Information Environment: DOD Faces Risks with Publicly Accessible Information
Fast Facts
This testimony before the Senate Committee on Armed Services' Subcommittee discusses our work on DOD’s efforts to mitigate national security risks and assess DOD components’ efforts to protect the digital footprint of DOD personnel.
It summarizes the pending report titled
Information Environment: DOD Needs to Address Security Risks of Publicly Accessible Information
The Department of Defense identifies publicly available data as a growing risk. We found ways DOD could better assess these risks and improve collaboration and training. Our recommendations address these issues.
Ensuring the cybersecurity of the nation is on our High Risk List.
Highlights
What GAO Found
DOD and others recognize that publicly accessible data presents a growing threat to the security and privacy of DOD personnel and their families, military operations, and national security. GAO developed multiple possible threat scenarios illustrating these risks. (See fig. 1 for an example.)
Figure 1: Scenario of Threat Outcomes from Exposure of DOD Personnel Information
Sources of the data making up the digital profile include:
- Online activity, such as web browsing and the use of social media
- Personal mobile devices that transmit location data and share data about the owner
- Data brokers that aggregate and sell data
- DOD press releases and other public communications
- Sensors that broadcast the location of military vessels
Malicious actors could collect and analyze this readily available data to identify and harm DOD personnel or their families or track and disrupt DOD operations.
While DOD has an established approach for managing security risks, it has not ensured additional actions to address the risks associated with this publicly available digital data. For example, DOD officials have issued some policy and guidance, administered training, and developed awareness campaigns related to the digital profile. However, there has been limited cross-departmental collaboration on this issue that spans all key DOD security disciplines.
Further, DOD components have not consistently assessed the risks to their operations associated with the public accessibility of digital information. By taking additional actions, DOD has an opportunity to address these risks.
Why GAO Did This Study
Throughout the day, people—including DOD service members, employees, contractors, and family members— leave behind massive amounts of data through online activity that can be collected and aggregated by the public, data brokers, and malicious actors. All of this digital activity generates volumes of traceable information—also known as a digital footprint. Over time, multiple footprints can create a digital profile that can reveal potentially sensitive or classified information. GAO was asked to review the risks associated with this data and efforts DOD has made to address the associated risks.
This testimony summarizes GAO’s pending report titled Information Environment: DOD Needs to Address Security Risks of Publicly Accessible Information and focuses on (1) risks of publicly available data about DOD personnel and operations, and (2) DOD’s approach to address security-related risks.
To inform the report, GAO reviewed DOD documentation and information, analyzed publicly available data, and interviewed department officials. More detailed information on the scope and methodology of this work can be found in our report.
Recommendations
In the forthcoming report, GAO made 12 recommendations to DOD to better assess and mitigate risks associated with publicly available digital data.