Wars and conflict have always advanced the state of spying technology. In the past, it was airplanes, radar, and the bombe, Alan Turing’s code breaking machine known as the “original computer.” Today, microphones, cameras and apps on our phones have made mobile devices the latest new weapon for cyber war.
With enterprise app development exploding, people are using mobile devices to consume, create, and share just as much sensitive data, if not more, than they do on their laptops or desktops. Mobile apps represent more than half of internet use today.
Because of the combination of features only available on mobile — connected via Wi-Fi or cellular networks with voice, camera, email, location, passwords, contact lists, and more — these devices have become an attractive target for cyber criminals and nation-states looking to spy on government agencies, infrastructure providers, companies, and individuals.
Given the reliance on mobile apps for everything from buying products to corresponding with friends to getting work done on the go, if an enemy or criminal gains access to someone’s cellphone, they gain access to all aspects of that person’s life — both work and personal.
Malicious actors have figured this out. We know of at least one organization that is entirely focused on helping nation-states spy on individuals through their mobile devices. In August, Lookout, together with its research partner Citizen Lab,revealed that Israel-based NSO Group sells software that remotely and silently spies on people through their iPhones. This spyware, called Pegasus, may also be targeting other mobile platforms, such as Android devices.
What’s particularly alarming about Pegasus is that infection is incredibly simple: Just clicking a link can infect an iPhone with the spyware and lead to total data compromise, including the theft of every email, text and password typed on the device and any verbal conversation uttered in its vicinity post-infection.
In minutes, and without any indication, your own phone can become someone else’s spy.
It’s not hard to imagine a nation-state or criminal syndicate attacking Americans’ smartphones to acquire intelligence on a person’s whereabouts or connections and using that information to manipulate U.S. politics, embarrass American organizations or plan an attack on our critical infrastructure.
Both the public and private sector need to be prepared for the next front, the mobile device. Unfortunately, that appears not to be the case. We are deeply concerned the Office of the Federal Chief Information Officer does not consider mobile security as one of the top ten threats facing our nation.
In a study of 20 federal agencies, Lookout found that 110 in 1,000 mobile devices encounter threats. When you consider that this includes spyware like Pegasus and other threats that exfiltrate sensitive data and compromise the integrity and built-in security of the device, any infected device introduces unacceptable risk to an enterprise or government agency. And yet, very few companies or government agencies treat mobile devices as part of the critical infrastructure that needs to be secured.
Testifying before a recent hearing of the House Oversight and Government Reform Committee, one agency’s chief information officer said that the mobile security of employees’ personal devices — even when they were connected to the agency’s systems — is “not my responsibility.” And as the recent report from the President’s Commission on Enhancing National Cybersecurity states, “Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms.”
This must change.
The next administration should issue an Executive Order that directs the Office of Management and Budget, in conjunction with Department and Agency leadership teams, to prepare a plan for securing all IT assets, including all smartphones, tablets, connected devices, and printers. The plan should include specific, actionable steps every agency must take to implement the plan immediately. Agency heads must be held accountable for the implementation and progress toward securing these systems.
Congress must also do more to address the issues of mobile security. It’s imperative to hold congressional hearings on these critical security concerns and determine how to protect American citizens and organizations from being victims of mobile attacks. Private enterprises, particularly those that are already top targets of cyber-attacks, must take this threat seriously and prioritize the security of their mobile devices.
Mobile is the new frontier for cyber war. It’s time to update our defenses with the right kind of armor.