A new report finds that the Department of Defense needs to find more productive ways to address and mitigate risks associated with publicly available digital data of military personnel that could potentially harm service members and their families.
The report was publicly released Nov. 17 by the U.S. Government Accountability Office (GAO) and stems from earlier testimony before a subcommittee of the Senate Committee on Armed Services on the risks posed by publicly available data about DOD personnel and operations, and on DOD’s own approach to addressing security-related risks.
GAO has put forward broader recommendations to DOD for more stringent guardrails to protect personnel and their families, and national security as a whole. The report presents DOD with 12 recommendations: assess its policies and guidance; collaborate to reduce risks; provide training on the digital environment and its associated risks across security areas; and complete required security assessments.
DOD concurred with 11 of the 12 recommendations and partially concurred with one; GAO maintains that all 12 are warranted.
This illustration shows how digital risks can quickly accelerate and be aggregated into an online profile. (Government Accountability Office)
GAO found that digital activity from personal and government devices, online communications, and defense platforms such as ships and aircraft can generate volumes of traceable data, commonly known as digital footprints.
Malicious actors can take rather innocuous digital information and use it to their advantage, be it DOD press releases, news sources, online activity, social media posts, or ship coordinates.
Risks That 'Exploit Weaknesses'
Joseph Kirschbaum, director of Defense Capabilities and Management at the nonpartisan GAO, told Military.com[1] that the full 63-page report was spurred by congressional members’ interest in understanding where DOD stood on the issue of risk associated with the vast amount of data and information in the public sphere.
“The increasing amount of this data and information and the changes in associated technologies have also increased the degree to which it is vulnerable,” Kirschbaum said. “Just as in the cyber realm, nefarious actors are increasingly interested—and able—to exploit weaknesses.”
The figure shows how a malicious actor could use digital information purchased from data brokers or collected from the web to identify and harm DOD personnel and their families. (GAO)
A Pentagon spokesperson, in a statement to Military.com, deferred comment to the GAO.
Risk mitigation includes understanding policy, technology and culture. GAO requires regular employee training and awareness of the vulnerabilities of publicly available data and information, Kirschbaum said, as part of a well-rounded effort in which every relevant agency and official is kept informed.
Asked whether the report was issued due to heightened security risks or concerns, Kirschbaum said it’s more about the combination and overlap of risks and vulnerabilities.
“There have been increased examples of data brokers selling information about DOD personnel,” he said. “There have also been examples of the potential risks of digital footprints, including the 2018 revelation that fitness trackers worn by military personnel were an operational security risk.
"GAO warned DOD about this in a 2017 report. Different parts of DOD have recognized these threats but have not considered them holistically.”
What The Report Says
A 16-page report detailing testimony from Kirschbaum provided to the Subcommittee on Emerging Threats and Capabilities, within the Committee on Armed Services in the U.S. Senate, says there are multiple actions that need to be undertaken by DOD to mitigate future security risks.
They include steps the DOD itself can take, such as assessing existing departmental security policies and identifying digital risk gaps; better collaboration across the agency; U.S. Cyber Command training; and ensuring that digital profile issues are considered in all security areas such as counterintelligence, force protection, insider threat, mission assurance, OPSEC and program protection.
This illustration shows how a malicious actor could use digital information to project the route of a vessel and disrupt naval carrier operations, or even target a vessel and its crew members that are in port. (GAO)
GAO determined that three of five offices under the Office of the Secretary of Defense (OSD) already have issued policies and guidance on risks associated with DOD’s digital information.
“However, the policies and guidance are narrowly focused, do not include all stakeholders, and do not include all relevant security areas,” the report states.
Shoring Up Loose Ends
GAO also determined that 10 DOD components were not fully addressing two essential areas of risk management: training and security assessments.
Nine of the 10 DOD components’ training materials did not consistently train personnel on the risks of publicly available digital information across all relevant security areas, while eight of the 10 components did not conduct threat assessments across the required security areas of force protection, insider threat, mission assurance, and operations security.
Most components focused assessment efforts solely on operations security, per GAO.
“The recommendations we make in the full report[2] reflect the fact that although divided among a number of security disciplines, DOD has an existing structure to assess and manage these kinds of risks,” Kirschbaum said. “Ensuring that the vulnerabilities and risks of publicly available information are part of that structure is the goal.
“The individual recommendations divide out specific elements, but it is the broader goal that will be the biggest benefit to the department.”