Mobile devices run amok in the Army, report says
- By Kevin McCaney
- Apr 03, 2013
The military’s steady march toward widespread use of mobile devices could take a wrong turn if the security of those devices isn’t accounted for. And a recent report from the Defense Department’s inspector general could serve as an early warning.
The IG’s office checked up on the Army’s use of commercial mobile devices (CMDs) and found that the Army CIO was “unaware of more than 14,000 CMDs used throughout the Army," according to the report. As well, the Army had not taken steps to protect the data on the devices, to be able to wipe them remotely if they were lost or stolen or to prevent users from storing sensitive data on devices that amounted to removable media.
The report addressed the use of iOS, Android and Windows smart phones and tablets (BlackBerrys excluded) and found that many devices were unmanaged and lacking in basic security. Additionally, users hadn’t received training on how to use mobile devices securely.
At two sites -- the U.S. Military Academy at West Point and the Corps of Engineers’ Research and Development Center (ERDC) in Vicksburg, Miss. -- auditors found a total of 842 devices, a majority of which were purchased without authorization from the Army CIO. At the Corps’ research center, for example, the center’s CIO was aware of only 180 out of 276 mobile devices in use, the report said.
Investigators also tested 133 of the devices and found many of them lacking in security. CIOs at the two sites hadn’t implemented mobile device management applications for all of their devices, leaving the users on their own to secure access with passwords. But at West Point, for instance, 14 of the 48 devices tested didn’t even require that much, according to the report. At the Corps’ facility, 12 of 62 devices in general use didn’t require passwords, and the passwords used on devices in pilot programs didn’t meet complexity requirements.
DOD in June 2012 released its Mobile Device Strategy, a broad plan that identifies three main goals, including building out a wireless infrastructure to support voice, video and data communications between mobile devices and developing mobile and Web applications. The second of those three goals calls for instituting polices and standards “to support secure mobile device usage.”
Enforcing those policies is where the Army has come up short, the report states.
In February, the department released its Commercial Mobile Device Implementation Plan, which includes 16 pilot programs throughout the department, the Army App Store among them, that are to be evaluated on how they affect mobile services.
The IG report won’t slow DOD’s move to mobile, but exposing the lax security in the Army could help ensure that security policies are in place before devices are added to the enterprise. In its response to the report, the Army promised to ensure that all mobile devices are managed by DOD. Additionally, the Army said it would manage and track mobile devices and apps in use and would have the ability to wipe data from devices when necessary.
Kevin McCaney is a former editor of Defense Systems and GCN.