The CIO of the U.S. Army failed to put in place a comprehensive security program capable of protecting data stored on commercial mobile devices such as iPhones and Androids, leaving sensitive information in key Army installations exposed. The Inspector General of the Department of Defense took the Army CIO to task in a new report, saying that the CIO “did not implement an effective cybersecurity program for [commercial mobile devices]”.
The Office of the Inspector General for the DoD set out to see how certain parts of the Army were handling the challenge of protecting sensitive data in the era of mobile computing. The OIG went to the U.S. Military Academy (USMA) and the U.S. Army Corps of Engineers Engineer Research and Development Center (ERDC) to look at the facilities’ security programs and see whether they had safeguards in place to mitigate the risks of mobile devices in their environments, essentially the same risks that enterprises face with the bring-your-own-device (BYOD) problem.
What the OIG found was not encouraging.
“Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army,” the OIG report says. “These actions occurred because the Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs. In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information. As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.”
The OIG found that at USMA and ERDC the mobile devices were not configured to protect the sensitive data stored on them, and did not have an application installed that was capable of remotely wiping data from lost or stolen devices. The OIG also found that the two installations had no policy in place for handling mobile devices that are used as removable media, and neither required users to sign a user agreement nor trained them in methods for handling data on these devices securely.
The report also says that the commands visited by the OIG were unaware of hundreds of mobile devices on their networks and had used more than 14,000 such devices without getting authorization from the Army CIO. The OIG recommended that the affected commands develop specific policies for mobile devices and follow the current DoD requirements.
“The Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs. Although the Army intended the current guidance to apply to all CMDs, the Army CIO specified requirements only for pilot programs and did not define what constitutes a CMD pilot program. The lack of clear and comprehensive guidance contributed to Army Commands not reporting and configuring CMDs to protect Army networks and data. As a result, risk increased that Army networks may become vulnerable to cybersecurity attacks and leakage of sensitive data. The Army CIO should develop clear and comprehensive policy to include requirements for reporting and tracking all CMDs purchased.”
These issues are not unique to these military environments, and are in fact the same sort of mobile device security challenges that many enterprises are running into. Managing mobile devices, whether issued by the company or owned by the employee, is a major problem, given the difficulty of monitoring the apps users download and the way that they use the devices.