The Pentagon is shockingly bad at managing its employee smartphones
Officials are using government-issued devices much like a teenager would – and that has security implications
The US Department of Defense has been rapped by the Pentagon's Office of the Inspector General for what amounts to pretty pisspoor management of government-issued smartphones.
While Uncle Sam slowly wakes up to the fact there are mobile applications out there, like TikTok, that have privacy and security implications if installed on devices meant for official use, the audit agency published a report [PDF] last week revealing that unauthorized apps and services are rife on DoD phones.
What's more, the investigation found that the department has little control over what is installed on its devices, and that employees aren't properly trained in what is or isn't acceptable use of their government phone.
The probe follows a 2021 audit of the Defense Digital Service, the department's tech branch, which found that the former director had authorized staff to use "an unmanaged mobile application for official DoD business, in violation of DoD electronic messaging and records retention policies."
Noting that the use of unmanaged apps for official business "poses operational and cybersecurity risks and could result in users inadvertently revealing sensitive DoD information or introducing malware to DoD information systems," the OIG expanded its purview to see how deep the rabbit hole goes.
The resulting report does not make happy reading for a government body ostensibly charged with maintaining national security. DoD employees were found to have downloaded heaps of "unmanaged" apps of the kind you would otherwise expect to find on someone's personal mobile, including games, shopping, and entertainment. Workers had also conducted official business through unapproved messaging apps, which contravenes DoD record retention policies as well as posing operational and cybersecurity risks.
The OIG does not explicitly name offending apps, but the purposes it lists include online dating, fantasy football, multiplayer roleplaying games, video streaming, third-party VPNs, "luxury yacht dealer applications" and personal business apps.
The problem, the auditor found, is that staff access to public app stores is not controlled and installed items frequently seek "unnecessarily invasive permissions," which could mean contact lists, photos, camera or GPS being exposed to entities that might wish to do the US harm. A permission granted to an unmanaged app is, in practice, granted to whoever operates that app's back end and to anyone who compromises it, with nothing on the DoD side able to see or revoke the flow. Some apps were also said to have "known cybersecurity risks" or "potentially inappropriate content."
"For example, two of the applications downloaded were from a Chinese commercial off-the-shelf drone manufacturer that allow users to fly drones and capture, edit, and share images," the report said.
It went on to define "inappropriate content" as "applications for the creation of short-form videos; communication applications that have been exploited by violent extremists, hate groups, and sexual predators; and sexually themed games. Examples of applications that represent possible unacceptable use of DoD mobile devices include applications for live streaming crimes, police scanners, and gambling."
The report concluded that the DoD "does not have adequate controls over the use of mobile applications" and that personnel took advantage because the department "does not have a comprehensive mobile device and application policy that addresses the operational and security risks" associated with their use. Training was also said to be lacking.
"As a result, the DoD Components' mobile device programs vary widely in the features and applications that users are permitted to access and use. DoD officials may not be aware of the operational and cybersecurity risks that unmanaged applications pose to the DoD. DoD personnel may inadvertently lose or intentionally delete important DoD communications on unmanaged messaging applications. Additionally, mobile applications that are misused by DoD personnel or are compromised by malicious actors can expose DoD information or introduce malware to DoD systems."
It is, in other words, a responsible systems administrator's worst nightmare. The OIG recommended that official messages on unmanaged comms apps be forwarded to an official messaging account, so the record is preserved, and then deleted from the unmanaged app. It added that employees should not be allowed access to public app stores "without a justifiable need."
It also recommended that the phone and app policies be updated and that staff are given regular training "on the responsible and effective use of mobile devices and applications." The report suggested publishing a list of approved apps for conducting agency business.
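What the two recommendations above look like once someone has to enforce them is an inventory check: compare every app reported by a device against the approved list, and flag anything that is unapproved, user-installed from a public store, or requesting the contact, photo, camera and location permissions the audit singles out. The script below is an added example written for this article, not code from the OIG report or any DoD or MDM vendor tool; the package names, the approved list, the JSON export layout and the sample inventory are all constructed assumptions for illustration.

```python
"""Added example: audit a fleet's installed-app inventory against an approved-app
list and a set of invasive permissions. Package names, the approved list and the
inventory format are assumptions for illustration, not a DoD or MDM vendor format."""
import json
from dataclasses import dataclass

# Assumed approved list, the kind of list the OIG recommends publishing.
APPROVED_APPS = {"mil.example.messaging", "com.example.mail"}

# Permissions matching the audit's concern: contacts, photos, camera, location.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

# Constructed MDM-style inventory export (JSON), one entry per device.
SAMPLE_EXPORT = json.dumps({
    "device-001": [
        {"package": "mil.example.messaging", "source": "mdm",
         "permissions": ["android.permission.CAMERA"]},
        {"package": "com.example.fantasyfootball", "source": "store",
         "permissions": ["android.permission.READ_CONTACTS",
                         "android.permission.ACCESS_FINE_LOCATION"]},
    ],
    "device-002": [
        {"package": "com.example.dronepilot", "source": "store",
         "permissions": ["android.permission.CAMERA",
                         "android.permission.ACCESS_FINE_LOCATION",
                         "android.permission.READ_MEDIA_IMAGES"]},
        {"package": "com.example.mail", "source": "mdm",
         "permissions": ["android.permission.READ_CONTACTS"]},
    ],
})


@dataclass(frozen=True)
class Finding:
    device: str
    package: str
    severity: str
    reasons: tuple


def classify(package, source, permissions):
    """Return (severity, reasons) for one installed app, or (None, []) if clean."""
    reasons = []
    unapproved = package not in APPROVED_APPS
    if unapproved:
        reasons.append("not on approved list")
    if source == "store":
        reasons.append("user-installed from public store")
    # Keep only the short permission name (e.g. CAMERA) for readable output.
    invasive = sorted(p.rsplit(".", 1)[-1]
                      for p in set(permissions) & SENSITIVE_PERMISSIONS)
    if invasive:
        reasons.append("requests " + ", ".join(invasive))
    if unapproved and invasive:
        severity = "high"    # unknown code with access to contacts/photos/camera/GPS
    elif unapproved or source == "store":
        severity = "medium"
    elif invasive:
        severity = "info"    # approved app; expected, but worth recording for review
    else:
        severity = None
    return severity, reasons


def audit_export(export_json):
    """Parse an inventory export and return findings, most severe first."""
    inventory = json.loads(export_json)
    findings = []
    for device, apps in inventory.items():
        for app in apps:
            severity, reasons = classify(app["package"],
                                         app.get("source", "unknown"),
                                         app.get("permissions", []))
            if severity:
                findings.append(Finding(device, app["package"], severity, tuple(reasons)))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.device, f.package))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'info': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.severity:6} {f.device} {f.package}: {'; '.join(f.reasons)}")
    print(summarize(results))
```

Two design points carry over to a real deployment: approved apps that hold sensitive permissions are recorded at "info" rather than ignored, because the approved list is exactly where a later review should start, and an app's install source is treated as its own signal, so a store-installed copy of something on the approved list still surfaces as a policy gap rather than disappearing into the inventory.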
As the threat of weather balloons closes in around the United States, citizens can surely rest easy when their safety is in the hands of a department this competent. ®