Pentagon IG: The Army has thousands of unsecure smartphones

The Defense Department’s Inspector General called out the U.S. Army for the fact that thousands of those smartphones that troops buy off-the-shelves to use on the job aren’t properly secured.

"The Army Chief Information Officer (CIO) did not implement an effective cybersecurity program for" commercially purchased smartphones and tablets, reads a new announcement from the DOD IG. "Specifically, the Army CIO did not appropriately track [off-the-shelf devices] and was unaware of more than 14,000 [such devices] used throughout the Army."

(The IG investigated the Army’s use of phones and tablets running Google’s Android, Apple’s iOS, and Microsoft’s Windows Mobile operating systems in 2012. It didn’t look BlackBerrys since it did a 2009 investigation into their security.)

Troops are already using commercial smartphones and tablets to do things like file flight plans. As the utility and availability of such devices grows, so will the amount, and type of data stored on them. If spies can break into these devices, they can likely glean plenty of useful information. As the report notes, the CIO "inappropriately concluded that [these devices] were not connecting to Army networks and storing sensitive information. As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data." 

The IG goes on to say that the Army failed to: sanitize these devices; failed to install apps on the phones that would protect stored information; allowed troops to store sensitive data on the devices; didn’t implement the ability to remotely wipe data off of stolen or lost devices; and failed to make users sign agreements governing the security of their devices or to make them take training on how to keep their smartphones secure.

What’s interesting is that the Army’s CIO, Lt. Gen. Susan Lawrence, told yours truly last October that the service would be taking some of these very steps to protect the data on commercially purchased smartphones and tablets. Remember, the military — following the lead of plenty of private sector businesses — is starting to embrace the bring-your-own-device (BYOD) trend. It ultimately wants troops to be able to use one device for both personal and official use, barring all but the most classified data

Here’s what Lawrence said when Killer Apps asked how the Army would protect its information:

"At the end of the day, we’re really are going to become hardware agnostic. Whatever device you feel most comfortable with to do command and control, to be mobile with, is the device that you’ll have and that’s the one that we’ll work with."

"We’re in the RIM [Blackberry] environment, we’re in the Apple environment, and we’re in the [Google Android] already as we go through this."

"What you will agree to do is, if that’s the device you want to use, you’re going to sign an agreement with me that I get to scan you before you log on. I get to scan your device and then, you’re also going to let me monitor you so that I can look for an inside threat as well. So if you’re on the government network, you’re gonna let me scan you first and you’re gonna let me monitor you second."

DOD officials including Lawrence have said that enabling secure mobile computing is a top, if not the top, computing priority within the department. To enable this, Pentagon officials are hustling to field something called the Joint Information Environment, a massive cloud- based network that, over the next decade, will replace the dozens of networks that the DOD currently maintains. Officials say this will make it easier to defend and monitor data and make it easier to access from anywhere.

As Killer Apps quoted Lawrence as saying last October, one of the most important issues in the shift toward mobility and cloud computing "is in fact, ensuring that it’s you on the network and that we’ve got your certifications and accreditations so that when you log on, I say yes, that’s that person," said Lawrence.

How do you make sure users are who they say they are? Click here to read about how DARPA wants to monitor everything, from users’ typing patterns and sentence structure to the way they hold their phone, to ensure that the person using a computer, smartphone, or tablet is the person who is authorized to use that device.

The Army tells the IG that, as soon as this month, it will start buying software allowing it to "wipe or remove a device from the [Army’s networks] as well as monitor applications used, web sites visited, and data viewed, saved, or modified on the mobile devices." This satisfied one of the IG’s recommendations that the service develop the ability to make sure mobile device users are secure.

The IG also says the Army "should develop clear and comprehensive policy to include requirements for reporting and tracking all" such devices. "In addition, the Army CIO should extend existing" practices aimed at protecting sensitive information to all off-the-shelf smartphones and tablets.

The Army however, provided what the IG called "nonresponsive" answers to those suggestions.  Specifically, the Army says it already has a reporting program for mobile devices that may carry sensitive data. The IG says this reporting program for registering mobile devices isn’t good enough: thousands of unregistered and unauthorized devices were found to be in use.

In response to the IG’s recommendation that it do more to protect the data on its devices, the Army said that the DOD is already working on a plan to secure the information on "every managed mobile device" via its Commercial Mobile Implementation plan.  Again, the IG called this answer to its recommendation "nonresponsive," since off-the-shelf mobile devices aren’t designated "as information systems, users [of such devices] would not apply the appropriate information assurance controls to protect the devices and the data" on them. Furthermore, because there is no clear timeline to manage the security of these devices, "there’s an increased risk that Army networks could be vulnerable to data leakage."