Our CISA Zero Trust Comment

Re: Applying Zero Trust Principles to Enterprise Mobility 

Thank you for the opportunity to comment on the Agency’s draft paper, Applying Zero Trust Principles to Enterprise Mobility. Trusted Future is a new organization dedicated to the belief that we need smarter, better-informed efforts to enhance trust in today’s digital ecosystem in order to expand opportunities for tomorrow.   

We share the view that mobile devices “present unique opportunities and challenges in adopting comprehensive zero trust models” and applaud CISA’s efforts to advance ZT from a mobile device perspective – especially given the dynamically changing and critical mobile threat environment.  As mobile devices become even more essential to the way the government works, the way federal workers do their jobs, and the way agencies deliver services, it has become even more essential that leaders incorporate proven trustworthy principles in their enterprise mobility strategies.  

We therefore want to focus attention on the importance of elevating trust throughout our technology ecosystem, and use our comments to underscore that, ironically, trust is at the very heart of a successful zero trust framework.  

* * * 

Trusted Future is a non-profit organization dedicated to the belief that we need smarter, better-informed efforts to enhance trust in today’s digital ecosystem in order to expand opportunities for tomorrow. We believe we deserve a vibrant digital ecosystem that is trusted, responsible, inclusive, and safe — one where you can trust that your privacy will be protected, your data will be secured, your safety can be protected, that leads to a more just, equitable and inclusive society, and that fosters previously unthinkable opportunities to improve your life. We bring together experts, advance new research, highlight common sense best practices, policies and recommendations, and explore new ways to foster and enhance the basic trust we need to support and sustain a healthier digital ecosystem. 

* * * 

In today’s increasingly dynamic mobile threat environment, mobile devices must be equipped to protect against the full spectrum of device, network, phishing, and malicious app risks and attacks.  They have become more critical to our work and more complex to defend, in an environment that is evolving at increasing speed.  As mobility has become more essential to achieving mission-focused outcomes, advancing zero trust architecture in the federal enterprise has become even more essential.   

MOBILE DEVICES ARE INCREASINGLY ESSENTIAL FOR ACHIEVING FEDERAL GOALS  

Mobility has become critical for enabling workers to be more productive, accessible and collaborative, and for improving government service delivery.  Increasingly, it is difficult for government workers to function without mobile devices.   

  • Mobility Boosts Worker Productivity.  A 2016 Frost & Sullivan survey showed that the average government worker loses 52 minutes of productivity time per day – and 28 percent in overall productivity – without a smartphone at work.  
  • Mobility Improves Federal Service Delivery.  The Administration is pushing for investments to improve the way government uses technology to interact with the public, and has made mobile service delivery a priority. For example, President Biden’s Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government directs agencies to take steps to improve the digital customer experience for their respective agencies’ customers by updating mobility capabilities. 
  • Mobility Enables Agencies to Meet Unique Mission Goals.  As highlighted in the fact sheet accompanying President Biden’s Executive Order on Improving Customer Experience and Service Delivery for the American People, several agencies are improving service delivery by harnessing mobile device capability.  For example:   
      ◦ More flexible FEMA disaster relief.  For the 25 million individuals, families, and small businesses who live through a Federally recognized natural disaster each year, access to more flexible mechanisms to provide supporting documentation, such as virtual inspections and submitting photos of disaster damage from a mobile phone, can greatly reduce barriers to obtaining support.  
      ◦ Better integrated care for U.S. Veterans.  For the 200,000 service members who transition to civilian life each year and the more than 18 million Veterans across the United States, improved mobile capability will mean that veterans and beneficiaries, and their caregivers or other designated representatives, can access digital services through a single, integrated, and fully inclusive digital platform on VA.gov and a flagship VA mobile application so that VA’s customers don’t have to use separate portals, websites, or mobile applications when managing their health care and benefits online. 
  • Mobility enables a more agile, productive, and cost-effective federal workforce.  As we all know, the pandemic has accelerated trends towards greater use of teleworking and reliance on mobile devices. For Fiscal Year 2020, the Office of Personnel Management reported that roughly half of the federal government’s 2.1 million employees were engaging in telework six months into the COVID-19 pandemic, a development that saved the government $180 million.  According to a survey from the American Federation of Government Employees, nearly 80% of federal and DC government workers said they were more productive while teleworking during the pandemic. A hybrid future seems inevitable for most government agencies, which makes the need to ensure that mobile devices are secure that much more essential.

The Administration is Taking Critical Steps to Get Ahead of Future Challenges.  

We are heartened that the Administration appears focused on this issue at the highest levels.  For example, we applaud the White House for the President’s efforts to bring together leading private-sector innovators with the government’s leading researchers to help drive new resilient mobile networks through a $40 million Resilient and Intelligent Next-Generation Systems program – RINGS – designed to create a platform to advance U.S. leadership in next-generation wireless networks and systems, strengthening U.S. competitiveness in a key technology area in the face of international supply-chain challenges. 

THE MOBILE THREAT ENVIRONMENT IS BECOMING MORE DYNAMIC AS THREAT ACTORS ARE BECOMING INCREASINGLY SOPHISTICATED 

As mobile devices become more essential to federal efforts, their impacts are more profound, the threat landscape has become more dynamic, and it is therefore increasingly critical that we elevate mobile security within the federal enterprise.   

  • The mobile threat landscape is changing rapidly. Zimperium, in their 2022 Global Mobile Threat Report, found a 466% increase in exploited, zero-day mobile vulnerabilities. Nearly half, 42%, of enterprises reported mobile devices and web apps led to a security incident.  Incredibly, 75% of phishing sites specifically targeted mobile devices and 23% of mobile devices encountered malicious applications worldwide.  As the authors of that report note, “mobile phones and apps are a soft target, and attackers are keenly aware of this.”   
  • Mobile malware is on the rise.  According to PurpleSec, “Third-party app stores host 99.9% of discovered mobile malware.” Similarly, Nokia’s 2021 Threat Intelligence Report finds virtually all malware on mobile devices gets there through downloads from third-party sources.  Nokia indicates that because the “security of official mobile app stores has improved significantly in recent years,” it is now increasingly important for mobile device security that apps are only made available from trusted sources. RiskIQ’s Mobile App Threat Landscape Report highlights how it often works: “Threat actors have made a living taking advantage of this myopia to produce “rogue apps” that mimic well-known brands or otherwise purport to be something they’re not, purpose-built to fool customers into downloading them.” 
  • Mobile Message Phishing (smishing) attacks have become a primary mobile attack vector.   In a smishing attack, text messages are sent to users containing links designed to trick them into downloading malicious software, or into entering private details or login credentials into a fake website for malicious actors to see and steal. Common lures include fake missed delivery notifications, a fake receipt for a false charge, fake alerts related to the COVID-19 pandemic, and even notifications of winnings. Proofpoint research shows they “detected a 500% jump in mobile malware delivery attempts in Europe” beginning in early February.  According to their research, this increase was due in part to an increase “in campaigns that use SMS/mobile messaging as their delivery mechanism.”  The risk is therefore heightened if a device is configured to allow the user to download apps from an unauthorized source.  
  • Mobile risks are increasingly pervasive. Trusted Future recently conducted its own survey on device security.  We found that an amazing 65% of respondents reported that they had received a smishing text.  But what was especially surprising was that only about half of the respondents were following even the most basic cyber-hygiene best practices – like adopting two-factor authentication, adopting strong passwords, and only downloading from official app stores. 


ENTERPRISE MOBILE DEVICE RESILIENCE DEPENDS UPON FULL IMPLEMENTATION OF EXISTING FEDERAL MOBILE GUIDANCE 

To have a true zero trust mobile device policy, it’s important to incorporate and build upon the critical and widespread agency expertise on mobile security – including guidance from agencies against the downloading of unauthorized apps (aka sideloading)—into the broader conversation around cybersecurity, for government users, corporations, and ordinary consumers.  

CISA’s draft enterprise mobility paper correctly highlights the importance of vetting apps given the nature of the threat to mobile devices. This can be one of the most important ways to tackle the surge in mobile malware.  Zimperium’s summary of the dangers associated with the unvetted sideloading of apps from unofficial or alternative app stores captures the danger succinctly: 

“Available on both iOS and Android devices, these alternative app stores often act as a black market with very similar traits; the available app could be the same, or an elaborate copy and decoy, and the only way to tell is to take it apart. But as most mobile users won’t be breaking down the code of the app they just installed, these alternatives have become ripe with malicious code.”  

Existing Federal Guidance is Critical for Tackling Mobile Threats.  

U.S. government agencies—including CISA—have published guidance or directives discouraging users from downloading any apps from unofficial app stores, which are known to invest much less attention into vetting the apps on their platform.  For example: 

  • Cybersecurity & Infrastructure Security Agency: “Avoid potentially harmful apps (PHAs). Reduce the risk of downloading PHAs by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store. Do not download from unknown sources or install untrusted enterprise certificates.” 
  • DHS’s Science and Technology Directorate: “Third-party stores also exist . . . but the reliability and security of apps from these sources may vary widely and the vetting process may be opaque or less robust than is the case for the public stores of OS vendors. . . . [U]sers should avoid (and enterprises should prohibit on their devices) sideloading of apps and the use of unauthorized app stores. Android’s built-in Verify Apps feature or third- party, mobile threat protection solutions for both Android and iOS can help identify potentially harmful apps installed on devices.” 
  • The National Security Agency: “Install a minimal number of applications and only ones from official application stores.” 
  • The General Services Administration: “Applications available through approved methods (provided with the operating system – Apple iTunes and Google Play respectively). Installation of applications from unknown sources is not authorized. These unknown sources include third party application sources, such as the Amazon App store. . . . Allowing mobile apps to be loaded from an unknown source presents one of the greatest risks to GSA’s environment when using mobile devices.” (emphasis added) 
  • FBI’s Criminal Justice Information Services Division: “One of the few effective attack vectors to compromise mobile operating systems is to manipulate the device user to install a malicious application. . . . Unsigned or un-trusted apps are cryptographically prevented from executing on non-jailbroken iOS devices. . . . On either platform it is highly desirable to limit allowable applications to a pre-approved pool of apps via MDM or organizational App store structures and device policy. However, the risks associated with uncontrolled app installation is several orders of magnitude greater on Android based devices.”  
  • The Federal Trade Commission: “Use official app stores. To reduce the risk of installing potentially harmful apps, download apps only from official app stores, such as your device’s manufacturer or operating system app store.”

Expert Foreign Mobile Security Guidance Echoes the Same Guidance 

  • The UK’s National Cyber Security Centre: “Only download apps for smartphones and tablets from official stores (like Google Play or the App Store). Apps downloaded from official stores have been checked to provide protection from viruses and malware.” 
  • The Canadian Centre for Cyber Security: “Remain vigilant and only download applications from trusted app stores to ensure you have the official version.” 
  • Australia’s eSafety Commissioner: “Apps for your iPhone or iPad should only ever be obtained from the App Store, while apps for Android devices should only be obtained from Google Play. Apps obtained from anywhere else may well be dangerous, and could try to misuse your information or put a virus on your phone.”  
  • New Zealand’s Computer Emergency Response Team: “Apps that are available from 3rd party sellers may not be legitimate, and could contain malware (like viruses). Android phones have a setting that prevents 3rd party apps from installing.” 
  • The European Union Agency for Law Enforcement Cooperation (Europol): “Just a game? Only install apps from official app stores . . . Be cautious of links you receive in email and text messages that might trick you into installing apps from third party or unknown sources.” 
  • India’s Ministry of Electronics and Information Technology’s Computer Emergency Response Team (CERT-In): “Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store. Do not download from unknown sources or install untrusted enterprise certificates. Apps that are available from 3rd party sellers may not be legitimate and could contain malwares.”  


Even in a zero-trust world, users should avoid (and ideally be prevented from) downloading apps from sources that do not display the indicia of trust associated with robust official app marketplaces. Limiting attack vectors is essential to building secure-by-design systems and a prerequisite to a successful zero-trust architecture.   

ZERO TRUST STARTS WITH TRUST 

The term zero-trust implies that we should assume away trust in the condition of the network. One might then draw the conclusion that trust in the elements of the network is not as important as we thought it was. But this is not really the case.  In fact, the network, whether highly segmented or not, is still made up of elements of software and hardware and practices related to those elements, and if the elements are not trustworthy, malicious actors will blow through each gate of the Zero Trust Architecture. So, really, trust is foundational to Zero Trust Architectures (ZTA) and networks. And not having trustworthy elements in the ZTA brings a false sense of security, and might make matters worse. There is no silver bullet here for untrustworthy network elements.   

Therefore, even in a ZTA environment, there is significant value in promoting, measuring, and focusing on the trustworthiness of the products, services, and the companies embedded in the network architecture.  As we advance ZTA across Federal and private sector enterprises, CISA and other national security agencies such as the NSA, NIST, and FBI should double down on the importance of trusted products, services and companies as essential elements of the ZTA.   Perhaps we need to say “Zero Trust starts with Trust.”  That also means we need to continue to encourage companies to compete on security and trustworthiness, and avoid regulations or policy proposals that could be predicted to undermine trust and the security of the products and services that the zero-trust architecture actually relies upon.   

Cybersecurity policy is complex and highly technical. It’s also very delicate and dynamic. To make things even more complex, the U.S. technology industry builds once and sells globally. Therefore, the policies we adopt that impact products, services, and U.S. companies impact architectures globally – across enterprise, consumer, critical infrastructure, government and military networks. There is no such thing as a local impact. As usual, the practical and technical implications of any recommendation from CISA must be understood, and must be clearly beneficial across the global information infrastructure.  

Thank you for focusing on ZTA and mobility in the federal enterprise, and collecting ideas about how to best implement ZTA principles.  We appreciate the opportunity to comment, and would be happy to further engage on this important topic.