The Polar Fitness Tracker Episode and the Frustrating Pace of Military Cyber Policy Change

The US Navy fought and won the battle of Midway in June, 1942, just six months after the surprise attack at Pearl Harbor. Within six months, the Navy was able to recover from a crippling attack and mount a successful offensive against the enemy. In those days, it seems, the military was able to move quickly. Today, not so much. At least, not in military cyber policy.

Though it wasn’t a Pearl Harbor level attack, the Strava fitness tracking app affair created quite a stir in cyber defense circles. In January, 2018, the public learned that the app’s online “heatmap” showed the locations of secret bases in Afghanistan and publicly displayed other military and intelligence secrets.

Questioned about the apparently lax policies regarding soldiers wearing insecure civilian fitness trackers in secret locations, US Army spokesman Colonel Robert Manning III said, “We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of Department of Defense personnel at home and abroad…”

A month later, US Director of National Intelligence, Dan Coats, told the Senate Select Committee on Intelligence, “Frankly, the United States is under attack — under attack by entities that are using cyber to penetrate virtually every major action that takes place in the United States. From U.S. businesses, to the federal government, to state and local governments, the United States is threatened by cyberattacks every day.”

Coats’ statement reflected a consensus among military commanders and their political counterparts that the United States is engaged in a serious, ongoing cyber conflict. In the background, one could have assumed, the military was moving rapidly to bolster its cyber defenses and strengthen its cyber security policies for force protection. This turned out not to be the case, at least when viewed in the context of a subsequent embarrassing, worrisome disclosure.

In July, 2018, six months after the Strava incident, it was reported that the Polar Fitness app, which is used on mobile phones, could be hacked to show the movements and identities of American military personnel and intelligence officers around the world. Using the app’s developer API, hackers were able to demonstrate how they could identify, by name, the location and historical movements of over 6,000 people, including staff at Guantanamo Bay and other sensitive sites.

It’s worth noting, too, that such a hack possibly aligns with other massive thefts of government personnel data, such as the breach of the Office of Personnel Management in 2015. It would be naïve to think that foreign adversaries were not correlating data on US military personnel with their locations and movements as discovered through apps like Polar.

Curious about why the DoD had not been able to stop military personnel from using the insecure and consumer-grade Polar app while on military business, I asked Colonel Manning the following question:

“[After Strava] Were any security policies changed or developed for military personnel regarding personal fitness trackers or other tracking devices? If so, do you have any comment on their effectiveness given the Polar breach?”

I heard back from Manning’s colleague, Major Audricia Harris, who said, “With regards to the Polar fitness App: We are aware of the potential impacts of devices that collect and report personal and locational data. Recent data releases emphasize the need for situational awareness when members of the military share personal information.”

She then added, “Annual training for all DOD personnel recommends limiting public profiles on the internet, including personal social media accounts. Operational security requirements provide further guidance for military personnel supporting operations around the world.”

Finally, she noted, “The Under Secretary for Defense Intelligence is writing guidance to emphasize the risks of using global positioning system-enabled devices and to direct components to ensure local operations security policies are adequate. DOD is constantly reviewing our force protection methods to determine if any additional training or guidance is required in order to ensure the continued safety of DOD personnel at home and abroad.”

Six months after Strava, a breach that threatened the lives of military personnel, the DoD went from “We are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed,” to “DOD is constantly reviewing our force protection methods to determine if any additional training or guidance is required.” During this time, apparently, the Under Secretary for Defense Intelligence is writing new guidance.

According to a former US Army Intelligence officer I spoke with, the DoD’s statement on Polar reflects a plan to update the policy so that the guidance is clear. Then, base commanders and unit commanders will have to oversee compliance wherever they are deployed around the world. The specifics of the guidance are, of course, unknown and may remain classified.

Is six months enough time to rewrite cyber policy? Apparently, it isn’t. I’m sure the procedures are complex and the organizational issues quite challenging. However, it’s useful to contrast how long six months seems to be when you look at the US Navy’s ability to mount a winning battle plan in the first six months of 1942. One might think the DoD could do more to protect its forces in the six months after the revelation of a major vulnerability.
