The Problem with Mobile Device Cybersecurity Standards

Wireless Wonk

The Problem with Mobile Device Cybersecurity Standards

By Barlow Keener, Attorney  |  January 14, 2016

As we all know, cybersecurity is being taken seriously by the U.S. government. Cyberhackers are costly and are retrieving the royal jewels. 

Often the hacks are not discovered for months. In 2014, hackers spent an average of 205 days, almost 7 months, before being discovered, according to FireEye (News - Alert). Kaspersky Lab reported detecting 7,010 mobile banking Trojans in the third quarter of 2014. When hackers breached federal government servers in 2015, they accessed 21.5 million federal employee records and also took 5.6 million fingerprint records. Fingerprints are currently used as security protection for many mobile devices.

We hear in the news about security holes and breaches in our phones weekly, and even daily.  Lookout did a survey that found that 85 percent of federal government employees are aware of the risks of using their personal mobile devices for work but do it anyway. Mobile hacking could become a massive problem as the devices are portable and connect wirelessly. Portable means devices are easily lost or stolen. It also means devices will be accessing the Internet wirelessly through public Wi-Fi, or Wi-Fi set up by hackers in hotels, or even fake base stations set up nearby that the user’s mobile device sees as a legitimate roaming cellular connection.

The government is stepping up its efforts to help U.S. firms tighten the cyberhacking holes that mobile devices are particularly susceptible to. It is lending a helping policy and technology hand to enterprise to help protect against breaches into our largest firms through mobile devices.  Slowing mobile breaches is vital for our economy and national security. Grant Thornton (News - Alert) estimates that the global cost of cyberattacks for 12 months (2014-2015) was $315 billion. Gartner forecasted global spending on cybersecurity to be $75.4 billion.

The primary agency of the government working on cybersecurity standards is the U.S. Department of Commerce. The Department of Commerce and its sub-departments, the NTIA and NIST, are responsible for federal spectrum issues and cybersecurity. The National Telecommunications and Information Administration handles federal spectrum and other communications matters, and the National Institute of Standards and Technology studies spectrum and cybersecurity issues involving the government. In 2002, Congress mandated that NIST develop information security standards in the Federal Information Security Management Act of 2002. The National Cybersecurity Center of Excellence was created in 2012. In 2013, a presidential executive order, “Improving Critical Infrastructure Cybersecurity,” tasked NIST with creating a cybersecurity framework that would help organizations mitigate risks to the nation’s essential systems such as power generation and distribution, the financial services sector, and transportation. NCCoE collaborated with private firms like Intel (News - Alert), Microsoft, Symantec, and Lookout, to study and create real-world, standards-based cybersecurity capabilities for business needs.

In July 2015, NCCoE issued draft standards for health care: “Securing Electronic Health Records on Mobile Devices”.  In November 2015, NCCoE issued its draft "Mobile Device Security: Cloud & Hybrid Builds" which provides information to help protect data security on employees’ personal and organization-owned mobile devices. A "How-To Guide" was also delivered. There is a period open for commenting on the draft standards.  

NCCoE, through a survey, identified two problems with mobile phone cybersecurity: employee resistance, and the inability to implement and enforce a mobile device policy. The principal aim is creating more device cybersecurity technology, and standards, that eliminate or minimize the need for user compliance. The report noted that security controls have not kept pace with the security risks for bring-your-own-device scenarios and also for corporately owned and personally enabled mobile devices. The NCCoE report suggests leveraging cloud services to secure data, by keeping data secure in the cloud and off the device.

NIST’s efforts are admirable but not without questions. It is interesting that the four large mobile carriers and the largest mobile phone manufacturers were not part other NCCoE collaboration.  Apple (News - Alert), Google, and Samsung did not play a role. 

Also, there are several fundamental problems with creating cybersecurity standards. The standards can deliver the keys to the hackers. Once the standards are known, hackers will better know where the keys are located. Good security, the kind we want to see from the government and all large firms, must include a secret, complex methodology, known only to the creator.  Standards, while helpful, will not stop intrusions through mobile phones.

Also, standards can create false liability benchmarks for firms that may not comply with the standards but develop more sophisticated and workable cybersecurity protections that nevertheless are then breached by hackers. Because there is a standard, especially a government standard, these firms may be held to have intentionally ignored a government standard creating potential punitive damages.  

Barlow Keener (News - Alert) is the principal with Keener Law Group (

Edited by Kyle Piscioniere