U.S. soldiers used flashcard apps to study and store sensitive nuclear stockpile information. They failed to make their profiles private, exposing the information stored in the apps.
When it comes to the security of our country, we put a lot of faith in our government and military. Our armed forces are truly a force to be reckoned with, which is why the United States is looked to as a peacekeeper, why we are often called in to moderate discussions between adversarial countries. Our cyber-defenses are top-notch, too, fortified stronger than Fort Knox to give threat actors an incredibly infinitesimally small shot at getting past those defenses. However, if a hacker would get the credentials of a ranking military member, all of that security means nothing. Which is why it’s surprising to learn that U.S. soldiers used public-facing flashcard apps to study and store information on our nuclear stockpile.
According to Foeke Postma, a researcher with Bellingcat, Bellingcat discovered the problem when doing a routine search using military acronyms. The searches came back with flashcards from apps like Chegg, Cram and Quizlet, where the researchers found information about bases in Europe where U.S. nuclear weapons are likely located. They also found secret codes, passwords and other information about security processes and protocols. The soldiers would use the apps to study and memorize the information, but didn’t set their profiles to private so their usernames and photos were public-facing. When you can match profile information across platforms, it’s not hard to figure out who people are and what information they might have.
Bellingcat spoke with Dr. Jeffrey Lewis, founding publisher of Arms Control Wonk.com and Director of the East Asia Nonproliferation Program at the James Martin Center for Nonproliferation Studies, who said, “secrecy about US nuclear weapons deployments in Europe does not exist to protect the weapons from terrorists, but only to protect politicians and military leaders from having to answer tough questions about whether NATO’s nuclear-sharing arrangements still make sense today. This is yet one more warning that these weapons are not secure.”
The Pentagon scrubbed some of the flashcards from the web, but didn’t get all of them. Vice’s Motherboard says that many are still archived on the Wayback Machine.
This is a serious problem. Some of the flashcards had been publicly visible since 2013 and some were as recent as April 2021. Even after scrubbing what they could, it’s likely that the Pentagon forced all soldiers to obtain new credentials, forced units to alter code words and secret phrases, and reset anything that could possibly be attached to one of these cards. So now, everyone not only has to learn a new set of security protocols, but they have to figure out a new way to study and remember them.
Having our nuclear weapons exposed, especially those stored overseas, is a serious threat to our country’s security. This threat was brought to us by our own soldiers, and it could have been entirely prevented with proper monitoring and training. Our soldiers are really good at what they do. The best in the world, in fact. But cybersecurity is not their forte, which is why it is so important that they are trained properly. There should be set ways to study the sensitive information they need to know without using an internet-facing application. And if it must touch the internet, then the users should be taught how to protect that information.
Technology and its security are not new, but most people still do not understand the risks of using the internet. Most people do not know how to really secure their home networks, let alone that their mobile device doesn’t come with its own security or antivirus software. It’s likely that some do, and some will not use public-facing apps to store sensitive information. But it’s better to assume that no one knows what they are doing and train them than to assume they do and have a breach. This is applicable in every industry, not just the military.
Business leaders need to take note. If our military is making mistakes like this, it is incredibly likely that someone at your company is making your business insecure. They don’t even know they are doing it, either. So find an expert to come in and train them and you, make sure everyone understands what is okay and what is not. Write a new internet/cybersecurity policy and add it to your handbook. Do everything you can to keep your business safe from threats.