Department of Defense personnel are using unauthorized mobile applications on their government-issued mobile devices, potentially jeopardizing sensitive national security information, according to a report released by the agency’s Office of Inspector General on Feb. 9.
The partially redacted management advisory found that Pentagon employees are “downloading mobile applications to their DOD mobile devices that could pose operational and cybersecurity risks to DOD information and information systems,” including apps used for dating, gaming, encrypted messaging and purchasing luxury yachts. This type of unfettered access to unsanctioned mobile apps on government devices, the IG noted, increases the risk “that personnel will download compromised applications that can expose DOD information or introduce malware to DOD systems.”
The report noted that DOD components “procure commercial off-the-shelf mobile devices and cellular service and provide the mobile devices to select personnel to conduct official DOD business.” The IG’s management advisory did not publicly disclose how many Pentagon employees had received government-issued devices or name any of the specific apps that it discovered, but it outlined concerns about the level of access these unsanctioned downloads can have to DOD information.
“Many of the unauthorized unmanaged applications required access to the camera, microphone or GPS; examples included photo and video editing, telehealth, weather, maps and fitness applications,” the report said, adding that some of the downloaded apps “had known cybersecurity risks, operational security risks, potentially inappropriate content or represent unacceptable use of DOD mobile devices.”
The report said that even “seemingly harmless commercial applications” pose a threat to DOD data and related information systems because they “require unnecessarily invasive permissions on DOD mobile devices.”
“Video games, shopping or weather applications routinely require access to a device’s contact list, messaging platforms, location data or other personal information, and often lack sufficient security or encryption standards,” the report noted.
The management advisory also said that IG officials identified two applications that were downloaded “from a Chinese commercial off-the-shelf drone manufacturer,” which the report said “appears to be counter to DOD policy and could pose cybersecurity concerns.”
As the IG’s report noted, DOD issued a ban in 2018 on “the purchase and use of all commercial off-the-shelf drones, regardless of manufacturer, due to cybersecurity concerns,” and Congress passed a provision in the fiscal year 2020 National Defense Authorization Act that banned the purchase and use of drones and related components manufactured in China.
Concerns about global adversaries using mobile apps to collect sensitive national security information have already resulted in a crackdown on government employees’ use of TikTok on their work phones over worries about the video app’s ties with the Chinese government. The government spending bill signed by President Joe Biden in December included a provision banning federal personnel from downloading TikTok onto their government-issued mobile devices. The Army previously banned soldiers from downloading TikTok onto government devices in 2019, following the issuance of DOD guidance that warned of the potential risks associated with the app.
The IG’s report noted that, while Pentagon personnel downloaded the unauthorized apps in violation of DOD policy, the department “lacked controls over personal use of DOD mobile devices to ensure that personal use was limited, complied with DOD policies and regulations and did not pose operational and cybersecurity threats to the DoD.” This included finding that Pentagon components that subscribe to the DOD Mobility Unclassified Capability—a mobility management service operated by the Defense Information Systems Agency—were not blocked from accessing unsanctioned applications, since it “offers users unrestricted access to public application stores.”
In a statement, Sen. Dick Durbin, D-Ill.—who chairs the Senate Judiciary Committee—noted that the report was conducted in response to questions that he previously raised about missing text messages from DOD officials following the Jan. 6, 2021 Capitol insurrection. As the report stated, the use of unauthorized messaging applications on government-issued devices violates the Pentagon’s electronic messaging and records retention policies, and makes it difficult for DOD to track or retain necessary data.
“Today’s report raises more questions than it answers,” Durbin said. “Was the disappearance of critical information related to the January 6 insurrection a result of bad faith, stunning incompetence or outdated records management policies? We still do not know. But this report illustrates the key vulnerabilities and failures that the Defense Department needs to immediately address.”