Mobile Device Security

The Department of Homeland Security (DHS) workforce has become increasingly mobile, driving the need for secure mobility solutions and a coordinated approach and framework to guide the selection and implementation of common enterprise mobility solutions. To promote the safe and secure adoption of mobile technology in DHS and the federal government, the DHS Science and Technology Directorate (S&T) Cyber Security Division (CSD) within the Homeland Security Advanced Research Project Agency (HSARPA) has created the Mobile Device Security (MDS) program.

Motivation

The need for this program is the direct result of mobile threats becoming increasingly common and more sophisticated, putting data stored or processed on DHS devices at risk. Threats specific to mobile devices, applications and data have grown dramatically in the past few years. A recent analysis of threats highlighted several key developments, including the following:

  • Increased focus of cybercriminals targeting mobile users. McAfee Labs reported seeing 2.4 million unique pieces of malware in the last three months of 2015, a dramatic increase from 300,000 in 2014.
  • Mobile threat sophistication is increasing. Certain malware even has entered the marketplace pre-installed on certain devices, indicating a compromised supply chain. Malware self-defense mechanisms also are gaining sophistication, evading attempts to detect and defeat the application.

Approach

To respond to the evolving threats and security challenges in the mobile space, S&T CSD has developed and will transition programs directed at several strategic objectives and initiatives. Through this work, S&T will ensure DHS is poised to bridge current capability gaps and deploy solutions that effectively, efficiently and securely enable the mission of the Department. The MDS program has established three overarching objectives to achieve its vision:

Objective 1: Partner with DHS Components and federal stakeholders to identify operational requirements and capability gaps

The MDS program leverages the efforts of existing federal and DHS mobility working groups to gather and prioritize mobile security capability gaps preventing mobile implementations both at the federal level and across the Homeland Security Enterprise (HSE). These groups include the following federal and DHS working groups:

Federal Interagency Working Groups:

  • Federal Chief Information Officers (CIO) Council’s Information Security and Identity Management Committee (ISIMC) Mobile Technology Tiger Team (MTTT)
  • ISIMC Identity, Credential and Access Management Sub Committee (ICAMSC)
  • MTTT Mobile Application Security Vetting Working Group

DHS Mobility Working Groups:

  • Mobility Initiative-5 (mi-5)
  • Mobile Community of Practice

Objective 2: Develop secure mobile solutions to enhance the DHS mission

The MDS program has established several initiatives to address primary gaps identified through its partnerships with DHS Components and other federal agencies. DHS S&T has awarded $10.4M in mobile technology security research contracts. For a summary description of projects currently underway, please see the CSD 2016 Mobile Security R&D Program Guide. Following are key performers by technology grouping and project:

  • Mobile Roots of Trust R&D
  • Mobile Malware Analysis/Mobile App Archiving R&D
  • Mobile Instrumentation
  • Transactional Security Methods
  • Next-Gen Mobile Security Management Tools
  • Mobile Device Layer Protection

Objective 3: Partner with industry to foster innovation

Industry partnerships and relationships enable the MDS program to engage and leverage the power of the private sector to bring innovative solutions to the marketplace faster. The MDS program has formed valued relationships with academic and industry performers, many of which have been identified above.

Resources

Publications

  • V. Sritapan and A. Stavrou, “Mobile App Testing for the Enterprise,” in ISSA Journal, vol. 14, issue 3, March 2016.
  • K. Carver, V. Sritapan and C. Corbett, "Establishing and Maintaining Trust in a Mobile Device," in IT Professional, vol. 17, no. 6, pp. 66-68, Nov.-Dec. 2015.
  • R. Johnson, N. Kiourtis, A. Stavrou and V. Sritapan, "Analysis of content copyright infringement in mobile application markets," Electronic Crime Research (eCrime), 2015 APWG Symposium on, Barcelona, 2015, pp. 1-10.
  • R. Johnson, M. Elsabagh, A. Stavrou and V. Sritapan, "Targeted DoS on android: how to disable android in 10 seconds or less," 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, 2015, pp. 136-143.
  • Z. Ali, J. Payton and V. Sritapan, "At Your Fingertips: Considering Finger Distinctness in Continuous Touch-Based Authentication for Mobile Devices," 2016 IEEE Security and Privacy Workshops (SPW), San Jose, CA, USA, 2016, pp. 272-275.
  • Salles-Loustau G, Sadhu V, Pompili D, Zonouz S, Sritapan V., "Secure Mobile Technologies for Proactive Critical Infrastructure Situational Awareness," Proceedings of IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, 2016.
  • M. Phillips, N. Stepp, J. Cruz-Albrecht, V. De Sapio, T lu, V. Sritapan, “Neuromorphic and Early Warning Behavior-Based Authentication for Mobile Devices,” Poster session presented at IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, 2016.
  • R. Johnson, A. Stavrou, V. Sritapan, “Empowering Android MDMs Using Non-Traditional Means,” Poster session presented at IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, 2016.

Mobile Device Security RFI: Mobile Threats and Defenses

As required by The Cybersecurity Act of 2015, the Department of Homeland Security Science and Technology Directorate (S&T) is conducting a study on mobile device defense capability gaps and safeguards and will submit to Congress a report detailing the study’s findings and recommendations.

Through a Request for Information (RFI) call published July 7 in FedBizOpps, the government is soliciting input from the mobile and cellular industry and researchers on products, services, capabilities and technologies that address threats related to the government’s use of mobile devices. Specifically, the RFI seeks the following information:

  1. Completing a survey about the threats, products, services or technologies relating to mobile security.
  2. Providing information about the standards and best practices on mobile defenses that will help mitigate mobile threats and vulnerabilities.

The RFI will enable industry and the research community to contribute information about mobile threats and vulnerabilities as well as existing and potential technology solutions to enhance security for mobile devices used by the federal government. The deadline for responding to the RFI is August 22, 2016.

The S&T Cyber Security Division will hold two Industry Day events—July 20 in Washington, D.C. and August 2 in Menlo Park, California—to provide additional insight about the RFI and answer questions about the informational appeal.

Contact

Program Manager: Vincent Sritapan

Email: SandT-Cyber-Liaison@hq.dhs.gov
