The Secret Service failed to adequately secure mobile devices used by employees during protective operations, putting protectees and agency personnel at greater cybersecurity risk, according to a June 22 report from the Department of Homeland Security (DHS) Office of Inspector General (OIG).
The report found that government-furnished mobile devices lacked capabilities needed for overseas missions because they did not include “required security applications to ensure real-time, continuous protection from cyberattacks by foreign adversaries or individuals.”
These issues led Secret Service employees used personal devices for official business during overseas and domestic protective operations. Because the agency does not manage or secure those devices, the practice created security vulnerabilities and violated government policy, the report said.
“As a result, adversaries could have intercepted and exploited Secret Service information, placing at risk our Nation’s leaders, other protectees, and employee – especially when unsecured devices were used overseas,” the report warned.
Secret Service officials initially resisted the investigation, the report said, by delaying for more than 130 days DHS OIG’s access to the agency’s asset management and travel systems and also delaying the production of requested documents. These actions “limited our planned work and analysis and negatively impacted the review timeline,” the OIG wrote.
The Secret Service concurred with all five OIG recommendations, including developing a formal policy governing mobile device security capabilities and requiring employees to complete cybersecurity awareness training.
“We take seriously the OIG’s work in this report, and consequently made several comprehensive enhancements to Secret Service communications policies and protocols to both mitigate the potential for adversaries to intercept and exploit Secret Service information, as well as further strengthen the protective environment,” Secret Service Director, Sean M. Curran, said in a memo contained in the report.
Curran disputed the OIG’s contention that his agency delayed document production and access to Secret Service systems.
The investigation began because OIG officials learned that Secret Service personnel frequently used personal cell phones for official business during other reviews of the agency stemming from the July 2024 assassination attempt of then-former President Donald Trump in Butler, Pa. Such personal use created serious security risks, the report said.
The Secret Service manages about 8,000 government-furnished mobile devices, such as smartphones and tablets, the report said. But it found that these devices “lacked the capabilities employees needed to perform their mission, including mobile messaging required for operations outside the United States.”
Without the necessary capabilities, “Secret Service employees were driven to use their personal mobile devices to communicate with stakeholders, law enforcement partners, and colleagues in violation of Secret Service policy,” the report added. “Because the Secret Service does not manage or secure employees’ personal devices, communicating through these devices increased risks to protectees and employees.”
Among the risks of using personal devices identified in the report: If adversaries gain access to the devices or intercept communication, “they could obtain mission-related data, including contacts, user history, geolocation, and photos.”
“Adversaries could use this information to plan attacks against protectees or Secret Service employees,” the OIG warned.