Are Government Agencies Susceptible To Mobile Threats?

Mobile devices providing anywhere-anytime access have been extremely beneficial for government agencies that function best through agile and responsible work. Though mobiles have helped expand agency capabilities, this technology also brings security risks—especially in light of 5G’s imminent arrival.

Higher speeds and increased connectivity are clearly advantageous in such busy, saturated environments, but a huge downside of 5G is the fact it will lead to larger attack surfaces—the sum of potential points of unauthorized entry to a network.

With 5G already enhancing wireless communication even further, its cybersecurity risks could also become more pronounced. With this in mind, now is the time for government agencies to examine the mobile threats they currently face, how they may change in the future, and how best to protect themselves.

The threats plaguing government agencies

Mobile phishing

Hackers often succeed in gaining unauthorized access to networks by using phishing to trick users into sharing confidential information. These kinds of tactics have proven to be a significant threat to government agencies, with the Director of the U.S. National Counterintelligence and Security Center announcing that phishing attacks were responsible for almost 90% of the successful federal data breaches over the past eight or nine years.

Unfortunately, the risk of falling victim to these attacks is even greater when employees are using mobile devices for work purposes. Gartner’s Market Guide for Mobile Threat Defense notes that as the screens of mobile devices are much smaller than other devices, certain details may be omitted for the sake of user experience. This makes it harder for employees to spot suspicious signs in their browsers and emails, making phishing attacks more likely to succeed when conducted through mobile devices.

With 5G data speeds enabling employees to work more effectively outside of the office, we can expect to see an increase in the number of agencies with roaming policies and mobile teams. IT departments at agencies should be aware that the increased number of 5G devices is likely to be a target for bad actors, and we can expect an increase in the number of mobile phishing threats.

Vulnerable VPNs

In February, Senators Ron Wyden and Marco Rubio wrote a letter to the Director of the Cybersecurity and Infrastructure Security Agency (CISA) outlining their concerns about mobile data-saving and VPN apps like Dolphin and Yandex made in Russia and China. As these direct all user traffic through their own servers, the senators argued that when government agencies use these apps, it increases the chances that their data could be surveilled by the Russian and Chinese governments. Furthermore, CISA recently warned users to urgently update a VPN with critical vulnerabilities as it could “become compromised in an attack” without the required software patch. Even though VPNs should protect government agency data by creating a private network, this won’t be the case if the mobile VPN itself has security flaws.

For remote workers to be productive, they need access to their agencies’ cloud systems. Enabled by 5G, the number of employees utilizing the cloud from outside the office is expected to increase. Agencies should consider how their staff are connecting to these resources and evaluate whether their current methods meet security standards.

Risky apps

As a Department of Homeland Security report on the threats of the Government’s use of mobile devices highlighted, apps can pose significant security threats: “Vulnerabilities present risk when they are exploited—either intentionally or unintentionally—and result in some compromise to a user’s data.” Unsecure communications between an app and a remote server could allow cybercriminals to “eavesdrop”, or even conduct man-in-the-middle attacks, to alter data.

App permissions can also put mobile devices at risk if users allow apps to access personal data such as contacts, photos and message history. Attackers can take advantage of these permissions to extract confidential government information from government agency mobile devices. Furthermore, apps can be infected with malware if there are gaps or vulnerabilities in their code, while malware can even be repurposed as a legitimate-looking app to increase the chances of it being downloaded. For example, in July, a fake WhatsApp program was uploaded to the Play Store and downloaded over 1 million times.

As bad actors utilize more and more sophisticated techniques, IT leaders should consider how to secure mobile devices to ensure government information is not exposed.

How can agencies protect themselves?

Adaptive access control

Adaptive access control assesses contextual factors surrounding the access request, following an authorization policy considering operational need and risk. For example, the system would analyze factors like whether the OS is up to date, whether the user is attempting to gain access from an appropriate location, and whether there is malware or a risky app installed on their device. To summarise, access privileges are granted depending on user identity, their need, and how great a potential security threat they pose depending on real-time risk factors. With context determining user access, there are fewer opportunities for privileged credentials to be abused.

Role-based access control

Government agencies can reduce their attack surface by implementing role-based access control (RBAC). This means that each individual can only access certain resources depending on their role, rather than allowing them free rein across the network. As such, RBAC abides by the principle of least privilege access as users can only access what they need to do their job—something which can be hard to enforce through a VPN connection alone. In consequence, agencies can limit the number of materials that could be rendered vulnerable by their employees, and thereby reduce the opportunities for cyberattacks.
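
To make the two controls above concrete, here is an added example (not code from the original article or from any product it describes) that first applies a role-based check and then the contextual checks named under adaptive access control: OS patch level, location, malware and risky apps. The roles, resource names, minimum OS version, allowed country list and the "step-up" outcome are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical RBAC map: each role may reach only the resources it needs.
ROLE_RESOURCES = {
    "caseworker": {"case-files", "email"},
    "hr-officer": {"personnel-records", "email"},
    "it-admin": {"mdm-console", "email"},
}
SENSITIVE = {"case-files", "personnel-records", "mdm-console"}  # assumed tiering
MIN_OS = (17, 4)             # constructed minimum patched OS version
ALLOWED_COUNTRIES = {"US"}   # constructed "appropriate location" policy

@dataclass(frozen=True)
class DeviceContext:
    os_version: tuple        # e.g. (17, 5)
    country: str             # ISO country code of the request origin
    malware_detected: bool
    risky_apps: tuple = ()   # names of flagged apps found on the device

def risk_signals(ctx):
    """Translate real-time device context into named risk signals."""
    signals = []
    if ctx.os_version < MIN_OS:
        signals.append("os-outdated")
    if ctx.country not in ALLOWED_COUNTRIES:
        signals.append("unexpected-location")
    if ctx.malware_detected:
        signals.append("malware")
    if ctx.risky_apps:
        signals.append("risky-app")
    return signals

def decide(role, resource, ctx):
    """Return (decision, reasons); decision is 'allow', 'step-up' or 'deny'."""
    # RBAC first: no amount of device health grants access outside the role.
    if resource not in ROLE_RESOURCES.get(role, set()):
        return "deny", ["role-not-entitled"]
    signals = risk_signals(ctx)
    # Adaptive layer: malware always blocks; other signals block sensitive data
    # and force extra verification (an assumed policy) for everything else.
    if "malware" in signals or (signals and resource in SENSITIVE):
        return "deny", signals
    if signals:
        return "step-up", signals
    return "allow", []
```

The ordering matters: the role check runs before any context is evaluated, so a healthy device never widens what a role is entitled to, and a valid role never overrides a compromised device.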

Implement a mobile security product

Though security training is important, it only provides a baseline at the end of the day. The sophistication and evolution of security attacks mean it’s a full-time job keeping on top of the latest threats.

As training merely provides a very thin first line of defense, it cannot be relied upon alone, especially with the potential for more attacks following the launch of 5G. An October 2019 EU risk assessment report highlighted a number of increased 5G security threats, including the possibility of more attack paths that could be exploited “by threat actors, in particular non-EU state or state-backed actors”. This is presumably in reference to China’s Huawei 5G, which is already being embraced by countries including France, Germany and Brazil in spite of US attempts to ban it. The EU report also predicted that network equipment and functions will become more sensitive due to the new features of the 5G network architecture, and noted that its implementation is set to be a major security concern considering the crucial role it’s expected to have in many critical IT processes.

BYOD

These issues show why every organization needs a security solution that is capable of handling the challenges associated with a mobile world. Without network and endpoint diagnostics giving security teams visibility over device behaviour, there will inevitably be security gaps, particularly in less-managed environments, such as those implementing bring your own device (BYOD) policies.