The Pentagon has found that employees at the Department of Defense (DoD) are guilty of using their business smartphones in unauthorized ways, putting national security at risk.
A report from the Department of Defense Inspector General (DoDIG), the agency responsible for auditing the DoD, uncovered the use of unauthorized apps and services across workers' smartphones on a huge scale.
Moreover, there was little infrastructure or policy in place to let the DoD control and manage the use of these devices, and users were not given adequate training on their acceptable and safe operation.
Unmanaged apps such as those related to shopping, gaming, VPNs and - bizarrely - "luxury yacht dealer applications" were installed on work phones, and unapproved messaging apps were being used for official communications, all of which contravenes DoD regulations and poses cybersecurity risks.
The main issue with these apps, the report highlighted, is that they often have permissions allowing access to other information stored on the phone, such as contact lists, photos and GPS data.
Other apps had malicious features that were known about, or contained potentially inappropriate content, such as that related to video streaming and gambling.
Perhaps more worrying was the lack of oversight cited in the report, which commented that the DoD did not manage device use effectively, nor did it warn employees of the potential dangers of misusing work devices.
"DoD personnel may inadvertently lose or intentionally delete important DoD communications on unmanaged messaging applications. Additionally, mobile applications that are misused by DoD personnel or are compromised by malicious actors can expose DoD information or introduce malware to DoD systems."
Going forward, the report recommended that messages be forwarded from unsanctioned to sanctioned messaging apps and deleted, and that access to public app stores should not be granted "without a justifiable need."
It also advised that a list of approved apps for official business be written, that policies relating to phone and app usage be updated, and that training "on the responsible and effective use of mobile devices and applications" be given.
This is certainly not the first time the DoD has been reprimanded for its lax attitude towards cybersecurity. In 2021, the former director of the department's Defense Digital Service wing had sanctioned the use of "an unmanaged mobile application for official DoD business, in violation of DoD electronic messaging and records retention policies."
Also, more recently, another audit, this time of the US Department of the Interior, found that password practices were pretty woeful, with many able to be cracked fairly easily with standard hacking methods.