Is it any surprise that even high-ranking officials fall prey to basic cybersecurity mistakes? Defense Secretary Pete Hegseth’s password practices have sparked widespread concern among cybersecurity and policy experts. His passwords, which were exposed in a series of cyberattacks, are listed online, raising questions about the use of personal devices for military communication.

He is not the exception. Many people, senior and junior alike, reuse passwords for convenience. But the impact is more serious for someone who serves in a national security position. One of Hegseth’s passwords, a simple lowercase alphanumeric sequence, was shared across several personal email addresses and was compromised during hacks in 2017 and 2018. That raises the question of whether he had changed these passwords, especially before he used his personal phone in March to share classified material about U.S. military actions in Yemen.
The implications of password reuse are profound. By compromising the password of a personal email account, hackers can reset other passwords and even break into more secure systems. This is all the more ominous because Hegseth shared complex attack plans in an invite-only Signal group that included non-Defense Department members such as his brother and wife. The issue highlights the need for extremely strict controls when dealing with classified material.
The recent audit by the Department of Defense Inspector General highlights the vulnerabilities in the cybersecurity policies in place for classified mobile devices. The audit revealed enormous privacy, security, and authentication vulnerabilities that endanger sensitive information. The findings emphasize the need for increased training, compliance enforcement, and advanced monitoring systems to protect national security interests.
The audit also identified systemic weaknesses driven by the telework boom brought about by the COVID-19 pandemic. They included ad-hoc encryption, weak physical security controls, and a lack of proper user training. These shortcomings have drastic implications because they increase the exposure of classified information to unauthorized access. The report recommends an end-to-end redesign of cybersecurity controls, including modernized inventory systems, regular audits, and effective access control practices.
The need to safeguard mobile devices can hardly be overemphasized. As DOD IG Robert P. Storch said, “security for DOD mobile devices is essential for safeguarding national security, protecting classified data, and ensuring the integrity of the DOD’s missions.” Mobile devices are valuable assets but also highly desirable targets for hackers. Safeguarding them is not only a technical necessity but a critical operational imperative.
The audit findings reveal endemic failures in maintaining accurate records of classified mobile devices. Poor records hinder both accounting for the devices and tracking their unauthorized use. Such a failure would allow unauthorized individuals to use unmonitored devices to access sensitive information, which would bring about further breaches of national security.
In addition, the report points to deficiencies in monitoring user activity, a critical component of effective cybersecurity. Without effective monitoring practices, tracking malicious access or suspicious activity is difficult, which undermines efforts to prevent insider attacks. Proper authentication should also be implemented to ensure that only authorized users can access classified information and equipment. The audit found colossal disparities in user authentication processes and access control procedures.
The audit includes several suggestions for addressing these problems, such as revising the inventory systems, conducting audits, and introducing extensive user training procedures. These are fundamental steps in ensuring that the operating environment is safe and that users understand their role when operating classified devices.
In light of the evidence outlined here, the call to strengthen cybersecurity practice in the Department of Defense is clear. Mitigating the vulnerabilities described here can enhance the DOD's ability to protect national security interests and carry out its mandate securely and with greater efficiency. Hegseth’s password practice is a chilling reminder that cybersecurity awareness must be maintained at all levels.

