In April 2017, the Department of Homeland Security (DHS) in collaboration with the National Institute of Standards and Technology (NIST) issued a “Study on Mobile Device Security.” The research found that endpoint surface area is vulnerable to attacks that could open up a “backdoor” to accessing national security assets like drones and weapons systems. While that report defined mobile devices as smartphones and tablets, cyber attacks continue to put a spotlight on the need to define and protect a growing ecosystem of connected devices. The explosion of the Internet of Things (IoT) in particular is forcing continued dialog around what exactly constitutes an endpoint and how it can be breached.
Agency leaders need to take a long hard look at their cybersecurity security strategies in order to tackle immediate mobile device needs, but also ensure security frameworks and deployments are flexible, scalable and technically capable enough to address future challenges introduced by a new wave of endpoints. As aptly stated by Adam S. Hickey, deputy assistant attorney general for national asset protection in DOJ’s National Security Division (NSD), “As devices proliferate, and as we connect them increasingly to each other and the Internet, security needs to be at the front end. How do we do that? How do we encourage that? That’s the challenge for the government.”
What should we consider an endpoint, anyway?
According to TechTarget, “An endpoint device is an Internet-capable computer hardware device on a TCP/IP network.” Laptops, tablets and smartphones typically come to mind as the most common endpoints given our daily interaction with these devices. Just think, more people own mobile devices than toothbrushes or even toilets. For government agencies, the mobile device flood represents new productivity opportunities but also more endpoints to track and manage.
Add on top of this a new wrinkle. As we enter the IoT age, what we traditionally considered an endpoint is quickly evolving as more “things” become connected. DoD Policy Recommendations for The Internet of Things (IoT) sought to clarify the boundaries of this growing ecosystem outlining, “More recently and commonly, IoT ‘things’ are viewed as devices that have internet access along with sensor and/or actuation or control mechanisms.”
If DoD’s definition seems a bit broad and open-ended, it is. Just this past summer, NIST computer scientist Jeffrey Voas explained, “There is no universally accepted definition of IoT.” That means that tanks, fighter jets or other weapon and non-weapon devices equipped with sensors must be also considered potential endpoints. Drones and unmanned aerial vehicles (UAV), along with the data they collect and key functions they can execute (such as drop a payload), likewise introduce expansive threat surface area that must be secured.
The horse is already out of the barn
IoT adoption is not slowing down anytime soon. According to research firm Gartner, the worldwide forecast of connected things in use is predicted to reach 20.4 billion by 2020. Under the umbrella of IoT, wearables such as smartwatches, body-worn cameras and head-mounted displays are also gaining adoption. Gartner forecasts that more than half a billion wearable devices will be sold worldwide in 2021. GSA is already leveraging the benefits of IoT to support its smart buildings initiative and to increase the efficiency of its fleet through telematics tracking. DoD is similarly adopting IoT technologies to streamline military asset tracking and support network-centric warfare strategies in an increasingly connected battlefield.
As the endpoint footprint grows, so too does the threat opportunity — and we’re already seeing the fallout. According to DoD, “The number and relative simplicity of IoT devices greatly expands the attack surface exposed to the Internet.” In late 2016, this came true when the world was hit by one of the most massive Internet disruptions of its time. The cause of the malicious DDoS attack was orchestrated using the notorious Mirai botnet, which was largely made up of IoT devices. In January 2018, a variant of Mirai aimed at ARC-based devices raised its ugly head again in the form of Okiru.
Lawmakers such as U.S. Senator Cory Gardner feel that IoT devices could be used as “weapons of mass disruption.” As one example, Johns Hopkins University researchers last year demonstrated just how easy it is to hack and crash a hobby drone.
How do we lasso this challenge?
While the Senate’s Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is a step in the right direction toward establishing ground rules which heighten IoT security standards, there’s still work to be done. NIST is has been working to address IoT and other cybersecurity challenges as recently as this month through its latest draft updates to its Cybersecurity Framework.
Together with instituting smart policies and educating users, deploying a mobile endpoint security platform represents an essential building block in future-proofing any agency against today’s expanding ecosystem of endpoints threats. Luckily, a range of defense-grade hardware and software solutions are available on the market today to lock down a range of mobile devices. From encryption to malware protection, multi-factor authentication, biometrics, mission action verification, cryptographic digital credentials, containerization and more, federal decision makers must leverage the full toolset of solutions to safeguard mobile devices and critical government data. IT teams must think of mobile endpoint security as holistic home protection solution: If you don’t address security from the hardware level up, it’s like having an alarm system for the top two levels of your house but leaving your basement door open for anyone to break in.
We’re just at the beginning of solving the rapidly evolving mobile endpoint security problem. There must be continued industry discussion around protecting today’s mobile devices, defining emerging endpoints and developing updated cybersecurity strategies. I encourage commercial industry innovators, policymakers and agencies to work hand-in-hand to help shape policies and technologies that can secure our government’s most sensitive information.
Learn more about how Samsung is helping federal agencies secure and maximize the productivity and cost-savings benefits of mobile technology.