Army Fails to Properly Secure iPhones, Droids
IG: Lack of Controls Leaves Army Networks Vulnerable to Attacks
The United States Army has failed to properly secure commercial smart phones and tablets running on the Apple iOS, Android and Windows mobile operating systems, according to an Army inspector general's report.
The report, Improvements Needed with Tracking and Configuring Army Commercial Mobile Devices, criticizes Lt. Gen. Susan Lawrence, the Army's chief information officer, for failing to implement an effective cybersecurity program for commercial mobile devices, which the Pentagon refers to as CMDs. Specifically, the IG report says, the CIO did not appropriately track the mobile devices and was unaware of more than 14,000 devices used throughout the Army.
"These actions occurred because the Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs," Assistant Inspector General Alice Carey writes in the 26-page audit report. "The Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information. As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data."
In 2009, the Army - like many businesses - began experimenting with commercial mobile devices when the Army vice chief of staff directed the CIO to begin purchasing inexpensive smart phones such as Apple iPhones and Google Androids, with the aim of replacing much more costly custom-made portable mobile devices.
As part of its audit, the IG identified more than 14,000 commercial mobile devices. IG examiners visited two sites - the United States Military Academy at West Point, N.Y., and the United States Army Corps of Engineers Engineer Research and Development Center in Vicksburg, Miss. - to verify whether the Army appropriately tracked, configured and sanitized the Apple and Android mobile devices, and followed policy for using them as removable media. The findings weren't encouraging.
Among the report's findings, the Army failed to:
- Ensure that commands configured the devices to protect stored information. The CIOs at the military academy and research center did not use a mobile device management application to configure all commercial devices to protect stored information.
- Require the commercial devices to be properly sanitized. CIOs at the military academy and research center did not have the capability to remotely wipe data stored on devices that were transferred, lost, stolen or damaged.
- Control the commercial devices used as removable media. The CIOs at both visited sites allowed users to store sensitive data on commercial devices that acted as removable media.
- Require training and use agreements specific to the devices. The academy and research center CIOs did not train commercial device users and require them to sign user agreements.
The IG recommends that the Army CIO develop clear and comprehensive policy to include requirements for reporting and tracking all commercial mobile devices purchased under pilot and non-pilot programs. Another recommendation: Designate commercial mobile devices as information systems and extend existing information assurance requirements to these devices.
Maj. Gen. Stuart Dyer, the Army's chief information security officer, in a written response, concurs with the IG's recommendations. Yet he suggests such steps have already been taken. For instance, Dyer says the Army maintains a SharePoint portal and directed all Army organizations entering into pilot projects to register and provide project documentation. And, he says, commercial mobile devices are considered an extension of the Army's information system and do not require a separate designation.
The IG finds Dyer's reply to both recommendations to be unresponsive.
Carey says Army Commands used more than 14,000 commercial devices without receiving appropriate authorizations from the Army CIO. Of those devices, she says, the IG identified 566 used by the research center and 96 at the academy that were not registered. "The SharePoint Portal would not be useful in accounting for the Army Commands using unregistered CMDs and devices that are not part of a pilot program," she says.
The IG also contends that, without specific requirements designating the devices as information systems, users of the commercial smart phones and tablets would not apply the appropriate information assurance controls to protect the devices and the data they contain.
The IG and the Army were in full agreement on a third recommendation: Develop a process to verify that users of commercial mobile devices follow Army and Defense Department information assurance policies and implement the appropriate security controls to protect commercial mobile devices.