CIS Mobile is a cybersecurity company focused on reshaping the mobile computing market for government customers dominated by an industry producing expensive legacy equipment few users want. Purchased a year ago by CIS Secure and rebranded CIS Mobile, the subsidiary has deployed phone products in Canada and the U.K. U.S. pilots are ongoing. Both CIS Secure and Acorn Growth Companies, the mid-market defense and aerospace private equity firm controlling CIS Secure, felt the government mobile computing space demanded new solutions so users would actually use a supplied device, instead of resorting to their own to get work assignments completed and create added security risks.
Consumer mobile phones offer a reasonable level of day-to-day security, but have some notable shortcomings. First, their user agreements allow phone producers, telecom providers, application creators, third party marketers, and others to collect, track, aggregate, and sell data users generate with their phones. From the most expensive iPhone to free devices, consumers pay first by buying a unit and second via data aggregation – referred to as digital exhaust, digital trail, or digital breadcrumbs. No matter the label, every consumer has an ever growing collection of data firms gather and monetize.
This is particularly challenging for employees in the defense, intelligence, law enforcement, emergency management, finance, and other government domains. Detailed tracking of their behavior patterns and whereabouts, data usage and with whom, along with a host of other observations, can be combined to build a profile of enormous detail. Even external constituencies, such as journalists, have been used as proxies to track the location of the U.S. President, his staff, and employees of different agencies.
Mobile solutions exist to provide high levels of security, but come with a host of compromises that limit adoption and user interest. Well known examples include the Boeing Black Phone, the SME PED (stopped in July 2015), and Sirin Labs’ phone. However, they cost thousands of dollars. Other competitors include: ESD Cryptophone, Dark Matter’s Android based phone, Silent Circle, and Atos’ Hoox Android phone.
Finally, the U.S. Defense Information Systems Agency (DISA), in conjunction with the National Security Agency (NSA), developed a phone with added security features to control a device’s camera, GPS receiver, bluetooth, and other functions. Currently, DISA has a user base of approximately 150,000 and expects to have a new phone and tablet released later in 2020. So, in theory, CIS Mobile has many competitors for what is a niche market of U.S. and several allied government users.
CIS Mobile approaches the market in several unique ways. First, they embrace the movement of bring-your-own-device (BOYD) and user desires of having one phone for professional and personal use. Second, they support current commercial off the shelf (COTS) hardware in the form of Google’s Pixel 3a and the rugged Sonim XP8. Third, the platform offers over-the-air (OTA) updates via three centralized management servers covering policies, messaging, and push-to-users. Servers reside with a customer on their premises.
At the core of the firm’s efforts is altOS, a secure containerized Android platform allowing users to move among containers with a single finger swipe – such as left for their professional container or right for their personal container. By defining security access simultaneously between work and personal, altOS provides several levels of security in a very user empowering format. Furthermore, altOS can be configured for use in secure environments via geofencing. Once defined, altOS will automatically disable hardware features – speakers, cameras, microphone, wireless communications – in a secure location. Therefore, users no longer need to be separated from their phone. With a docking station, keyboard, mouse, and monitor the phone can easily morph into a full blown workstation, removing the need to carry a laptop.
CIS Mobile also utilizes Android’s verified boot paradigm whereby digital signatures at each step of the boot process confirm the integrity of the device. Should the phone identify an issue, it will refuse to boot. Flashed to a phone and centrally managed, these containers can be removed as needed – such as for traveling – and returned to the device once an employee has completed an international assignment.
CIS Mobile combines Android and their own security updates and pushes them to customers monthly. Clients can then evaluate the changes and distribute them into the field when appropriate. For example, an immediate update for a Federal Emergency Management Agency (FEMA) team could make sense while an intelligence group on assignment might require a delayed approach. For every user, having a COTS phone that looks and behaves like everyone else’s device is a significant security benefit.
While the mobile phone market is very well defined by size, geography, OS, user category, and other parameters, sizing up the secure mobile market is challenging. I found some figures during my research but even CIS Mobile President Bill Anderson isn’t 100% certain of the market’s complete size. The firm’s conservative working hypothesis starts with DISA’s 150,000 to 200,000 users. Combine users from the Five Eyes, an intelligence alliance of five nations including the U.S., and the market broadens to several hundred thousand users. However, the team recognizes the market may be orders of magnitude larger.
Their go-to-market plan is to serve government clients first and build a track record of success. A year or so down the road, the team expects to expand to government contractors with the same product solution. The firm does not expect to sell devices to consumers.
The firm’s two biggest challenges over the next twelve months include finding the right software development talent and building greater customer awareness around the benefits of their product solution. Android developers with strong kernel, library, and system applications experience can be challenging to find and recruit and marketing secure communication products requires nuance.
As a strategist, I find CIS Mobile’s product solution compelling because the firm starts with user needs first to create a security platform that is easy to use and manage. Too many security products and services compromise the user experience or ignore it altogether, expecting whatever associated friction to be tolerated by everyone.
The team wisely decided to leverage infrastructure that was already robust – phone platforms from Google and Sonim, Android’s development architecture, approved carrier access – and solve problems where other mobile platforms fell short around usability and cost. CIS Mobile’s first priority was to gain control over all of the mobile device’s computing resources, secure them, and stop digital exhaust at every level.
Introducing innovative functionality – frictionless containerization, geofencing, flexible backend systems, OTAs – has allowed CIS Mobile to develop a unique platform. Competitors – such as Silent Circle and Atos – also use containerization and everyone in the space utilizes a variety of hardening techniques to secure a device. But if a user base spends time circumventing a phone’s limitations, in a best case scenario, or avoids the device altogether in the worst case, the tightest security parameters won’t matter. CIS Mobile’s platform and user approach is a powerful reminder that security is not the primary challenge. In isolation, there are lots of security solutions that do their job successfully, such as spending two minutes switching phone containers in the field with a competing product.
CIS Mobile has worked to solve a set of critical security communication challenges by thinking differently. Instead of asking, how do we want a user to behave with our device, the firm asked themselves, what established behaviors do users already have and how do we make those patterns secure in dynamic global environments? Too few cybersecurity vendors think in these terms.
At the end of our interview CIS Mobile President Anderson stated he thinks the CIS Secure/CIS Mobile combination has the benefit of an established firm, with strong customer relationships, and the dynamism of a startup, with the recent addition of the mobile team and their unique approach to secure communications. The older firm knows how to sell to their customer base and new guns know how to be innovative. Given what the team has built, I can understand the enthusiasm. By putting their users first, the company has developed an innovative solution that hits three high marks – customer enthusiasm, genuine affordability, and real security.
I look forward to following CIS Mobile over the next eighteen months as they achieve greater U.S. market traction and getting back in touch for an update. Stay tuned.