The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Your phone could soon recognize you based on how you move or walk

with Bastien Inzaurralde


Within 18 months, your phone may be able to identify you based on the gait of your walk, the tension in your hand or the way your thumb moves across the touch screen. 

That’s the Pentagon's plan: It's in the final phase of testing technology that will reduce smartphone users’ reliance on difficult-to-remember passwords or an endless stream of text message verification codes, an official there told me. 

It's working with computer chipmakers and smartphone developers to make the technology commercially available as early as 2020, said Steven Wallace, a systems innovation scientist at the Pentagon’s Defense Information Systems Agency, or DISA. It's currently testing the system on 50 phones at the Defense Department. 

“Our goal from the very start was not to have something that was focused solely on the DoD,” Wallace said. “Our focus from the start was something usable at the commercial level.”

The tech companies haven’t made any firm commitments to adopt the identification system but appear eager to integrate the technology into smartphones within the next year or two, Wallace said.

He declined to name the companies DISA is working with but said if all goes well, the technology “will be available in the majority of handsets” in the United States. 

The technology would offer an extra layer of security for smartphone users by ensuring that a thief -- or someone who, say, picks up a phone left on a subway seat or park bench -- doesn’t get access to all the personal and professional information stored inside the device, Wallace said. If stolen phones are inoperable, there's less of a market for them. And more broadly, if consumer devices are better protected, national security improves: It gets tougher for hackers to steal information and intellectual property.

But the Pentagon's motivation is not just about securing consumers: If the tool is commercially available, the Pentagon can get the extra protection without paying an arm and a leg for specialized devices that only highly secured industries are using. In the past, Wallace said, the Pentagon has built super-secure smartphones but they've been too costly to deploy to anyone but a handful of top officials -- costing more than $4,500 per unit. 

Once the technology is fully vetted, DoD plans to use the technology for general purpose smartphones but not ones that access classified information, he said. 

Wallace hopes the cutting-edge identity verification system will be like the Global Positioning System and the Internet itself — in that they are all tools that were initially developed for military use but ended up benefiting society at large.

“I’m not going to say that we’re going to create something that’s as broad and as grand as GPS or the Internet, but there’s a history of the department working on things and those things ending up in consumer devices,” Wallace told me.

Similar technology is being used to verify the identities of some employees in highly regulated industries, such as financial services and health care, but it isn’t deployed commercially, Dawud Gordon, CEO of the company TwoSense, which is working on a separate but related DISA project, told me. Those industry tools build the sensing technology into software rather than into the smartphone's hardware, Gordon told me. 

The DISA project relies on sensors that already exist inside smartphone computer chips and are used by gaming apps but not generally for security, Wallace told me. 

DISA is working with a contractor to use those sensors to create a unique profile for how each smartphone user does various things, he said — including walking with the phone, typing on it and pulling it out of her pocket or purse. DISA then creates a "risk score" for the user that includes a weighted combination of all those factors, he said. If this score drops too low the person will be locked out of the phone. 

If a person is locked out in error, she could regain access using a more standard log in, such as a password, Wallace told me. 

Just because the capability exists in the phone’s hardware doesn’t mean people would have to use it to verify their identities, Wallace said. The smartphone provider could offer it as an option or organizations could use it to ensure employees don't leave unsecured devices in cabs or restaurants.

Because the sensors are on the phone’s hardware, the information they collect won’t be available to phone apps or other third parties, Wallace said, reducing privacy concerns. The only information that should leave the hardware side is when the phone user’s risk score drops too low and she’s locked out, he said.

Testing on DOD devices is expected to be finished within two months. 


PINGED: Three Democratic senators including presidential hopeful Amy Klobuchar (D-Minn.) want to know what the Department of Homeland Security is doing to secure the 2020 election. In a letter to DHS Secretary Kirstjen Nielsen, Klobuchar and Sens. Gary Peters (D-Mich.) and Richard J. Durbin (D-Ill.) sought answers about the size of teams at the department that are tasked with protecting U.S. elections and combating foreign influence.

Cybersecurity and Infrastructure Security Agency Director Christopher Krebs this month said his agency is “doubling down” on election security protection after the Daily Beast reported that DHS had downsized those efforts. Krebs said CISA was reducing the size of task forces supporting election security and countering foreign influence but replacing those workers with permanent agency employees. In their letter, the senators praised the federal government's work to secure elections but added that “we need to further bolster our election infrastructure ahead of 2020.”

The lawmakers also asked how many staffers CISA plans to recruit to help protect elections and what other initiatives the agency is taking to fend off potential threats to next year's election. “Given clear warnings from Intelligence Community officials that the 2020 presidential election remains a target for our adversaries, it is vital that we take strong action now in order to ensure our systems are secure on Election Day,” the senators said.

PATCHED: Sen. Mark R. Warner (D-Va.) asked four federal agencies what measures they have implemented to identify and patch cybersecurity vulnerabilities in the health-care sector. He also said that he wants to collaborate with federal agencies and others to develop a strategy aimed at reducing cybersecurity weaknesses in the health-care sector. “The health care industry has been identified as a lucrative target due to the valuable personally identifiable information criminals can monetize and lucrative opportunities to secure payment from victims of ransomware,” Warner said.
Warner’s letters to the Food and Drug Administration, Department of Health and Human Services, Centers for Medicare and Medicaid Services and National Institute of Standards and Technology follow similar missives that he sent to health-care groups last week. The senator also asked the federal agencies whether they have partnered with the private sector to seek input on how to better protect computer systems in the health-care sector. 

PWNED: A bipartisan group of 11 senators wants the Trump administration to further its crack down on Chinese telecommunications firm Huawei. The senators called for a U.S. ban on Huawei-produced devices called "inverters" that convert solar energy into useable power for other devices. Both industrial-scale inverters "and those used by homeowners, school districts, and businesses are equally vulnerable to cyberattacks,” the lawmakers said in a letter to Energy Secretary Rick Perry and Nielsen at DHS.

The senators also said Perry and Nielsen should collaborate with local officials at all levels of government and with businesses in the energy sector to protect the nation's energy systems. Sens. John Cornyn (R-Tex.), Marco Rubio (R-Fla.) and Senate Intelligence Committee Chairman Richard Burr (R-N.C.) were among the Republicans who signed the letter. Warner, the Senate Intelligence Committee's vice chairman, and Sen. Dianne Feinstein (D-Calif.) were among the Democrats who joined the bipartisan group. You can see the full list of senators who signed the letter here.


— Christy McCormick was elected chairwoman of the U.S. Election Assistance Commission, the agency announced in a news release. McCormick will serve in this position for one year. Cybersecurity reporters noted on Twitter that McCormick previously questioned the U.S. intelligence community's conclusions about Russian interference in the 2016 presidential election.

From the Wall Street Journal's Dustin Volz:

From Politico's Eric Geller:

— More cybersecurity news from the public sector:

Power struggle: Government-funded researchers investigate vulnerabilities in EV charging stations (CyberScoop)


— The finance and insurance industry was malicious hackers' favorite target in 2018, according to the annual IBM X-Force Threat Intelligence Index released today. This industry drew 19 percent of all attacks and incidents last year, followed by transportation services with 13 percent. “We expect the transportation sector to continue rising as an attractive target for malicious actors, because of the industry’s reliance on information technology to facilitate operations, its ubiquitous need for integration of third-party vendors, and its vast supply chain,” the report said. “These factors make for a larger attack surface than other industries.” The report also found that cyber criminals appear to rely less on ransomware attacks and more on cryptojacking — an attack that allows hackers to use other people's devices to mine cryptocurrency.

— Security researchers found a sharp increase in the size of distributed denial-of-service attacks against companies involved in market research and public opinion polling between the second half of 2017 and the second half of 2018, according to cybersecurity company NETSCOUT's Threat Intelligence Landscape Report, which was released today. Those attacks might be a backdoor for nation states to affect public perceptions of elections and the political process,  Mike McNerney, product manager for NETSCOUT Threat Intelligence, said in a statement. 

— Cyberattacks and concerns about data integrity rank fifth among the top 10 risks to the global economy in 2019, according to a report released yesterday by the Economist Intelligence Unit, the research arm of the Economist Group. “Although these attacks have been relatively contained so far, there is a risk that their frequency and severity will increase to the extent that corporate and government networks could be brought down or manipulated for an extended period,” according to the report. The authors of the report added that security breaches could jeopardize billions of dollars in daily transactions. “Were government activities to be severely constrained by an attack or physical infrastructure damaged, the impact on economic growth would be even more severe,” the report said.

— More cybersecurity news from the private sector:

Android Is Helping Kill Passwords on a Billion Devices (Wired)


China's technology challenge is bigger than just Huawei, British spymaster says (Reuters)

European Commission to take decision on network vendor security soon: Gabriel (Reuters)



Coming soon:


Trump keeps undermining his own administration:

President Trump still openly contradicts top White House officials more than two years into his first term. (Video: JM Rieger/The Washington Post, Photo: Jabin Botsford/The Washington Post)

A former campaign staffer accuses Trump of an unwanted kiss. Now she's taking him to court.

In a new lawsuit, Alva Johnson alleges that Donald Trump kissed her against her will in 2016, an allegation the White House denies. (Video: Alice Li, Jesse Mesner-Hage, Dalton Bennett/The Washington Post, Photo: Salwan Georges/The Washington Post)

Russian TV lists nuclear targets in U.S.

Russian state television said Moscow would target the Pentagon, Camp David and a naval communications base in Washington state in the event of a nuclear strike. (Video: Reuters)