A report from the Inspector General of the U.S Department of Defense that's critical of the way the Army has handled mobile-device security has been inexplicably yanked from the IG DoD public website but can still be found in the Google caching system.
The IG DoD report No. DODIG-2013-060, entitled "Improvements Needed With Tracking and Configuring Army Commercial Mobile Devices," dated March 26, flatly states the Army's chief information officer "did not implement an effective cybersecurity program for commercial mobile devices." The Inspector General of the DoD is the independent oversight division in the DoD that investigates whether the DoD is operating effectively and efficiently.
The report was apparently removed from the IG DoD website after a handful of news organizations wrote about it, but so far the IG DoD hasn't responded to questions about the report's sudden disappearance.
The report is highly critical of the way the Army in terms of weakness in its cybersecurity program as pertains to commercial mobile devices, aiming the brunt of its criticism at the Army CIO.
The report, prepared by Alice Carey, Assistant Inspector General of Readiness, Operations and Support in the DoD's Inspector General office in Alexandria, Va., summarizes what IG DoD found as it sought to discover how the Army was managing and securing smartphones and tablets, specifically those based on the Apple iOS, Android or Windows mobile operating systems.
The IG DoD report says it received a list of more than 14,000 of these types of commercial mobile devices (CMD) used throughout the Army between October 2010 through May 2012, and went directly to two sites to "verify when the CMDs in use were appropriately tracked, configured, and sanitized, and followed policy for using CMDs as removable media."
The two sites were the U.S. Military Academy at West Point, N.Y. and the U.S. Army Corps of Engineers Engineer Research and Development Center in Vicksburg, Miss.
The mobile devices in question were used in both a pilot mode and in non-pilot mode, the report says. The IG DoD concluded the Army CIO has failed to implement an effective cybersecurity program for these, however. "Specifically, the Army CIO did not appropriately track more than 14,000 CMDs purchased as part of pilot and non-pilot programs," the report states.
In addition, the devices weren't configured to secure data stored on them, nor were the devices required to be "sanitized" before transfer or in the event of loss. There was also said to be inadequate training and user agreements specific to the devices.
"In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information; and therefore, did not extend current IA [information assurance] requirements to use of the CMDs. Without an effective cybersecurity program specific to CMDs, critical IA controls necessary to safeguard the devices were not applied, and the Army increased its risk of cybersecurity attacks and leakage of data," the report says.
Sign up for MIS Asia eNewsletters.