Defense Department employees are downloading mobile applications to their work telephones that pose “operational and cybersecurity risks,” the department’s inspector general said in a report that stemmed from concern about the Chinese-owned video service TikTok and other messaging apps.
Employees are conducting official business on their work devices “using mobile applications in violation of Federal and DoD electronic messaging and records retention policies,” the inspector general’s management advisory said.
The activities ranged from online dating to games, cryptocurrency reviews and scouting for luxury yachts, according to the “management advisory” released Thursday.
Pentagon agencies “lacked controls over personal use of DoD mobile devices to ensure that personal use was limited, complied with DoD policies and regulations, and did not pose operational and cybersecurity threats to the DoD,” the watchdog agency said.
The report said the Defense Department provides off-the-shelf mobile phones and cell service to “select” department personnel to conduct official business but doesn’t say how many employees qualify.
The unauthorized applications “included photo and video editing, telehealth, weather, maps, and fitness applications,” the inspector general said. It said some of the apps pose cybersecurity risks or have “potentially inappropriate content.”
The report was the result of an investigation that stemmed from questions by Senate Judiciary Chairman Dick Durbin last year about texts that may have been deleted by departing Trump administration defense officials concerning the Jan. 6, 2021, attack on the US Capitol.
“Today’s report raises more questions than it answers,” Durbin, an Illinois Democrat, said in a statement Thursday. “Was the disappearance of critical information related to the Jan. 6 insurrection a result of bad faith, stunning incompetence, or outdated records management policies? We still do not know.”
Representative Ken Calvert, chairman of the House defense appropriations panel, said in a statement the advisory “highlights a concerning lack of urgency when it comes to the Defense Department’s protection of sensitive information.”
“Americans concerned about a Chinese spy balloon should also be alarmed by the increasing dangers posed by the Chinese government on their cell phones,” Calvert said.
The management advisory didn’t mention any apps by name. But the Pentagon and military services have expressed worries about TikTok, banning the Chinese-owned short video app from installation on government-issued smartphones in late 2019.
Still, two of the applications the inspector general discovered “were from a Chinese commercial off-the-shelf drone manufacturer that allow users to fly drones and capture, edit, and share images.” That came after the Pentagon disclosed in 2021 that the Defense Department had issued a ban in 2018 on the purchase and use of all commercial off-the-shelf drones, regardless of manufacturer, due to cybersecurity concerns.
Even seemingly harmless commercial applications pose a threat to Defense Department “information and information systems when they require unnecessarily invasive permissions on DoD mobile devices,” the inspector general’s office found. Video games, shopping and weather applications “routinely require access to a device’s contact list, messaging platforms, location data, or other personal information, and often lack sufficient security or encryption standards.”
The report contained a number of instances in which key details were blacked out after the Pentagon declared the information “Controlled Unclassified Information.” These included the number of devices examined and number of times various unauthorized, unmanaged applications were installed.
The review included applications that were or could be loaded on any DoD mobile device at the Pentagon in Virginia, across the US and at overseas locations. Auditors interviewed officials from the Chief Information Officer, National Security Agency, Defense Information Systems Agency and Defense Digital Service “to understand the processes and procedures related to the use of mobile applications across the DoD,” the IG said.