Recent events have brought to the forefront the vulnerability and threat vector smartphones present.
“The very things that make mobile devices such a productivity tool are the exact same things that make them a big target for espionage and for malicious activity,” Kiersten Todt — president and managing partner at Liberty Group Ventures and resident scholar at the University of Pittsburgh Institute for Cyber Law, Policy and Security — said Oct. 24 in Baltimore, Md., at the annual MilCom conference hosted by AFCEA.
“We saw most recently [White House] Chief of Staff John Kelly’s phone getting compromised and by all accounts that was likely by a nation-state actor given what he wasn’t able to do.”
Mobile devices that are compromised, she said, can be exploited by adversaries to enable the microphone, allowing them to listen into sensitive conversations, access data that’s going through the smartphones or be able to take pictures of a surrounding area.
“We typically have looked at smartphones as a peripheral device, but I think we all appreciate right now that smartphones we each hold are really the access points into both our personal and professional lives,” Todt, who previously served as executive director of commission on enhancing national cybersecurity, said. “The data that travels through those devices is critical.”
In the military context, a report by the Wall Street Journal earlier this month charted how Russia targeted the smartphones of NATO soldiers, with the goal of gaining operational information, gauging troop strength and intimidating soldiers.
Personal devices brought onto the battlefield can be exploited allowing adversaries to geolocate positions and direct fires upon their positions.
“This might be the clearest example yet of how our reliance on networks and connected devices has created new threats to national security,” retired Rear Adm. Bill Leigher, Raytheon DoD Cyber Programs director, said. “This should make it clearer than ever that nation-states have brought the fight to new terrain — our commercial networks and the devices people use every day.”
Complicating matters even further is the combination of social media posting through smartphones. A Russian sailor broadcast the position of his ship’s previously unknown location to much of the world when he posted a selfie off the coast of Syria complete with the geo-tag active.
The military is trying to engrain best practices into the ranks of their enlisted soldiers with a recognition that it starts at the highest levels first.
“How do we train our soldiers to understand the vulnerabilities and what our Ukrainian partners are realizing that by using your personal cellphone what that opens you up to,’ Maj. Gen. Patricia Frost, director of the Army’s Cyber Directorate, said during a panel discussion in Augusta, Ga., in August. “If we — this is the leader level — will not recognize the vulnerabilities that we’re bringing into the environment and the threat vector that we’re introducing, how do we expect our soldiers at the most junior level to be disciplined.”
She noted that they might being to use the National Training Center as a teaching moment, saying if X number of soldiers brought their personal devices to NTC, leaders could say they targeted them, brought indirect fires on their position as to demonstrate the threat vector they’ve introduced.
“I have been at forums at field grade and higher level where we’ve told everyone we’re going to go classified, leave your cellphones in a designated place and we scan the room and more than 50 percent to 75 percent still brought their cellphone into the room,” Frost said.
“Right now we have to appreciate the mobile devices are an endpoint priority equal to — or I would argue even more so — important than the laptops and the desktops that we each use,” Todt said.
“Being able to develop the policies around protecting the information on our mobile devices and importantly protecting the data is what has to happen. Critical information has to be the priority for looking at how we secure devices, data and how we’re securing our workforce.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.