Part of the issue, the GAO said, is that consumer security awareness is not where it should be, and federal efforts to raise it have so far fallen short.
The GAO report noted that cyber criminals may use a variety of attack methods, including intercepting data as it is transmitted to and from mobile devices and inserting malicious code into software applications to gain access to users’ sensitive information. Premium SMS scams are on the rise, and there is also good old-fashioned phishing, along with luring users to malicious links on websites.
These threats and attacks are facilitated by vulnerabilities in the design and configuration of mobile devices, as well as the ways consumers use them, the GAO noted. Common vulnerabilities include a failure to enable password protection and operating systems that are not kept up to date with the latest security patches.
The GAO said that protection will have to be a multi-pronged effort that takes into account all parties. For instance, mobile device manufacturers and wireless carriers can implement technical features, such as enabling passwords and encryption, to limit or prevent attacks. Meanwhile, consumers can adopt key practices, including setting passwords, using two-step authentication and limiting the use of public wireless connections for sensitive transactions; these practices can significantly mitigate the risk that their devices will be compromised. Unfortunately, many consumers still do not know how to protect themselves from mobile security vulnerabilities, raising questions about the effectiveness of public-awareness efforts.
Meanwhile, federal agencies and private companies have promoted secure technologies and practices through standards and public-private partnerships. But the GAO said that despite these efforts, safeguards have not been consistently implemented.
For instance, the Federal Communications Commission (FCC) has facilitated public-private coordination to address specific challenges, such as cellphone theft. However, it has not yet taken similar steps to encourage device manufacturers and wireless carriers to implement a more complete industry baseline of mobile security safeguards.
When it comes to consumer awareness, neither the Department of Homeland Security (DHS) nor the National Institute of Standards and Technology (NIST) has yet developed performance measures or a baseline understanding of the current state of national cybersecurity awareness that would help them determine whether public-awareness efforts are achieving stated goals and objectives.
The Obama Administration has been considering issuing an executive order to get such broad initiatives underway. Efforts to get a cybersecurity bill through Congress have to date failed, prompting Democrats to call on the White House to mandate cybersecurity protection measures for businesses and government agencies alike through an executive order. The GOP has maintained that such a step is an overreach of government authority into the realm of private enterprise – one that will hamper competition and innovation by placing too many regulatory restraints on daily operations.
In fact, government agencies are unsure of how to secure their own infrastructure, let alone help citizens do so.
So what to do? Going forward, the GAO recommended that the FCC encourage the private sector to implement a broad, industry-defined baseline of mobile security safeguards. GAO also recommended that DHS and NIST take steps to better measure progress in raising national cybersecurity awareness. The FCC, DHS, and NIST generally concurred with GAO’s recommendations.