GAO: Step Up Mobile-Device Security
A Call to FCC, DHS, NIST to Strengthen Mobility Safeguards
Congressional auditors say the Federal Communications Commission, Department of Homeland Security and the National Institute of Standards and Technology need to step up their efforts to encourage better implementation of controls for mobile devices (see list of controls at end of article).
The Government Accountability Office, the investigative arm of Congress, in a report issued Sept. 18, recommends that the FCC encourage the private sector to implement a broad, industry-defined baseline of mobile security safeguards and asks DHS and NIST to take steps to better measure progress in raising national cybersecurity awareness.
Officials at the FCC, DHS and Department of Commerce, which oversees NIST, generally concurred with GAO's recommendations.
According to the GAO report, threats to the security of mobile devices and the information they store and process have been significantly increasing. For instance, GAO says, the number of variants of malicious software, known as malware, aimed at mobile devices has reportedly risen to 40,000 from 14,000 in less than a year.
The auditors write that cybercriminals may use a variety of attack methods, including intercepting data as they are transmitted to and from mobile devices and inserting malicious code into software applications to gain access to users' sensitive information. These threats and attacks are facilitated by vulnerabilities in the design and configuration of mobile devices, as well as the ways consumers use them. Common vulnerabilities include a failure to enable password protection and operating systems that are not kept up to date with the latest security patches.
GAO says mobile device manufacturers and wireless carriers can implement technical features, such as enabling passwords and encryption, to limit or prevent attacks. In addition, the report says, consumers can adopt key practices, such as setting passwords and limiting the use of public wireless connections for sensitive transactions, which can significantly mitigate the risk that their devices will be compromised.
"Federal agencies and private companies have promoted secure technologies and practices through standards and public-private partnerships," GAO Information Security Issues Director Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati write in the 49-page report. "Despite these efforts, safeguards have not been consistently implemented."
The authors write that the FCC has not yet taken steps to encourage device manufacturers and wireless carriers to implement a more complete industry baseline of mobile security safeguards, although the commission has facilitated public-private coordination to address specific challenges, such as cell-phone theft.
"Many consumers still do not know how to protect themselves from mobile security vulnerabilities, raising questions about the effectiveness of public awareness efforts," the GAO officials write.
The GAO officials contend DHS and NIST have not yet developed performance measures or a baseline understanding of the current state of national cybersecurity awareness that would help them determine whether public awareness efforts are achieving stated goals and objectives.