Classified DOD mobile devices found to have ‘significant’ security holes
The findings of a new Department of Defense (DOD) Inspector General (IG) audit have highlighted significant vulnerabilities in the privacy, security, and authentication practices involving classified mobile devices used by authorized U.S. military officials and civilian employees. These deficiencies not only compromise the integrity of sensitive information, but they also expose DOD to potential breaches and insider threats.
The redacted unclassified version of the IG’s audit report, Audit of Cybersecurity of DoD Classified Mobile Devices, says that addressing these challenges requires a concerted effort to enhance training, enforce compliance, and implement advanced monitoring and inventory systems. The recommendations provided in the report serve as a critical roadmap for strengthening the cybersecurity posture of classified mobile device programs, ensuring the protection of national security interests in an increasingly mobile and interconnected world.
The audit’s objective was to determine whether DOD components effectively implemented cybersecurity controls to secure classified mobile devices, and the sensitive information accessed, stored, or transferred through them. The findings present a concerning narrative of systemic deficiencies, which was amplified by the surge in telework and mobile device usage during the COVID-19 pandemic.
These problems “occurred because DOD component authorizing officials, Classified Portable Electronic Device Managers, and program managers were not prepared to effectively manage the increased demand for classified mobile devices caused by the COVID-19 pandemic and the transition to an unprecedented amount of telework beginning in March 2020,” the audit concluded.
The audit report underscores substantial shortcomings in maintaining the confidentiality of classified information on mobile devices. Key issues include inconsistent application of encryption protocols, weak physical security measures, and lack of comprehensive user training. Classified mobile devices, including smartphones, laptops, and tablets, are designed to store, process, and transmit sensitive and classified information. Despite their inherent risk, some DOD components failed to implement basic safeguards, such as ensuring encryption compliance and maintaining up-to-date software patches.
DOD IG Robert P. Storch said in a statement that he “previously identified cybersecurity threats as a Top DOD Management and Performance Challenge,” emphasizing that “security for DOD mobile devices is essential for safeguarding national security, protecting classified data, and ensuring the integrity of the DOD’s missions. In today’s digital environment, mobile devices are indispensable tools that provide the DOD’s workforce with the flexibility and efficiency required to meet their responsibilities. However, they are also a primary target for cyber threats which could compromise data and the national security landscape. Securing these devices is not merely a technical priority; it’s a critical operational mandate that enables the DOD to fulfill its mission safely and effectively.”
The audit revealed that some devices lacked sufficient Data-at-Rest (DAR) protections, which secure stored classified data. Devices configured with DAR capabilities are critical in preventing unauthorized access to sensitive information if a device is lost or stolen. However, the lack of standardized training on DAR protocols for users and inconsistent enforcement of these measures jeopardized the security of classified data, which can include personal and other sensitive information. This deficiency raises alarms about the potential for breaches, which could have severe implications for national security.
The report identified significant lapses in maintaining accurate inventory records for classified mobile devices. Incomplete records hinder accountability, making it challenging to track devices and prevent unauthorized usage. For instance, components like the Defense Information Systems Agency (DISA), the U.S. European Command (USEUCOM), and even the U.S. Special Operations Command (USSOCOM) reported inconsistencies in recording critical inventory elements such as user information, device serial numbers, and data classification levels.
These lapses in inventory management expose systemic vulnerabilities, the IG said. Without accurate records, it becomes nearly impossible to recall devices that may be at risk due to outdated software or compromised security features. Moreover, the inability to reconcile inventory discrepancies further exacerbates risks, as unauthorized individuals could potentially exploit untracked devices to access sensitive, classified, and personal data.
Another glaring deficiency lies in the monitoring of user activities. Continuous monitoring of device usage is a cornerstone of effective cybersecurity, enabling early detection of unauthorized access or anomalous behavior. The report highlights that several DOD components nevertheless failed to implement robust user activity monitoring protocols. This oversight undermines efforts to mitigate insider threats and to detect breaches promptly, the IG said.
Proper authentication is fundamental to ensuring that only authorized personnel can access classified mobile devices and the information they contain. However, the audit revealed significant deficiencies in access control and user verification procedures.
One critical finding is the inconsistent enforcement of user agreements and training requirements. User agreements are essential documents that outline the responsibilities and obligations of personnel entrusted with classified devices. These agreements should detail protocols for maintaining device security, reporting incidents, and adhering to strict usage guidelines. Yet, the audit found that some components failed to ensure all users signed and acknowledged updated agreements.
Additionally, the report identified inadequacies in verifying user justifications for device access. The DOD requires users to provide a valid mission need before being issued classified mobile devices. However, vague or absent documentation was prevalent, raising concerns about unauthorized or unnecessary access. For instance, some components accepted generic justifications, such as “COVID-19,” without further elaboration.
Another notable authentication lapse involves the failure to disable inactive accounts. The report reveals that some components did not regularly review and remove access for users who no longer required devices. This oversight significantly increases the risk of unauthorized access, particularly in cases where devices or accounts remain active without legitimate oversight.
The audit makes several urgent recommendations to address these challenges. These include updating inventory systems to include all mandatory data elements, conducting regular audits to ensure device accountability, and implementing comprehensive user training programs. The recommendations also emphasize the need to establish and enforce robust access control measures, such as periodically revalidating user justifications and promptly disabling inactive accounts.
Furthermore, the IG’s report calls for the standardization of user agreements to include all required security provisions. Ensuring that all users understand and acknowledge these agreements is crucial for maintaining a secure operating environment. Training programs should also be enhanced to cover all technical and administrative requirements, equipping users with the knowledge to handle classified devices responsibly.
Finally, the audit stresses the importance of continuous monitoring and incident response planning. By integrating advanced monitoring tools and regularly reviewing response plans, the DOD can better detect, respond to, and mitigate cybersecurity threats.
The IG made 40 recommendations to address the findings of its audit, including that DISA, USEUCOM, and USSOCOM authorizing officials conduct a review of their classified mobile device programs, identify deficient cybersecurity controls, and develop and implement a corrective action plan.
Disturbingly, 19 recommendations “are considered unresolved because the Director, Defense Information Systems Agency Joint Enterprises Services Directorate, did not fully address recommendations, and the Director for Command, Control, Communications, and Computer/Cyber, Chief Information Officer, USSOCOM, did not provide a response to the report,” the IG said. “We will track these recommendations until management has agreed to take actions that we determine to be sufficient to meet the intent of the recommendations and submit adequate documentations showing that all agreed-upon actions are completed.”