Patrick Shanahan, deputy secretary of defense, has only been on the job for six months, but he’s quickly learning that seemingly innocuous gadgets can pose a security risk at the Pentagon. Which gadgets? Innocent things like his Fitbit.
“I’m guilty. I used to wear a Fitbit up until this last week,” Shanahan said while delivering the opening keynote at a top defense conference in San Diego on Tuesday.
The line seemed to get some nervous laughter from the audience, and for good reason. It was revealed last week that Strava, a popular fitness app, had inadvertently exposed sensitive military bases by releasing supposedly anonymized data. The presence of US defense personnel who linked their fitness trackers like Fitbits to Strava could be seen around the world, giving foreign adversaries an amazing snapshot—the kind of snapshot that intelligence agencies would literally kill for.
“We leave digital footprints all over the place,” Shanahan, a former executive at Boeing, told the audience. “Our men and women with their cellphones... I’m guilty myself.”
“As we start to think about being operationally unpredictable we’d hate to put into place all these other safeguards and capabilities and not have the common sense to keep from exposing ourselves,” he added.
“The vulnerability of cyber is significant,” said Shanahan before suggesting defense contractors sign a futuristic (and completely hypothetical) cyber disclosure statement, kind of like a financial disclosure statement, to assure the Pentagon that its contractors were all running a tight ship. But Shanahan acknowledged that nobody in the defense-contractor world wants that level of paperwork and accountability.
“Your secrets, our secrets, are exposed,” Shanahan said. “And the culture we need to get to is that we’re going to defend ourselves and just like with security clearances or that anytime information is compromised, we want the bar to be so high that it becomes a condition of doing business.”
Strangely, Shanahan assured his audience of defense contractors that they wouldn’t be too hard on anyone right away.
“We won’t drop that safe on anyone’s head right away, but that’s where we want to get to,” he said. “It’s too important.”
Or perhaps it’s not at all strange, given Shanahan’s long history of being the one in the audience at the Armed Forces Communications and Electronics Association’s West 2018 conference rather than the one on the government side. Given the chumminess between the Pentagon and the defense industry that stands to make a profit, it’s obviously hard to tell the difference.
You can watch the entire keynote on YouTube. Shanahan’s discussion of cybersecurity starts around the 30-minute mark.