DOD ordered to evaluate mobile device cybersecurity in 2025 defense bill


The evaluations would include basic tools like virtual private networks that encrypt connections when browsing the web.

The Department of Defense may soon conduct a broad assessment of the cybersecurity of internal mobile devices used by servicemembers and analysts, under a provision of a sweeping must-pass defense policy package due by the end of the year.

Draft text of the 2025 National Defense Authorization Act includes a measure requiring the Secretary of Defense to assess products and services available to DOD that can help the U.S. armed forces and national security entity secure mobile devices used by its hundreds of thousands of staff.

It directs the evaluation to consider anonymizing technologies like dynamic selector rotation, a technical protocol that allows location identifiers like IP addresses to be regularly switched out at certain time intervals to prevent cyberspies from latching onto a specific device. 

It would also weigh more basic tools like on-device virtual private networks that encrypt internet traffic over a connection, a mechanism used frequently by everyday people to protect themselves when browsing online.

If adopted in the final version of the defense bill, the DOD would have around nine months to submit its findings to Congress. The evaluation would need to include a timeline to implement the technologies.

Officials, think tanks and academics are increasingly concerned about how malicious actors could tether themselves to mobile devices and use them to track the locations of servicemembers or other national security officials.

A 2023 oversight report said the Defense Department “does not have a comprehensive mobile device and mobile application policy” and that the device security programs available to the armed forces “also vary widely in the operational and cybersecurity risk they pose to the DOD.”

More broadly, the FCC is trying to reduce vulnerabilities in the Signaling System No. 7 — or SS7 — protocol, as well as the Diameter protocol, a pair of wireless signal functionalities that enable phone communications to travel across different network layers uninterrupted but have frequently made headlines for flaws that could potentially let hackers tap into Americans’ conversations.

The State Department has been making acute efforts to reduce the proliferation of spyware tools that have been planted on officials’ devices by governments around the world to quietly track their location and siphon communications.

DOD device security drew renewed interest last year when the Pentagon issued a directive to ban TikTok on staff devices amid concerns that the China-linked app was transferring sensitive user data back to Beijing, as part of a broader effort taken by the U.S. to scrutinize and potentially jettison the app altogether.