The Department of Defense (DOD) – which the Trump administration has rebranded as the Department of War – is not fully confronting the security risks that the growing amount of publicly accessible digital information poses to its personnel and operations, according to a new Government Accountability Office (GAO) report.

Digital activity from personal and government devices, online communications, and defense platforms can generate volumes of traceable data, also referred to as digital footprints, GAO warned in the report.

“When aggregated, these digital footprints can threaten military personnel and their families, operations, and ultimately national security,” the report reads.

GAO acknowledged that three of five offices under the Office of the Secretary of Defense have issued policies and guidance on the risks associated with the public accessibility of DOD’s digital information. However, it found that the guidance does not cover all stakeholders or security areas.

“As a cross-functional governance body that includes stakeholders across DOD, the Defense Security Enterprise Executive Committee is well-positioned to lead a department-wide collaborative assessment of policies and guidance on digital footprint and profile risks,” the report states, adding that without such an effort, “DOD will have difficulty in determining whether risks are being sufficiently managed within the boundaries of their legal authorities.”

To illustrate the threat, GAO developed two scenarios showing how malicious actors could use data from brokers or public websites to target military personnel and their families, or combine online activity, social media posts, ship coordinates, and press releases to track and disrupt naval operations.

GAO also found that many DOD components are not consistently training personnel on risks of digital information or conducting comprehensive security assessments of those threats.

Specifically, nine of 10 components did not fully train personnel on risks tied to publicly available digital information. Eight of 10 did not conduct required assessments across force protection, insider threats, mission assurance, and operations security. Instead, they focused mainly on operations security.

GAO made 12 recommendations, including assessing policies, improving collaboration to reduce risks, providing training on the digital environment and its associated risks across security areas, and completing required security assessments.

DOD agreed with 11 recommendations and partially agreed with one. GAO maintained that “all recommendations are warranted.”

About
Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.