The U.S. Army does not have an "effective" cybersecurity program for mobile devices, says the Department of Defense's Inspector General, with some phones not appropriately configured to protect stored information and no capability in place to remotely wipe data if the phones are transferred, lost, stolen or damaged.
"The Army did not develop clear and comprehensive policy for CMDs (commercial mobile devices) purchased under pilot and non-pilot programs," wrote Alice F. Carey, assistant Inspector General, Readiness, Operations and Support, in an introduction to the report, released March 26.
"If devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DoD information."
The Inspector General's office conducted an audit from April 2012 through February 2013 at two sites, the United States Military Academy at West Point, N.Y., and the Army Corps of Engineers Engineer Research and Development Center in Vicksburg, Miss.
More than 14,000 mobile devices — including "BYOD" (bring your own device) Android, Apple and Windows phones — had not received the "appropriate authorizations" needed to secure them, the Inspector General found.
"Our objective was to determine whether the Department of the Army had an effective cybersecurity program that identified and mitigated risks surrounding commercial mobile devices (CMDs) and removable media," the Inspector General's report says.
"Specifically, at the sites visited, we verified whether Army officials appropriately tracked, configured and sanitized CMDs."
The Army's chief information officer "did not implement an effective cybersecurity program" for mobile devices, the Inspector General's report said. "Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army."
The Inspector General said the Army's CIO:
- Did not "ensure that Commands configured CMDs to protect stored information." Chief information officers at both locations "did not use a mobile device management application to configure all CMDs to protect stored information."
- Did not require mobile devices to be "properly sanitized." At the military academy and engineer research and development center, chief information officers "did not have the capability to remotely wipe data stored on CMDs that were transferred, lost, stolen or damaged."
- Did not control mobile devices "used as removable media," including SD cards. The chief information officers at both locations "allowed users to store sensitive data on CMDs that acted as removable media."
- Did not require training and use agreements that were specifically for commercial mobile devices.
"These actions occurred because the Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs," said the Inspector General's report. "In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information. As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data."
The partial response so far — final comment is due by April 25 — from the Chief Information Office Cybersecurity Directorate says that appropriate security steps have been taken, including setting up a SharePoint portal to register and "document senior approval" of each device.
Beth Jones, senior threat researcher for Sophos Labs in the U.S., wrote on the company's Naked Security blog that "if the United States Army, with all the endless policies, is having a difficult time with BYOD, how is a small or medium-sized business going to cope?"
The Army, she said, has a good policy about geotagging, "realizing the risk that came with soldiers taking pictures that automatically had location information embedded in metadata."
But, she noted, "given the lack of management of the devices, how would the military know for sure that the geotagging has been disabled?"
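Jones's question has a practical answer at the file level: a geotagged JPEG carries its coordinates in the Exif GPS sub-IFD, so a photo copied off a device (or off the SD cards the report describes as uncontrolled removable media) can be inspected directly. The following Python script is an added example for this page, not code from the Inspector General's report, from Sophos or from the Army. It walks the JPEG marker segments, follows the TIFF structure from IFD0 to the GPS IFD and converts the degree/minute/second rationals to signed decimal degrees. The fixture it builds is constructed, with arbitrary made-up coordinates, so the script runs with no real photograph.

```python
import struct
import sys

# TIFF field types -> size in bytes (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _find_exif_tiff(jpeg):
    """Walk JPEG marker segments; return the TIFF payload of the APP1 Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no metadata segments after this
            return None
        seg_len, = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return seg[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, e, offset):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at offset."""
    entries = {}
    if offset + 2 > len(tiff):
        return entries
    n, = struct.unpack(e + "H", tiff[offset:offset + 2])
    for i in range(n):
        base = offset + 2 + 12 * i
        if base + 12 > len(tiff):
            break
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _value_bytes(tiff, e, entry):
    """Values of 4 bytes or fewer are stored inline; larger ones sit at an offset."""
    typ, count, raw = entry
    size = TYPE_SIZES.get(typ, 1) * count
    if size <= 4:
        return raw[:size]
    off, = struct.unpack(e + "I", raw)
    return tiff[off:off + size]


def _dms_to_decimal(buf, e, ref):
    """Three RATIONALs (degrees, minutes, seconds) -> signed decimal degrees, or None if truncated."""
    if len(buf) < 24:
        return None
    vals = []
    for i in range(3):
        num, den = struct.unpack(e + "II", buf[8 * i:8 * i + 8])
        vals.append(num / den if den else 0.0)
    dec = vals[0] + vals[1] / 60 + vals[2] / 3600
    return -dec if ref in ("S", "W") else dec


def extract_gps(jpeg):
    """None when the image has no GPS IFD; otherwise {'lat': float|None, 'lon': float|None}."""
    tiff = _find_exif_tiff(jpeg)
    if tiff is None:
        return None
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        return None
    magic, ifd0_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        return None
    ifd0 = _read_ifd(tiff, e, ifd0_off)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps_off, = struct.unpack(e + "I", _value_bytes(tiff, e, ifd0[GPS_IFD_TAG]))
    gps = _read_ifd(tiff, e, gps_off)
    result = {"lat": None, "lon": None}
    for key, ref_tag, val_tag in (("lat", GPS_LAT_REF, GPS_LAT), ("lon", GPS_LON_REF, GPS_LON)):
        if val_tag in gps and gps[val_tag][0] == 5 and gps[val_tag][1] == 3:
            ref = ""
            if ref_tag in gps:
                ref = _value_bytes(tiff, e, gps[ref_tag]).rstrip(b"\x00").decode("ascii", "replace")
            result[key] = _dms_to_decimal(_value_bytes(tiff, e, gps[val_tag]), e, ref)
    return result


def has_location(jpeg):
    """True when the image carries usable GPS coordinates (a GPS IFD alone is not enough)."""
    g = extract_gps(jpeg)
    return g is not None and g["lat"] is not None and g["lon"] is not None


def build_sample_jpeg(with_gps=True):
    """Constructed fixture, not a real photo: minimal JPEG with an Exif APP1 segment (little-endian TIFF).
    With with_gps=True the GPS IFD holds arbitrary made-up coordinates, 41.391 N / 73.956 W."""
    e = "<"
    if with_gps:
        # TIFF header is 8 bytes; IFD0 (1 entry) is 18 bytes, so the GPS IFD lands at offset 26;
        # the GPS IFD (4 entries) is 54 bytes, so its RATIONAL data starts at 80 (lat) and 104 (lon).
        ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(e + "I", 0)
        gps = struct.pack(e + "H", 4)
        gps += struct.pack(e + "HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
        gps += struct.pack(e + "HHII", GPS_LAT, 5, 3, 80)
        gps += struct.pack(e + "HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
        gps += struct.pack(e + "HHII", GPS_LON, 5, 3, 104)
        gps += struct.pack(e + "I", 0)
        data = struct.pack(e + "6I", 41, 1, 23, 1, 276, 10) + struct.pack(e + "6I", 73, 1, 57, 1, 216, 10)
        tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + data
    else:
        # Only a Make tag (0x010F); the camera wrote no GPS IFD at all
        ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHI", 0x010F, 2, 4) + b"Cam\x00" + struct.pack(e + "I", 0)
        tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, extract_gps(f.read()))
```

Run against original photos exported from enrolled devices, this verifies the outcome of the camera setting rather than the setting itself. A copy that has passed through a messaging or social-media app may have had its metadata stripped in transit, so a clean copy there says nothing about the original on the handset or SD card. It is a detective check; the mobile device management configuration the report says was missing is the preventive control.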
Update, 1:30 p.m., Wednesday, April 3: The report had been available online April 2, but as of April 3, the Web link to it no longer works.