There are a handful of rules that govern what Defense Department staffers can do with their government phones, but not nearly enough to adequately preserve communications and prevent unauthorized access to sensitive information, according to an inspector general audit released Thursday.
That includes the text messages from and among Trump administration officials wiped from government phones after they left their jobs in early 2021, according to the audit, a key reason why their communications during the Jan. 6, 2021, riot at Capitol Hill can’t be recovered.
But, even communications from current DoD officials can’t be monitored if they’re sent on one of several unmanaged apps, the report added, which can be used on government phones and for which there aren’t strict rules governing their use for official business.
“This poses the risk that DoD personnel may inadvertently lose, intentionally delete, or fail to preserve important DoD communications sent over these applications in violation of Federal and DoD records retention policies,” the report found. “It also creates the opportunity for DoD personnel to conceal communications and circumvent the creation of official DoD records, sheltering them from scrutiny or oversight.”
The Defense Information Security Administration has a portal, called the DoD Mobile Application Store and Personal Use Mobile Application, or PUMA, where government phone users can download authorized apps.
However, there are apps available that run the gamut from monitored messaging and data platforms to communications, gaming, dating and shopping apps that are supposed to be for personal use only.
“Examples of applications with potentially inappropriate content include applications for the creation of short-form videos; communication applications that have been exploited by violent extremists, hate groups, and sexual predators; and sexually themed games,” according to the audit. “Examples of applications that represent possible unacceptable use of DoD mobile devices include applications for live streaming crimes, police scanners, and gambling.”
From a security standpoint, while policy dictates that users go through PUMA to download their apps, the audit found, not every app is vetted for whether it solicits or transmits personal information, for example, or whether it stores communications.
“Specifically, we determined that DoD personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies,” the audit found. “In addition, DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems.”
DoD first announced the audit in August 2021, but a year later, the issue made headlines after the department and the Army were unable to provide Jan. 6 communications in response to a Freedom of Information Act request.
At that point Deputy Defense Secretary Kathleen Hicks issued a memo to the department to preserve all of communications, and directed the creation of a plan to address the issue going forward.
RELATED
“Today’s report raises more questions than it answers,” Sen. Dick Durbin, D-Illinois, said in response to Thursday’s audit release. “Was the disappearance of critical information related to the January 6 insurrection a result of bad faith, stunning incompetence, or outdated records management policies? We still do not know. But this report illustrates the key vulnerabilities and failures that the Defense Department needs to immediately address.”
There are 16 recommendations included in the audit to help DoD clean up its government phone policies.
The first is to require all government phone users to download and forward copies of their official communications sent over unmanaged apps, then delete the apps.
Next is to create a comprehensive policy for the use of apps on government phones, rather than disparate policies that exist within organizations now, and to require regular training on approved use.
DoD officials agreed with the recommendations, saying that they will be incorporated into the plan they owe Hicks, but no deadline is given.
Meghann Myers is the Pentagon bureau chief at Military Times. She covers operations, policy, personnel, leadership and other issues affecting service members.