Mobile Security: Changing the Very Nature of Cyber Risk
The most impactful new cyber threat comes from smartphones and tablets, which communicate over the air rather than over a wired network.
Smart devices provide easy access to critical systems and infrastructure. They have changed the very nature of cyberspace and swelled the size and complexity of the threat space. Privacy awareness has increased, new security technologies are being introduced and government regulations are trying to address the issue, but none of them can keep up. We must understand and manage this new dimension of cyber risk.
Mobile devices are more than portable desktop computers. They not only open an intrusion path over easily reachable wireless links, but they carry several radios (cellular, Wi-Fi, Bluetooth, NFC, GPS) and many sensors, along with pre-loaded apps that continuously collect user information: texts, contact lists, GPS locations, transmissions and more. These devices keep communicating with each other and with nearby devices and radios even when the screen is off and they appear idle.
Some apps collect information about their users' activities, sometimes for nefarious purposes and often to resell to advertisers. This creates both open access and covert channels, greatly expanding the threat space. Users are effectively forced to grant access permissions when they buy devices, often without realizing the scope or the consequences of the rights they give up.
Social media platforms and apps exacerbate the problem by increasing the traffic of users' private information and activity details, including who they have spoken with, where they are, where they shop, and even their conversations. The data broker industry uses this as its data gathering platform, packaging the information and reselling it to others. In 2013, a Senate report found that this $150 billion industry "operates behind a veil of secrecy," selling financial, health, personal and behavioral data to other organizations, often packaged to single out vulnerable people. Indeed, app developers often make more from the data gathering they facilitate than from the nominal purchase price of their app.
Vulnerable users inadvertently give away private information that they would withhold if given a real choice. For example, while children play games, walk around and interact with others, their smartphones are often tracking them and mining their data, potentially in violation of COPPA (the Children's Online Privacy Protection Act) and, for carriers, the FCC's CPNI rules. Even where data brokers and social media platform and app suppliers have legal and sensible motives, they have opened new channels that terrorists can exploit. These unintended consequences threaten business, national security and citizen privacy interests.
Critical infrastructure industries and government organizations face new risks as well: field technicians using tablets to work on the power grid, traveling executives tethered to corporate insider information, and law enforcement and national security agents exposed to adversaries. In each case mobile device access provides covert channels for nefarious activity. Mobile banking not only exposes customers to privacy breaches but may also enable manipulation of securities transactions. A grid shutdown similar to the 2003 Northeast blackout could be triggered from a tablet in the field. Border patrol agents could be tracked, endangering their mission or their lives.
What must be done? Since the scope of mobile cyber risk is overwhelming, we need a cyber risk triage approach: focus protective resources on high-impact threats. This starts with identifying high-impact breaches and exploitations and quantifying their consequences. The content, behavior and location of information items with severe public and national consequences can then be protected passively, without using tools that are themselves intrusive and exploitable.
Emerging methods and technologies provide information about vulnerabilities, unauthorized downloads and breach consequences. Common carriers and financial institutions are working out how FCC, FTC, DHS and SEC regulations apply to mobile security. DHS has tools such as the NIST Cybersecurity Framework and the SAFETY Act, which designates qualified anti-terrorism technologies; broader cyber security legislation is still bouncing around Congress. There may soon be more. Only time will tell.