Military Inspector General report states bluntly: The Army’s chief information officer “did not implement an effective cybersecurity program for commercial mobile devices.”
A report from the Inspector General of the U.S. Department of Defense that is critical of the way the Army has handled mobile-device security has been inexplicably pulled from the IG DoD public website, but it can still be found in Google's cache.
The IG DoD report No. DODIG-2013-060, entitled “Improvements Needed With Tracking and Configuring Army Commercial Mobile Devices,” dated March 26, flatly states the Army’s chief information officer “did not implement an effective cybersecurity program for commercial mobile devices.” The Inspector General of the DoD is the independent oversight division in the DoD that investigates whether the DoD is operating effectively and efficiently.
The report was apparently removed from the IG DoD website after a handful of news organizations wrote about it, but so far the IG DoD hasn’t responded to questions about the report’s sudden disappearance.
The report is highly critical of weaknesses in the Army's cybersecurity program for commercial mobile devices, aiming the brunt of its criticism at the Army CIO.
Lt. General Susan Lawrence was named Army CIO in 2011.
The report, prepared by Alice Carey, Assistant Inspector General of Readiness, Operations and Support in the DoD’s Inspector General office in Alexandria, Va., summarizes what IG DoD found as it sought to discover how the Army was managing and securing smartphones and tablets, specifically those based on the Apple iOS, Android or Windows mobile operating systems.
The IG DoD report says it received a list of more than 14,000 of these types of commercial mobile devices (CMD) used throughout the Army between October 2010 and May 2012, and went directly to two sites to “verify when the CMDs in use were appropriately tracked, configured, and sanitized, and followed policy for using CMDs as removable media.”
The two sites were the U.S. Military Academy at West Point, N.Y. and the U.S. Army Corps of Engineers Engineer Research and Development Center in Vicksburg, Miss.
The mobile devices in question were used in both pilot and non-pilot programs, the report says. The IG DoD nonetheless concluded that the Army CIO had failed to implement an effective cybersecurity program for them. “Specifically, the Army CIO did not appropriately track more than 14,000 CMDs purchased as part of pilot and non-pilot programs,” the report states.
In addition, the devices were not configured to protect the data stored on them, nor were they required to be “sanitized” before transfer or in the event of loss. The report also found inadequate training and a lack of user agreements specific to the devices.
“In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information; and therefore, did not extend current IA [information assurance] requirements to use of the CMDs. Without an effective cybersecurity program specific to CMDs, critical IA controls necessary to safeguard the devices were not applied, and the Army increased its risk of cybersecurity attacks and leakage of data,” the report says.
The report notes that a specific DoD memorandum from two years ago laid out security objectives for commercial mobile devices, including using an enterprise management system, encrypting and sanitizing sensitive DoD information stored on them, e-mail encryption and installing “designated authority-approved software and applications,” plus training.
At the two sites the IG DoD visited, the local CIOs had not put any mobile-device management application into use, and password configuration of the devices was often left to individual users. The report noted that cadets at the U.S. Military Academy sometimes used the mobile devices they had been issued as personal devices and as “removable media to transfer and store sensitive case files and evidence related to Cadet Honor Committee hearings.”
In one instance at the U.S. Army Corps of Engineers, the IG DoD found a user with a non-pilot CMD using it to transfer research documents and personally identifiable information from a networked computer.
The report concluded that the Army CIO had not adequately tracked the devices in question, noting that in several hundred of the cases it examined, the Army CIO was unaware the devices were in use and kept faulty records of them.
Army and Command CIOs have taken some actions to improve, the report states, either by ordering activities such as using CMDs as removable media to cease or by placing a moratorium on the acquisition of new CMDs. The report mentions use of the AirWatch MDM software to address some of the IG DoD's concerns.
The report concludes that the Army CIO needs to develop a clear and comprehensive policy for reporting and tracking all commercial mobile devices. The head of the Army CIO Cybersecurity Directorate responded to the IG DoD that it maintained a SharePoint portal and had directed all Army organizations entering into a pilot to register and provide pilot documentation, among other steps. It also said it was working to manage mobile devices through an MDM system. Though expressing some dissatisfaction, the IG DoD indicated it accepted the Army CIO's response that the Defense Information Systems Agency and the Army would have every mobile device and the applications on it under management, as well as a Mobile Application Store, at full operating capability before the end of fiscal year 2014.