, we authenticate it’s you, we scan your device so we can be sure there is no virus or malware on it, and then you have access to your authorized portion of the cloud,” Lawrence said. “At the end of the day, when you unplug, that data stays in the cloud. If you lose your Droid, we don’t care because our data is not there. It remains in the cloud. That will go a long way to securing our information.”
Dr. Peter Levin
Chief Technology Officer, U.S. Department of Veterans Affairs
Levin sees open-source development as an important way to anticipate and defend against the unexpected in the ever-evolving mobile frontier. “Open source has the added advantage that you’ve got a lot of people looking at it at the same time,” he said. “It really is a blunt-instrument argument: more eyes, more brains, more secure.”
Dr. Edward Amoroso
Chief Security Officer, AT&T
Amoroso believes the future of security lies in virtualization, which means moving identity management and threat detection to the cloud. In that scenario, Amoroso said, “I just tell the ISP, ‘Here’s my policy: I want you to filter the viruses from my e-mail, I want you to filter spam, and I’d like these services to be allowed and these services to not be allowed. I don’t want my employees on Facebook, for example.’ The Internet Service Provider can very easily do that for wired and wireless service.”
Virtual makes sense to the next generation of mobile users. They accept that systems are maintained virtually, he said, and they easily relinquish control.
“If I look back over decades, it becomes crystal clear that security in the mobile ecosystem has to become virtual.”
Christopher Painter
Coordinator for Cyber Issues, U.S. Department of State
Painter has traveled to Kenya twice in the past few months and has seen firsthand how mobile use is evolving in that part of Africa. For instance, Kenya has an innovative payment system that allows people to pay bills and make purchases by transferring money electronically via their cell phones. It’s akin to swiping a credit card, but it’s revolutionary for people who might never have had a bank account before.
“It’s not just large countries that get innovative and profit from this,” Painter said. “This is the wave of the future.”
Given the growth and penetration of mobile devices and mobile broadband, security is as important as it is in the desktop PC world, Painter said. “Those platforms are just as susceptible to compromise and attack. This is not a subject for governments alone but will require close collaboration with the private sector so, to the maximum extent possible, security can be baked in instead of added later.”
Gregory Garcia
Former Bank of America Partnership Executive for Cybersecurity and Identity Management, and the first Assistant Secretary for the Office of Cybersecurity and Communications, U.S. Department of Homeland Security
“What everyone should know is that the policy and business as they relate to cybersecurity go hand in hand,” Garcia said. “Because we are in the world of technology and the Internet and security, we’re all interconnected, and if we’re all interconnected, we’re all interdependent. And if we’re all interdependent, it means we’d better be working together and collaborating and sharing the kinds of cybersecurity information and best practices that we can deploy to protect ourselves collectively. Information that isn’t shared is useless.”
“There is a fundamental understanding that major financial institutions that manage financial transactions over a technology network have a responsibility to partner with, coordinate with, collaborate with the government, with other financial institutions, with other industry sectors to be sure that collectively we’re not missing anything, that we’re able to join forces and share with each other so we have a common operational picture about what’s happening — not just in day-to-day cyberattacks, incidents or probes but what’s happening over time,” he said.
Disclaimer: The postings on this site are the opinions of the individual author, and do not necessarily represent CGI's strategies, views, or opinions. CGI expressly disclaims all liability for actions taken or not taken based on the content of this blog.
















