The Department of Defense (DoD) inspector general (IG) said it recently found several unauthorized applications running on DoD-issued mobile devices meant to be used for official business only, and recommended a range of policy actions to stop that practice.
According to the Feb. 9 report from the IG, “personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies.”
Applications found running by the IG included fantasy football apps, dating apps, secret and encrypted messaging apps, apps for dealing with luxury yachts, and even apps developed by a Chinese commercial drone manufacturer.
“DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems,” the report explained.
However, while use of those applications violates DoD policy, they were readily available for download on those devices. In many cases, DoD personnel didn’t circumvent department device management controls to download unauthorized applications.
“DoD personnel violated policy and misused mobile applications because the DoD does not have a comprehensive mobile device and application policy that addresses the operational and cybersecurity risks associated with the mobile devices and applications,” the report states.
The Defense Information Systems Agency’s (DISA) DoD Mobility Unclassified Capability (DMUC) – a service that many DoD components subscribe to for mobile device management – allows users unrestricted access to public application stores and the app stores created by DISA for Pentagon-authorized applications, allowing personnel to download unauthorized and unmanaged mobile applications to their DoD mobile devices. As of late 2021, DISA claimed more than 140,000 users across the department use DMUC.
“DoD components allowed personnel to have unrestricted access to unauthorized unmanaged applications through public application stores that could pose operational and cybersecurity risks, offered authorized unmanaged mobile applications through application stores that pose known operational and cybersecurity risks to DoD information and systems, and lacked controls to ensure personal use of DoD devices was limited and did not pose operational and cybersecurity risks to the DoD,” the IG report says.
In its response to the report, DISA argued that it does run security assessments and risk determination on applications before adding them to the DoD store.
In addition, the report found that DISA and other DoD components fail to provide adequate training on the acceptable use of DoD mobile devices or applications. And adding to that issue is that DoD mobile device users cannot always identify which applications on their DoD devices the department has approved for official business.
The IG called for DoD to develop a comprehensive mobile device and application policy for components with common terminology for different applications – managed, DoD-controlled, authorized, official, unmanaged, non–DoD-controlled, unauthorized, non-official, and personal-use applications.
The IG also recommended that the DoD CIO direct DoD components to immediately “forward a complete copy of all official DoD messages generated over unmanaged electronic messaging applications to an official electronic messaging account” and remove any unauthorized apps, assess the security of any other authorized unmanaged apps, and finally “assess mobile device users’ access to public application stores and remove access of those without a justifiable need.”
In addition, the IG recommended that DISA update the DMUC service “to provide component mobile device managers reports and data regularly, at least quarterly, of the mobile applications downloaded to the mobile devices within the manager’s area of responsibility.” The watchdog also directed DISA to publish a clear list of applications approved for official DoD business and ensure the list is easily accessible.
In response to the IG’s recommendations, the DoD’s CIO said it drafted a memo before the report “to address the operational security risk posed by the unapproved use of mobile applications that may result in the unauthorized disclosure of DOD information.” The CIO also agreed to take corrective actions for any official messaging within unauthorized applications.