The Pentagon has issued guidance that prohibits Department of Defense personnel in operational areas from using location-tracking features on devices, apps or services, such as fitness tracking technology.
Deputy Defense Secretary Patrick Shanahan wrote Friday in the new guidance that the “rapidly evolving market of devices, applications, and services with geolocation capabilities (e.g., fitness trackers, smartphones, tablets, smartwatches, and related software applications) presents significant risk to Department of Defense (DoD) personnel both on and off duty, and to our military operations globally.”
“These geolocation capabilities can expose personal information, locations, routines, and numbers of DoD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission,” he wrote.
In January, Secretary Jim Mattis called for a review of using such devices and apps after news broke that Strava, an exercise tracking company that calls itself “the social network for athletes,” published “Heat Maps” of military service members’ fitness routines, particularly in remote areas of foreign countries where their presence is often sensitive.
While the information didn’t have the users’ names attached to it, experts argued at the time that it’s quite easy to cross-reference the maps with other social media and public information to track them.
Shanahan has directed DOD CIO Dana Deasy and Undersecretary of Defense for Intelligence Joseph Kernan to develop risk management guidance and training for use of geolocation-tracking devices, apps and services.
“DoD CIO, in collaboration with USD(I), will update the annual Cybersecurity Awareness training to assist DoD personnel in identifying and understanding risks posed by geolocation capabilities embedded in devices and applications,” he wrote.
This guidance applies only to operational areas, where military operations are being conducted. In other locations, Shanahan orders, “the heads of DoD Components will consider the inherent risks associated with geolocation capabilities on devices, applications, and services, both non-government and government-issued, by personnel both on and off duty.”
Combatant commanders can override the guidance, the memo explains, on non-government devices in operational areas after “conducting a threat-based comprehensive Operations Security (OPSEC) survey.” For government devices, they can “authorize the use of geolocation capabilities on government-issued devices, applications, and services in OAs based upon mission necessity, taking into account the potential OPSEC risks.”
There are plenty of benefits associated with the ongoing mobile revolution and giving DOD personnel and service members access to these location-based commercial services, Dave Mihelcic, former CTO of the Defense Information Systems Agency, told FedScoop. “But there are certainly risks associated with all of those.”
“I think it really is incumbent upon not only the Department of Defense to come up with policies that balance the employees’ and the military members’ needs for access to technology with [operaitonal security, or OPSEC] as well as cybersecurity, but it’s gotta be incumbent upon the military member to be aware of these kinds of issues, and not just in their official capacity, but in their personal capacity as well,” said Mihelcic, now federal chief technology and strategy officer at Juniper Networks. “You don’t want to give away information on Facebook, like your home address and when you’re going to go on vacation because somebody could rob your house.”
And as mobile devices and other location-enabled technology become more and more essential in life outside of the Pentagon and off of military installations, it will be interesting to see how this policy affects both individual DOD personnel and service members as well as the larger institution as it works to keep pace with the commercial world.
“This does provide a little bit of tension in the system,” Mihelcic told FedScop. “It’s not as easy to get devices in people’s hands, and it’s not as easy, in particular, for their personal devices to be used in every way that they’d like.”