DHS: Moving Forward with Mobile Security

The Science and Technology Directorate (S&T) of the Department of Homeland Security (DHS) is responsible for leading the development of next-generation cybersecurity solutions for the US government. In this high-profile role, S&T can set the level and pace of cybersecurity innovation across the broader technology industry.

S&T aligns with a statement made by the Office of Management and Budget, which reads, “Special attention should be paid to R&D that can support the safe and secure integration into society of new technologies that have the potential to contribute significantly to American economic and technological leadership.”[1]

Vincent Sritapan

I spoke with Vincent Sritapan, Program Manager at the Cyber Security Division of DHS. His group has published Volume 2 of the “Mobile Security R&D Program Guide.” The Guide offers an overview of innovative security technologies intended to accelerate the adoption of secure mobile technologies by DHS, the entirety of the federal government and beyond.

The Guide’s creation was driven by a recognition that the federal workforce has become increasingly reliant on mobile technologies. There are 1.5 million mobile device subscribers within the federal government. DHS understands that the government’s increasing reliance on mobile technology has made it an attractive and lucrative target for cyberattacks. “As use of mobile technologies becomes more pervasive in the government, solutions are needed to secure mobile devices and coordinate lifecycle management,” Sritapan noted. “We need policies to guide the selection and operational use of mobile solutions.”

“The goal of the project was to identify and provide ways to address the major pain points we see in mobile technology use in the government,” said Sritapan. “These include gaps in security with mobile devices, applications and networks.” Given the trend toward using mobile devices outside of federal agencies’ traditional network boundaries, there is a clear and urgent need for improved mobile security. “Our vision is to stimulate improvements in mobile security through collaboration with other agencies such as the DoD, FEMA and so forth,” Sritapan added.

The Quest for Mobile Security in the Federal Government

To promote the adoption of safe and secure mobile technology within DHS and across the entire federal government, S&T is developing requirements that span mobile device security and mobile app security. Focus areas include mobile software roots of trust, firmware security, virtual mobile infrastructure, continuous validation and threat protection for mobile apps, and tools to integrate security throughout the mobile app development lifecycle.

The R&D Program Guide

The Program Guide highlights new technologies and processes that further the goal of enabling the mobile workforce to support the homeland security mission. They were selected for their potential to support mission success through effective, efficient and secure mobile technologies.

  • Orchestration Platform and Correlation for Mobile Software Assurance Tools – orchestrates mobile app development and vetting. It includes solutions for normalizing and rating mobile apps based on predefined standards and embedding these security steps throughout a mobile app development platform.
  • Advancing Mobile Endpoint Security – advances new mobile endpoint security capabilities that alert device users, mobile enterprise administrators and security personnel to security threats and provide the ability to remediate vulnerabilities.
  • Android Security Toolkit – leverages Microsoft’s Xamarin platform, security enhancements and mobile DevOps best practices to enable the government to build a secure mobile application (app) framework that supports the needs of DHS and other federal agencies. Provides the capability to write cross-platform native mobile apps from a single code base for Apple, Android and Microsoft operating systems. Apps developed can run on-premises or in any cloud platform, including government-only clouds that meet critical regulatory compliance requirements.
  • Hardware-Anchored Continuous Validation and Threat Protection of Mobile Applications – addresses continuous validation and protection for mobile applications (apps) and devices by focusing on developing capabilities that operate within the High Level Operating Systems (HLOS). The program uses a hardware-anchored Mission-Critical-Grade Security Layer (MCGSL) to address zero-day attacks on commercial mobile devices by leveraging the Qualcomm® Snapdragon™ Security Platform and extending commercial capabilities to a military-grade mobile app security testing platform.
  • Assured Mobile Application Lifecycle using Red Hat Mobile – integrates code-scanning technology into the mobile app development lifecycle, develops new capabilities and enhances the Red Hat Mobile Application Platform (RHMAP), while leveraging the mobile app information assurance software testing by Kryptowire for iOS and Android platforms.
  • COMBAT: COntinuous Monitoring of Behavior to Protect Devices from Evolving Mobile Application Threats – vets mobile apps, preventing unauthorized access to sensitive information on mobile devices through robust identification of malware and vulnerable code.
  • Trusted User Module (TUM) – provides software-based roots of trust for mobile devices such as mobile phones, tablets and wearable devices where a Trusted Platform Module (TPM) chip is absent.
  • Virtual Mobile Infrastructure – enables organizations to virtualize mobile devices so sensitive apps and data can be made available to mobile devices virtually, while maintaining appropriate security controls for the data on back-end servers.
  • SENsor Secure Enterprise Infrastructure – provides existing systems with a complete security overlay for mobile and IoT devices and their apps.
  • Persistent Implant Finder – automates the unpacking, modification, analysis and repacking of firmware to create new FRAK analyzer modules capable of identifying a variety of implants and providing detailed reports for further investigation by human analysts.
  • Prepositioned Cyber-Threats – automates the detection of prepositioned cyber-threats in mobile applications, internet of things (IoT), embedded systems and critical infrastructure technologies.

[1] OMB Memo M-17-30, Fiscal Year 2019 Administration Research and Development Priorities