Digital Footprints and National Security: GAO Warns DOD on Publicly Accessible Information

The Government Accountability Office’s testimony, Information Environment: DOD Faces Risks with Publicly Accessible Information (GAO-26-108771), presented by Joseph W. Kirschbaum before the Senate Armed Services Committee, offers a stark assessment of how ordinary digital activity has become an extraordinary national security risk.

Kirschbaum explains that service members, civilian employees, contractors, and even family members continuously generate “digital footprints” through online searches, social media, personal devices, and commercial services. When aggregated by data brokers or hostile actors, these footprints form digital profiles that can disclose sensitive information about identities, unit locations, patterns of life, and even operational movements. The illustrative scenarios in the testimony—showing how an elementary school commute or a carrier strike group’s route can be inferred from publicly available data—drive home that no traditional “classified” label is needed for this information to be dangerous.

GAO notes that these risks extend across multiple security disciplines: counterintelligence, force protection, insider threat, mission assurance, operations security, and critical program protection. DOD has a complex security architecture and has taken steps such as limiting the use of personal email for official business, issuing social-media guidance, and incorporating digital-profile topics into cybersecurity and OPSEC training. GAO also highlights practical tools such as identity-protection smartcards that walk users through tightening privacy settings on social platforms, fitness trackers, and other everyday applications.

Yet the testimony concludes that DOD’s response remains fragmented and overly centered on OPSEC, leaving other security communities without clear policy direction on publicly accessible data. GAO found limited cross-office collaboration, incomplete security assessments among components, and training that only partially addresses the broader threat. Consequently, GAO makes twelve recommendations, including updating departmental policy, strengthening collaboration through the Defense Security Enterprise Executive Committee, expanding training across all security areas, and ensuring required security assessments are actually conducted. DOD concurred or partially concurred with all recommendations and has begun initial implementation steps.

Credit to Authors: Based on testimony by Joseph W. Kirschbaum, PhD, Director, Defense Capabilities and Management, with contributions from Marisol Cruz Cain and the GAO team identified in GAO-26-108771.

Disclaimer: This blog post is provided for general informational and educational purposes only and reflects a summary of a GAO publication as of its stated date. It does not constitute legal, compliance, or security advice. Readers should consult qualified counsel or advisors before acting on any information discussed here.