The Pentagon has determined that Department of Defense (DoD) personnel have been using their work smartphones in an unauthorized manner, thereby endangering national security.
A report by the Department of Defense Inspector General (DoDIG), the agency responsible for inspecting the Department of Defense, uncovered the large-scale use of unauthorized apps and services on workers’ smartphones.
Additionally, there was little infrastructure or policy that allowed the Department of Defense to control and manage the use of these devices, and users were not adequately trained in their acceptable and safe operation.
Unauthorized Apps
Unmanaged apps, e.g. for shopping, gaming, VPNs and – bizarrely – “luxury yacht dealer apps”, have been installed on work phones, and unapproved messaging apps have been used for official communications, all in violation of DoD regulations and posing cybersecurity risks.
The main problem with these apps, the report says, is that they often come with permissions that allow access to other information stored on the phone, such as contact lists, photos, and GPS data.
Other apps had known malicious features or contained potentially inappropriate content, e.g. in connection with video streaming and gambling.
Perhaps more worrisome was the lack of oversight cited in the report, which noted that the Department of Defense had failed to effectively manage device usage and warn employees of the potential dangers of misusing work devices.
“DoD personnel can inadvertently lose or intentionally delete important DoD communications on unmanaged messaging applications. Additionally, mobile applications that are misused by DoD personnel or compromised by malicious actors can leak DoD information or inject malware into DoD systems.”
The report’s recommendations for the future were to forward and delete messages from unsanctioned to sanctioned messaging apps and that access to public app stores should not be granted “without legitimate need”.
It also recommended creating a list of approved apps for official stores and updating policies related to phone and app usage, as well as providing training “on the responsible and effective use of mobile devices and applications.”
This is certainly not the first time the Department of Defense has been reprimanded for its lax stance on cybersecurity. In 2021, the former director of the department’s Defense Digital Service wing had sanctioned the use of “an unmanaged mobile application for official DoD business in violation of DoD electronic messaging and records policies.”
Even more recently, another examination, this time from the US Department of the Interior, found that password practices were pretty pathetic, as many passwords could be cracked fairly easily using standard hacking methods.