The Pentagon has found that employees at the Department of Defense (DoD) are guilty of using their business smartphones in unauthorized ways, putting national security at risk.
A report (opens in new tab) from the Department of Defense Inspector General (DoDIG), the agency responsible for auditing the DoD, uncovered the use of unauthorized apps and services across workers’ smartphones on a huge scale.
Moreover, there was little infrastructure or policies in place which allowed the DoD to control and manage the use of these devices, and users were not given adequate training on their acceptable and safe operation.
Unmanaged apps such as those related to shopping, gaming, VPNs and – bizarrely – “luxury yacht dealer applications” were installed on work phones, and unapproved messaging apps were being used for official communications, all of which contravenes DoD regulations and poses cybersecurity risks.
The main issue regarding these apps, highlighted the report, is that they often have often have permissions allowing access to the other information stored on the phone, such as contact lists, photos and GPS data.
Other apps also explicitly had malicious features that were known about, or contained potentially inappropriate content, such as that related to video streaming and gambling.
More worrying was perhaps the lack of oversight cited in the report, commenting that the DoD did not manage device use effectively, nor did it warn employees of the potential dangers of misusing work devices.
“DoD personnel may inadvertently lose or intentionally delete important DoD communications on unmanaged messaging applications. Additionally, mobile applications that are misused by DoD personnel or are compromised by malicious actors can expose DoD information or introduce malware to DoD systems.”
The report’s recommendations going forward was to forward messages from unsanctioned to sanctioned messaging apps and delete them, and that access to public app stores should not be granted “without a justifiable need.”
It also advised that a list of approved apps for official business be written, and that policies be updated relating to phone and app usage, as well training “on the responsible and effective use of mobile devices and applications” be given.
This is certainly not the first time the DoD has been reprimanded for its lax attitude to wards cybersecurity. In 2021, the former director of the department’s Defense Digital Service wing had sanctioned the use of “an unmanaged mobile application for official DoD business, in violation of DoD electronic messaging and records retention policies.”
Also, more recently, another audit, this time of the US Department of the Interior, found that password practices were pretty woeful, with many able to be cracked fairly easily with standard hacking methods.