From: Wired
By Spencer Ackerman
The Army absolutely loves its new Android, iOS and Windows smartphones and tablets. Just not enough to properly secure the sensitive data it stores on them.
A spot check of mobile devices used by the Army at its West Point military academy and its corps of engineers shows inconsistent and outright poor data security. The Pentagon inspector general has found that the smartphones and tablets the Army buys at local electronics stores often aren’t configured to protect sensitive data, leaving it to individual users to safeguard their data.
Predictably, soldiers didn’t. At West Point, 15 out of 48 inspected mobile devices didn’t even have passwords set up. The Army’s Engineer Research and Development Center in Mississippi had more devices password-protected, but the smartphones and tablets used for two pilot programs “did not meet password complexity requirements,” the Pentagon watchdog found. And that’s leaving aside the bitter truth that passwords don’t provide adequate security.
“If devices remain unsecure,” writes assistant inspector general Alice F. Carey, “malicious activities could disrupt Army networks and compromise sensitive [Defense Department] information.”
It’s not just passwords. The Army’s chief information officer isn’t adequately tracking the non-BlackBerry mobile devices soldiers presently use: Carey’s team found more than 14,000 smartphones and tablets in use “without obtaining appropriate authorization” from the CIO. Accordingly, the Army isn’t keeping sufficient track of devices that are accessing its networks. “Risk increased that Army networks may become vulnerable to cybersecurity attacks and leakage of sensitive data,” the inspector general found. In some cases, the CIO “inappropriately concluded that [mobile devices] were not connecting to Army networks and storing sensitive information.”
At West Point, for instance, cadets put information about the academy’s honor-code hearings on their smartphones. That might be intuitive, given that it’s similar to how civilians use their phones for porting and sharing data. But it also means that the mobile devices are acting as removable media, like thumb drives or blank CDs, which the military has cracked down on ever since Army Pfc. Bradley Manning used them to transfer hundreds of thousands of military and government files to WikiLeaks.
Some of the data-security failings are more mundane. Commercially purchased devices should be set up so the data on them can be wiped remotely, according to Pentagon regulations, but because of the lax requirements on configuration, two devices stolen from the home of an Army Corps of Engineers employee couldn’t be remotely restored to their factory settings. (And again, don’t bother reminding them that there’s a bunch of data that stays latent even after a wipe.)
The U.S. military is set to make a major push into the mobile market. It’s talking with carriers, hardware and operating-system manufacturers to get what it refers to as a “family of devices” — hundreds of thousands of them — into troops’ hands.
The Army has been the most forward-leaning of any service branch in embracing new mobile technologies, and to its credit, it didn’t resist the inspector general’s findings. Not only has the Army got an app store in beta, it reconfigured its next-gen dismounted communications system around smartphones. But now the Army is learning that relatively early device adoption is no substitute for protecting the information it’s increasingly keeping on phones and tablets.