Mobile Cybersecurity: A New Oxymoron?

Wireless Wonk

By Barlow Keener, Attorney  |  January 26, 2015

Mobile is the new cybersecurity focus. CIOs are delivering iPads and tablets to all employees. Bring-your-own-device (BYOD) smartphones and tablets are used for both company and personal use. No longer are managers carrying around two devices like a company BlackBerry and a personal iPhone. Because mobile BYODs are connecting to the corporate network, where all the corporate jewels are stored, the way in for cyber theft is now the mobile device.

Cybersecurity is a very big deal. Home Depot reported $34 million lost through a cyber-breach, not to mention damage done to its consumers. JP Morgan reported a breach that “compromised” information for 76 million households and will spend $250 million on cybersecurity in 2014. USIS, which performs background checks for government employees including the U.S. Post Office, may have compromised personal information of 800,000 USPS employees through a breach, according to The Wall Street Journal.

In October 2014, Kmart was reportedly breached. In November 2014, Beth Israel Deaconess Medical Center was fined $100,000 for the disclosure of 3,767 records when a laptop was stolen. The FBI is upset at Apple and Google for new tight encryption schemes on smartphones, locking out law enforcement. However, smartphone users are looking for encryption protection.

In 2014, 31 percent of mobile users reported fake links and phishing scams, according to the Norton Cybercrime Report. Mobile malware experienced a 614 percent increase, according to the Mobile Threat Report. Cybersecurity attacks happen silently. The average breach takes place 229 days before detection. Spending is huge. Gartner projects that global cybersecurity spending will be $83.2 billion by 2016.

Mobile carriers face government-imposed liability. The SEC is currently considering rules to require disclosure of breaches. Companies are fighting back, with the U.S. Chamber of Commerce opposing the SEC regulations and arguing that disclosures will only help attackers. If mobile carrier information is hacked, the carriers will face tremendous FCC fines. On Oct. 24, 2014, the FCC held that two small wireless and wireline carriers were subject to $9 billion in fines, but then lowered the fine to $10 million. The carriers, the FCC found, allowed open access to 300,000 customer records. They allegedly used “unprotected” servers that “anyone in the world could access with a search engine and basic manipulation.”

FCC Commissioner Ajit Pai strongly dissented from the FCC’s imposing a fine based on violations of law that were not expressly included in the FCC rules, commenting “there is no pre-existing legal obligation to protect personally identifiable information … or notify customers…. The Commission has never adopted rules regarding the misappropriation, breach, or unlawful disclosure of information.” Pai pointed out that the fine was “by far the biggest in our history. It strains credulity to think that Congress intended such massive potential liability for ‘telecommunications carriers’ but not retailers or banks or insurance companies or tech companies or cable operators or any of the myriad other businesses that possess consumers.”

Mobile opens the door for cyberattackers. The FCC will have opportunities for future fines. Small cells give cyber hackers the ability to create phantom carriers that smartphones will connect to as legitimate providers. A hacker’s small cell next to an office building can sniff nearby phones. Mobile applications are supposed to be walled off in smartphones to prevent data theft. However, users rapidly grant all permissions, thus opening the door for app malware. CIOs can require that BYODs use a controlled OS – where techs can approve applications and wipe the phone when stolen.

"It is only a matter of the when, not if, that we are going to see something traumatic," warned Admiral Michael Rogers, U.S. Cyber Command head. This means it is inevitable that one or more of the big four mobile carriers will soon be reporting a cyberattack. The FCC’s controversial fine equaled $33 per customer record. Such an FCC fine on 125 million records would equal $4.125 billion. Carriers are doing all they can to prevent cyber theft, but even the government itself is unable to plug holes in the network fence.  

Like banks, government agencies, and utilities, mobile carriers are spending millions on cybersecurity. Device makers are accelerating efforts to encrypt devices as a mobile solution. Encryption is the key and going forward will likely include Bitcoin block-chain technology. Encrypted data, at the customer record level, could be protected even if taken by hackers.

Government fines will not help solve the mobile cybersecurity problem. Cyberattackers are, we have learned, for the most part outside U.S. jurisdiction and are often nation-state intelligence groups working for both commercial and military reasons. No matter how secure the networks become, human error will leave a back door open. We have just begun to fight cybersecurity and there is no easy solution, technical or regulatory, in sight.

Barlow Keener is the principal with Keener Law Group out of Boston.

Edited by Maurice Nagle