STUTTGART, Germany — U.S. European Command and portions of U.S. Special Operations Command may have put sensitive information at risk by haphazardly handing out mobile devices to personnel for three years, according to Pentagon investigators.
A heavily redacted report released Monday contains the findings of an audit by the Defense Department Inspector General. EUCOM and two SOCOM segments didn’t maintain complete or accurate inventory records for classified mobile devices, it said.
Deficiencies were found in all the required elements related to device training and user agreements, annual reviews and so-called incident response plans.
Maintaining complete inventory records enables commands to ensure proper administration and quick intervention if a device is involved in a cybersecurity breach, the IG said.
Mobile devices are “a primary target for cyber threats which could compromise data and the national security landscape,” Inspector General Robert Storch said in a statement Monday. “Securing these devices is not merely a technical priority; it’s a critical operational mandate.”
Under certain circumstances, the military provides personnel with commercial off-the-shelf mobile devices such as laptops, tablets and smartphones that are configured to securely access classified information.
One of the driving factors in the lax distribution of mobile devices was the surge in demand for telework brought on by the coronavirus pandemic, according to the report.
The Pentagon components investigated in the audit between August 2021 and September 2024 included the Defense Information Systems Agency, which the report said had the same problems in issuing mobile devices.
The IG called for a corrective action plan and made dozens of recommendations focused on ensuring that the commands abide by cyber security protocols.
All Pentagon components should reevaluate their needs for classified mobile devices outside of secure spaces and recall ones that are no longer used or needed, the IG said.
Cyber security has been a top DOD issue for years. Troops and civilian employees must complete various training programs that highlight cyber vulnerabilities and the dangers of mishandling classified information.
The cyber realm has emerged as a major battleground, with Russia and China routinely trying to penetrate U.S. and allied networks.
Large chunks of the report were blacked out, making many of the circumstances and specifics related to mismanagement of the classified devices unclear.
EUCOM, DISA and SOCOM headquarters and Special Operations Command Central did not dispute the findings and indicated that steps would be taken to come into compliance with the various recommendations.