A number of U.S. military commands failed to keep a complete and accurate inventory of mobile devices used to store and transmit classified information, according to a heavily redacted Defense Department oversight report.
The findings from the DOD Office of Inspector General also say that the defense entities did not list all technical requirements in their devices’ user training programs or user agreements, nor did they annually review or approve mobile phone incident response plans.
Several other findings from the audit are redacted due to their classified nature, but indicate the DOD has identified several problems with how the U.S. military and intelligence nexus handles the security of its servicemembers’ mobile phones.
The DOD audit scanned dozens of devices active between January 2020 and December 2021. It included phones used in the Defense Information Systems Agency and three DOD combatant commands. Investigators visited bases in Germany and Florida, as well as DISA’s headquarters in Fort Meade, Maryland.
The examiners made 40 recommendations to technology officials at the DOD and Pentagon, including chief information officers. One unredacted recommendation advises them to “immediately revalidate and document the user justification for their devices and recall the devices if the user no longer has a valid mission need” and “revise existing access policies to require detailed written justifications for obtaining classified mobile devices.”
Officials, think tanks and academics have grown increasingly concerned about cyberspies latching onto U.S. mobile devices and exploiting them to track the locations of servicemembers.
Cybersecurity officials are investigating Salt Typhoon, a Chinese espionage group believed to still be inside U.S. telecommunications and wiretap systems, as its reach has been slowly uncovered in headlines since October. In response, a pair of senators earlier this month called on the DOD’s watchdog agency to examine the military’s efforts to secure unclassified voice, video and text communications.
A 2023 oversight report said the Defense Department “does not have a comprehensive mobile device and mobile application policy” and that device security programs available to the armed forces “also vary widely in the operational and cybersecurity risk they pose to the DOD.”
According to Monday’s oversight report, the DOD issues secure mobile devices to certain personnel to handle classified information, following strict technical standards set by the National Security Agency.
These guidelines — called “capability packages” — aim to ensure devices are configured for secure use. Key packages include Mobile Access for secure connections outside facilities, Multiple Site Connectivity for classified networks, Campus Wireless for secure on-site communications and Data-at-Rest for storing classified data.
Some devices, depending on their purpose, are also programmed to not have any internal storage capabilities, or are restricted to use only in certain settings.
The Department of Defense may soon be required to conduct a broad assessment of the cybersecurity of internal mobile devices used by servicemembers and analysts, under a provision of a sweeping must-pass defense policy package the Senate is likely to vote on early this week. The bill also includes a measure that aims to shield military servicemembers and diplomats from ensnarement by commercial spyware programs.