Trade group objects to proposed NIST mobile security guidelines

A mobile security technology proposal drafted by the National Institute of Standards and Technology (NIST) is being soundly rejected by one of the main trade groups representing a broad cross-section of industry.

NIST's "Guidelines on Hardware-Rooted Security in Mobile Devices," issued in draft form in October and out for public comment until last Friday, has drawn sharp criticism from the Telecommunications Industry Association, which labeled NIST's proposal as "over-prescriptive" because it "suggests that security in mobile devices can only be realized using a specific architectural implementation of secure or trustworthy environment, namely the Trusted Platform Module (TPM) architecture specified by the Trusted Computing Group (TCG)."

BACKGROUND: Smartphone, tablet security and management guidelines on tap from NIST

TPM is "one way to implement security in mobile devices but it isn't the only way," said Brian Scarpelli, senior manager of government affairs at Arlington, Va.-based TIA, adding that software-based security can also be relied on. He indicated the TIA membership of carriers and software vendors would prefer not to have to adhere to a specific implementation to meet new federal guidelines for mobile devices, and TIA is reaching out to NIST to voice its objections. TIA industry membership includes carriers such as Verizon Communications and Sprint Nextel, as well as Apple, Dell and VMware.

The TPM specification from the TCG is a hardware-based cryptographic-processing technology that can be used for several security purposes, primarily device integrity. TPM is used in desktops and servers but not mobile devices at present. The National Security Agency, for example, which influences technology decisions made at the U.S. Department of Defense, has been an enthusiastic proponent of TPM.
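To make concrete what "device integrity" means in this context, here is an added illustration (not code from the article, NIST, TIA or the TCG) of the measured-boot pattern a TPM supports: each boot component is hashed and folded into a register by an irreversible "extend" operation, so that the final register value can only match a known-good value if exactly the expected components ran in the expected order. The component names and the golden value are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample boot components for this example (not from the article):
# bootloader, kernel and initial ramdisk, in the order they execute.
GOLDEN_COMPONENTS = [
    b"bootloader-v1.2",
    b"kernel-4.4-signed",
    b"vendor-initrd",
]

REGISTER_SIZE = 32  # SHA-256 register, like a TPM 2.0 PCR in the SHA-256 bank


def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: new = SHA-256(old_register || SHA-256(component)).

    The register is never set directly, only extended, so a component that
    ran earlier cannot be "un-measured" by anything that runs later.
    """
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(register + measurement).digest()


def measure_boot(components) -> bytes:
    """Extend every component into a register that starts zeroed at reset."""
    register = b"\x00" * REGISTER_SIZE
    for component in components:
        register = extend(register, component)
    return register


# Expected value recorded from a trusted reference device (constructed here).
GOLDEN_VALUE = measure_boot(GOLDEN_COMPONENTS)


def check_device(components) -> bool:
    """Return True only if the measured boot chain matches the golden value.

    compare_digest avoids leaking where the comparison diverged.
    """
    return hmac.compare_digest(measure_boot(components), GOLDEN_VALUE)


if __name__ == "__main__":
    # A replaced kernel (e.g. one altered by rooting) yields a different value
    # and is therefore detected, as is the same software loaded out of order.
    print("clean device: ", check_device(GOLDEN_COMPONENTS))
    print("altered kernel:",
          check_device([b"bootloader-v1.2", b"kernel-4.4-rooted", b"vendor-initrd"]))
    print("reordered:    ", check_device(list(reversed(GOLDEN_COMPONENTS))))
```

On a real device the register lives inside the hardware and a verifier would check a signed quote of it rather than the value returned by software on the device itself; the hash chain shown here is what makes that quote meaningful.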

TPM chips ship in much computer hardware today, though they appear to suffer from a lack of widespread use, in part because few applications make them easy to deploy.

NIST argues for TPM by saying that "many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts."

NIST says it wants to "accelerate industry efforts" to use hardware-rooted trust technologies, and specifically TPM, in mobile devices such as smartphones and tablets that the federal government would acquire. NIST criticizes today's mobile devices, saying they are "vulnerable to 'jailbreaking' and 'rooting,' which provide device owners with greater flexibility and control over the devices, but also bypass important security features which may introduce vulnerabilities."

NIST asserts in its guidelines proposal that TPM and a hardware-based root of trust are the model the federal government would like to see used for assuring device integrity and verification, and that this would also help the government adopt a bring-your-own-device approach in which government employees could use their personally owned devices for work as well.

In its rebuttal to the NIST proposal, TIA's comments reject NIST's contention that "mobile devices are not as secure as laptops and personal computers," calling NIST's statements "inaccurate reflections of the state-of-the-art security supported by today's smartphones and tablets. Today's smartphones and tablet implementations support immutable, hardware-based root of trust that provide security features equivalent to those supported by laptops and personal computers."

In its comments, TIA pleads with NIST to reconsider its drafted guidelines proposal for mobile. "We urge NIST to ensure that any security requirements that it places on Federal agencies do not in effect cause the information and communications technology (ICT) manufacturers and vendors on which these agencies rely to choose between either making significant design and/or system alterations inconsistent with existing measures taken to ensure that private information systems are secure or to refrain from directly participating in the Federal market."

The TIA adds, "If this were to happen, it would bifurcate the ICT market that currently successfully serves both government and private entity alike, and would deprive Federal users of the benefits of the dynamic private research and development ecosystem."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE.
