On September 13, the R Street Institute’s Cybersecurity and Emerging Threats team hosted a virtual event on the security risks posed by mobile devices. The event featured a panel moderated by R Street’s Cybersecurity and Emerging Threats Senior Fellow Amy Chang, and experts from civil society and government, including Glenn Gerstell, a Non-Resident Senior Adviser with the International Security Program at the Center for Strategic and International Studies; Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk and Resilience at the Department of Homeland Security; and Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance. Opening remarks were provided by Brandon Pugh, the Director of the Cybersecurity & Emerging Threats program at R Street. 

Due to the ubiquity of cell phone, tablet and other mobile device use, cybersecurity risks are plentiful, including the insecurity of text messaging protocols, the vulnerability of mobile applications and the data they collect on consumers and unclear expectations around who would be best suited to address vulnerabilities that arise from insecure development practices. Major themes from the panel discussion are shared below.

SMS was developed for convenience, not security

SMS, or short messaging service, was thought of in the 1980s and was originally used for telecommunications companies to communicate to their subscribers. Over time, with technological advancements and the introduction of keyboards onto our mobile phones, texting evolved to include user-to-user communication and file sharing. 

While convenient, the messaging protocol has not been adapted or updated since its inception, and this poses attendant risks. The panel provided several examples here: interception of text message data, interception of multi-factor authentication codes via phone number, the ability to steal someone’s identity and conduct fraud via SIM swap attacks (attacks that allow fraudsters to steal and use your phone number). A recent report from the Cyber Safety Review Board underscored how these risks have played out in real time via malicious actors.

Many panelists conveyed that despite these vulnerabilities SMS will likely continue to exist in its current form since it is convenient and used in cross-platform messaging. Simultaneously, newer protocols are being developed, such as Rich Communication Services (RCS), as well as applications that provide end-to-end encryption for messaging. 

Shifting the culture of security towards secure-by-design and -default

Big breaches of insecure applications make headlines every year. Gerstell noted that “The extent of the possible malice is limited only by a criminal’s imagination, unfortunately, and we’ve seen many examples of that.” Efforts by the federal government seek to address this.

Secure-by-design and secure-by-default are two principles that the United States and international allies are advocating for to ensure products are designed from the start with security in mind and embrace security out of the box. These are important concepts for mobile devices, but they also apply across technology types

Kahangama underscored how important it is to galvanize the private sector to shift the burden of securing their devices away from the end user and more towards the developers and the producers of technology and products, especially because they are the ones who have more resources, more technical sophistication, and a better understanding of potential security implications. The 2023 National Cybersecurity Strategy stressed this sentiment. The U.S. government has also made substantial efforts to work with companies to secure commitments to adhere to these principles of secure-by-design/-default, and how to leverage security as a competitive advantage. 

Consumer sentiment on device security

Plaggemier explained how mobile phones are central to our daily lives, yet few people think about how to protect themselves from attendant risks. This can include how data is collected about individuals, and how it is used and stored; how secure or insecure downloaded applications are; and even what multi-factor authentication (MFA) is and how to use it. In fact, the National Cybersecurity Alliance found 43% of people have never heard of MFA.

As consumers become more educated about cybersecurity, they are able to make demands on companies to ensure that their devices and applications are not only convenient, but also secure. Beyond company involvement, panelists conveyed that users have a vital role to play in proactively taking security-enhancing measures.

Panelists ended the event on an optimistic note: we already know the shortcomings of mobile device insecurity, and we know what the solutions are. The hard part really comes down to mobilizing all the relevant stakeholders—from developers to governments to consumers—to address these issues and advance solutions that improve education, awareness and ensure the security of our nation’s mobile device users.

Stay up to date with the latest in cybersecurity policy. Sign up for R Street’s newsletter today.