Inspector General Report Highlights Department of Defense’s Questionable Cybersecurity Practices

by CHHS Extern Cat Sarudy

The Inspector General recently released a report that audited the Department of Defense’s (DoD) cybersecurity policies as they relate to the control of government-issued phones. The two biggest issues from the report were that the audit revealed “that DoD personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies.” Further, the report revealed that personnel were downloading applications that “could pose operational and cybersecurity risks to DoD information and information systems.”

Part of the report focused on an investigation into the DoD’s own app store, the “Personal Use Mobile Application” from which personnel can download apps. Their findings were that their employees are able to download any apps that are available to them from a normal app store like Apple’s App Store to bypass any restrictions the Personal User Mobile Application may have. While these applications are against DoD guidelines, employees were still able to download the unmanaged apps. “Managed” applications are apps that are “approved by DoD Components for official DoD business.” The next level of apps is those that are “authorized unmanaged” which are apps that the DoD Components have authorized “for personal use on DoD devices” Lastly, there are “unauthorized unmanaged” which are apps that are “downloaded from public application stores and cannot be used to conduct official DoD business or for personal use on DoD mobile devices.”

The Inspector General report detailed a number of apps that were downloaded onto work devices that were not authorized, such as dating or cryptocurrency apps. As the Inspector General report points out, the potential danger these apps can do, especially when it revealed many of these apps required access to a user’s location data, contacts, and photos. While the report had information relating to the name of the apps and the number of apps it found redacted, it did not shy away from hinting at the applications it found such as “applications for the creation of short-form videos.” While not releasing the name of the application that creates “short form videos,” one cannot help but assume this could be a reference to TikTok, which is app that’s most prominent feature is its ability to create and view short videos by other users. TikTok has been under fire in the US since 2020 when Former President Donald Trump threatened to ban the app from US platforms. The Federal Communications Commission, the Federal Bureau of Investigation and the National Security Agency (to name a few) have all highlighted the cybersecurity risk that TikTok presents given the data it collects and China’s ability to request that data from the app’s owner, Byte Dance Ltd. Further, President Joe Biden banned the use of TikTok on federal government issued devices this past December.

Further, the Inspector General noted there were communications apps that were used by violent extremist groups and apps used to live stream crimes. The Inspector General noted that apps that are not managed by the DoD specifically “pose operational and cybersecurity risks and could result in users inadvertently revealing sensitive DoD information or introducing malware to DoD information systems.” Further, even if the cybersecurity implications of this were not blatant, the report said that the lack of policy dealing with strictly unmanaged applications pose a risk of cyber espionage given that applications could have malicious code and the DoD Chief Information Officer does not require regular cybersecurity assessments of unmanaged applications.

Further, the report showed that there were personnel who had been using unmanaged and unsecured messaging applications to conduct official DoD business, which is against DoD policy. The current DoD policy is that “government-owned communication systems and equipment (including mobile devices) should be for official use and authorized purposes only.” This is problematic because personnel can use the unauthorized applications, like messaging apps, and the DoD then loses its ability to track and retain that information. The Inspector General noted that the unmanaged apps “create(s) the opportunity for DoD personnel to conceal communications and circumvent the creation of official DoD records, sheltering them from scrutiny or oversight.” The lack of control over retaining messaging records does not come as a surprise after the still missing text messages relating to the January 6th insurrection. The report addressed the missing messages and further reported that after the text messages couldn’t be found, the Deputy Secretary of Defense issued a memo directing that “DoD information service providers are to capture and save the data resident on DoD-provisioned mobile devices when they are returned by their users.” However, this only protects the records of apps from managed messaging applications, meaning that any messages sent over unmanaged messaging applications cannot be retained, directly against DoD policy and federal retention laws. This is even scarier given that the Inspector General found that there had been unmanaged unauthorized messaging applications which had “end-to-end encryption and automatic message deletion capabilities.”

While the DoD does supply training on the proper use of apps on government devices, the report found glaring holes in this training, such as the fact that the trainings do not teach users “the difference between managed, authorized unmanaged, and unauthorized unmanaged applications” or “how to identify applications approved for official DoD business.” Further, the trainings did not teach the cybersecurity risks associated with authorized unmanaged and unauthorized unmanaged applications and did not provide training on how to protect “sensitive DoD information on mobile devices.” This is perhaps one of the most shocking parts of the report given that the most basic advice  for employers is to have cybersecurity trainings. While the report made specific recommendations to the DoD based on the audit, one can only hope that all other government agencies take a hard look at their internal cybersecurity practices and make necessary changes.