The Defense Department continues to encounter cyber security vulnerabilities stemming from publicly accessible information shared across digital platforms, a recent report from the U.S. Government Accountability Office warns.
The report, released on Nov. 17, highlights security lapses across 10 DOD components linked to digital activity from personal and government devices, online communications and defense platforms that “generate volumes of traceable data.”
“Massive amounts of traceable data about military personnel and operations now exist due to the digital revolution,” according to the report, which highlighted ship and aircraft movements as examples of accessible information. “Public accessibility of this data enables malicious actors to exploit critical information and jeopardize DOD’s mission and the safety of its personnel.”
The report found that U.S. Cyber Command, the National Security Agency, the Defense Intelligence Agency, the Defense Counterintelligence and Security Agency, U.S. Special Operations Command and every branch of the military failed to adequately address two critical areas — training and security assessments — for reducing the risk of digital threats.
Of the components assessed, only U.S. Special Operations Command was found to have consistently trained personnel about the risks of digital information in the public across all relevant security areas.
The report also found that eight of the 10 DOD components did not conduct threat assessments across the required security areas of force protection, insider threat, mission assurance and operations security.
The GAO goes on to illustrate how threat actors can steal public digital information about DOD operations and personnel, thereby posing operational and national security risks.
Information transmitted through press releases, news sources, online activity, social media posts and ship coordinates could, in theory, be used to project a vessel’s route and disrupt an aircraft carrier’s operations, the report states.
The GAO noted that three of five offices under the Office of the Secretary of Defense have issued policies and guidance on risks associated with public access to digital information.
Those initiatives, however, are too “narrowly focused” and do not include all relevant security areas, the report states.
The Defense Security Enterprise Executive Committee is “well-positioned to lead a department-wide collaborative assessment of policies and guidance on digital footprint and profile risks,” according to the report’s authors.
“Without such an assessment, DOD will have difficulty in determining whether risks are being sufficiently managed within the boundaries of their legal authorities,” the report adds. “Also, DOD will face ever-increasing threats to personnel privacy and safety, mission success, and national security.”
The GAO report made 12 recommendations to DOD to assess its policies and guidance, collaborate to reduce risks, provide training on the digital environment and its associated risks across security areas, and complete required security assessments.
DOD concurred with 11 of 12 recommendations and partially concurred with one.
Among the recommendations in the GAO report are instructions for the service secretaries of the Army, Navy and Air Force to conduct “required assessments in the security areas of force protection, insider threat and mission assurance.”
The report also recommends that Defense Secretary Pete Hegseth oversee the implementation of security assessments for the other listed components.
On Capitol Hill, Congress has echoed similar security concerns targeting the Defense Department. In an effort to mitigate national security risks, both the Senate and the House have introduced legislation in recent years with recommended provisions to protect the digital footprint of DOD personnel.
J.D. Simkins is the executive editor of Military Times and Defense News, and a Marine Corps veteran of the Iraq War.
