The Pentagon has found that Department of Defense (DoD) employees are making unauthorized use of their government-issued smartphones, putting DoD information at risk.
A report from the Department of Defense Inspector General (DoDIG), the DoD's internal oversight body, found widespread use of unauthorized apps and services on employees' smartphones.
In addition, there was little infrastructure or policy that would allow the DoD to monitor and manage the use of these devices, and users were not adequately trained about their acceptable and safe operation.
Unauthorized apps
Unmanaged apps such as those for shopping, gaming and VPNs, and, bizarrely, "luxury yacht dealer applications", were installed on work phones, and unapproved messaging apps were used for official communications. All of this violates DoD regulations and poses cybersecurity risks.
The main issue with these apps, the report points out, is that they often request permissions that give them access to other data stored on the phone, such as contact lists, photos, and location (GPS) data.
Other apps had known malicious features, or carried potentially inappropriate content, such as content related to video streaming and gambling.
Perhaps more concerning was the lack of oversight cited in the report, which noted that the DoD was not effectively managing device use, nor was it warning employees of the potential dangers of misusing work devices.
The report warns: “DoD personnel may inadvertently lose or intentionally delete important DoD communications on unattended messaging applications. In addition, mobile applications that are misused by DoD personnel or compromised by malicious actors may expose DoD information or introduce malware into DoD systems.”
The report recommended that messages held in unapproved messaging apps be forwarded to approved ones and then deleted from the unapproved apps, and that access to public app stores not be granted “without a justifiable need”.
It also recommended compiling a list of apps approved for official business, updating policies on phone and app use, and providing training “on the responsible and effective use of mobile devices and applications”.
This is certainly not the first time the Department of Defense has been reprimanded for its lax stance on cybersecurity. In 2021, the former director of the Department’s Defense Digital Service wing had approved the use of “an unattended mobile application for official DoD business, in violation of DoD electronic messaging and document retention policies.”
More recently, another audit, this time of the US Department of the Interior, found weak password practices, with many of the passwords examined easily cracked using standard techniques.