A senior DHS cyber official emphasized the need for mobile devices to fall in line with secure-by-design efforts at a recent think tank event, while urging industry to adequately address security before rushing to put out new apps in the mobile marketplace.

“This world we live in where we are first to market instead of first to security has resulted in a really unstable cybersecurity ecosystem” for mobile applications, DHS’ Iranga Kahangama said at a Wednesday event hosted by the R Street Institute. Kahangama is assistant secretary for cyber, infrastructure, risk and resilience at DHS.

Kahangama participated in a panel on mobile device security with former National Security Agency official Glenn Gerstell, Lisa Plaggemier of the National Cybersecurity Alliance and moderator Amy Chang of R Street.

When companies are “racing to market” to beat a competitor, Kahangama said the app they end up releasing may not be developed with “the proper vetting and tools.”

The panelists discussed necessary steps to shift the burden of mobile device security from an app’s end users to its developers and producers.

“Manufacturers of hardware and software are not [currently] responsible for consequential damages that result from their having bugs in their software,” Gerstell said. Gerstell is currently a senior adviser at the Center for Strategic and International Studies.

However, Gerstell said the Biden administration “has finally come around to what cybersecurity experts have been advocating for” in the national cyber strategy’s proposal to shift liability “from the end user to the manufacturer.”

The Cybersecurity and Infrastructure Security Agency is leading on secure-by-design efforts, per the strategy’s implementation plan. The agency’s approach is anchored in its secure-by-design principles.

Regulations will be needed to establish liability protections, Gerstell said, as well as “more court cases” to establish how the new policy will be enforced.

Kahangama provided recommendations for mobile developers looking to increase their credibility in the market. He said, “Be radically transparent in how you are building your products,” and suggested using a Software Bill of Materials to make security analysis more “accessible” for consumers.

Plaggemier emphasized the cost-effectiveness of implementing secure-by-design processes for mobile apps. She explained it is “much, much cheaper” to remediate a vulnerability during the design and development process compared to after an app has been “pushed to production.”

She said, “We can’t test security into a product at the end of the day. It’s got to happen up front.”

Panel discusses security concerns for SMS messaging

The panel also weighed in on concerns associated with Short Message Service (SMS), an unencrypted service used to send messages between cellular devices.

Gerstell said individuals and organizations should avoid using SMS as a method of multifactor authentication “for anything that’s really serious or significant.”

Kahangama echoed this sentiment, referring to SMS as “a concern” and “a threat.” He explained the government has already reduced SMS use among “agencies and departments that we know are potentially more at risk for espionage.”

Plaggemier, however, expressed doubt that consumers would be motivated to move away from the service. She said, “I don’t think we’ve been able to express benefits of alternatives that are enticing to the business world and consumers,” emphasizing the entrenched nature of the “convenient” service in people’s lives.

Gerstell added that while it would be beneficial to transition to “internet-based and IP-based forms” of messaging, telecom companies and developers are currently “investing more in SMS.”

Nevertheless, he predicted that the next “few years” will be characterized by reduced usage of SMS as a means of authentication for “secure, critical apps.”