U.S. Army, Sgt. RJ Koreis, assigned to 3rd Psychological Operations Battalion, edits on laptop in “Technical Lanes” event, during the 2023 Spc. Hilda I. Clayton Best Combat Camera Competition at Fort A.P. Hill, Virginia, May 24, 2023. (U.S. Army photo by Spc. Noah Martin)
WASHINGTON — On June 1, the Army rolled out a new mandate requiring a virtual desktop for all soldiers to access Microsoft Office 365 platforms — the systems the soldiers use to read their emails, write memos, have virtual meetings via Teams or produce the Pentagon’s all-important PowerPoint slides.
The move, the Army said, will increase cybersecurity at a time when America’s enemies are looking for digital vulnerabilities. But though it was meant to keep foreign hackers out of the suite known as Army 365, some legitimate National Guard or Army Reserve users say a clumsy rollout with inadequate warning meant that they, too, were locked out of their official accounts.
It’s a somewhat embarrassing IT issue — but not easy to dismiss, as it is emblematic of the kind of system challenge that could have real-world implications if the US were suddenly thrown into a conflict.
The fluke “exposed a potential gap in the seem that, should there be a crisis situation, would have been a real challenge,” according to Katherine Kuzminski, deputy director of studies and program director of military, veterans and society at the Center for New American Security.
“It would be highly challenging if there were a crisis situation and there wasn’t a way to get a hold of [Reservists or Guardsmen], or that the service was only depending on one form of communication with them,” Kuzminski told Breaking Defense.
The Army, for its part, expressed confidence that the system ultimately has worked the majority of users and said that its ready to help if issues arise for users.
The Reservists And Guards Left Behind
Before the COVID-19 pandemic, Army Reserve and Guard soldiers could access DoD sites and related Microsoft suites using an identity verification CAC (Common Access Card) reader on their own devices without downloading a virtual desktop.
When the pandemic happened, the Army decided to grant this access service-wide as many active-duty soldiers stayed away from base. But at the beginning of this June the Army decided proper cybersecurity required a more controlled virtual desktop system for remote work, and they required everyone — National Guard and Reserves included — to download a virtual desktop.
The service’s new mandate especially impacts Guard and Reserve soldiers, as they specifically rely on personal devices and remote access because they don’t frequently go into DoD offices or have access to DoD equipment.
The Army told Breaking Defense it did warn all its network users about the change, but several reservists and Guard members said it wasn’t adequate notification — especially since it came through to their official emails that they don’t access often or spend very much much time with when performing official duties.
So, when the deadline passed early last month, some users said they found themselves locked out of their own systems.
“I think they put it out in April that this change was going to be made. That’s enough time for active duty to register and go through all the onboarding steps, but definitely not enough for [Reserve]/ NG [National Guard] people especially if you’re not near a base that has NIPR access,” wrote one LinkedIn user, who said they were an active duty Army soldier, referring to the military’s unclassified network.
A handful of impacted users, posting on LinkedIn or in interviews with Breaking Defense, indicated this situation is typical of how the active component treats the Reserve and Guard components as afterthoughts.
“It is time for Army Reserve and Guard Soldiers to be given the basic IT tools we need to do our job. We have endured years of frustration with doing the most simple tasks – checking email, signing forms, processing pay and more. [… The] well intended decision to limit CAC access to email has crippled an overwhelming part of the Army Reserve and Guard, and made us LESS secure. This decision needs to be reversed until many issues are addressed,” one LinkedIn user who identified themselves as in the Army Reserves wrote.
Another, who said they were a Senior Cyber Net Defender in the National Guard, wrote, “I don’t think most of the responders get it, most of the NG and Reserve soldiers are only on-duty for one weekend a month and much is expected to happen outside of that time. Restrictions to access collaboration tools only exacerbates the already burdensome reliance on Reserve/NG soldiers to use their time the most valuable of all resources to ensure the unit’s mission is fulfilled.”
Kuzminski said that one solution for keeping Reservists and Guardsman better in the loop would be for Army leadership, down the chain, to be in contact with them more often.
“If I were to make a recommendation, it would have been to also make sure that, for those who are assigned to units, that those unit level commanders and COs were getting in touch with all of their reservists, to make sure that they were tracking the changes,” she said.
“I think fundamentally, it comes down to the unit-level leadership and making sure that we have points of connectivity with Reservists and Guardsmen who may not be [as active] to make sure that they are tied to the overall position, which will now be really important if there is a crisis in the future that they are also as equally incorporated into the force” as active servicemembers, she added.
Virtual Desktop Speedbumps
Even putting aside the question of whether the active component did a good enough job of explaining the change that was coming, the systems appear to be challenging, according to one reservist, who is also a technology professional, and a separate technology executive who does government contracting with the Army.
The newly implemented software has proven not always to work due to bandwidth limitations and other glitches with the platforms, Maj. Jim Perkins, an officer in the Army Reserve and a civilian software product manager, told Breaking Defense.
Brad Sollar, the chief technology officer of Mainsail Industries, a company that does government contracting with the Army, said he was also affected by the change. Sollar said the virtual desktop is a safer environment, in theory, but he noted it’s also much more complex. To comply with this virtual desktop mandate, soldiers must create accounts on Azure Virtual Desktop (AVD), or Hypori for mobile devices.
In its statement to Breaking Defense, Army Network Enterprise Technology Command (NETCOM) said the decision to grant commercial access to Army 365 services was a “calculated measure taken during the onset of the COVID-19 pandemic to ensure uninterrupted operations.”
“However, as our security landscape evolves and threats become more sophisticated, it’s imperative to transition to more secure alternatives such as AVD, Hypori, or Intune Mobile Access Management (MAM),” the statement said, reiterating the June 1 deadline.
Army NETCOM also said that when it initially allowed non-virtual desktop access remotely during COVID, the remote capabilities in AVD and Hypori were not developed yet, adding in a later statement that adoption of the new security measures was coming along adequately.
“After the initial release of the information regarding the end of commercial web-based access to A365, we experienced a significant increase in the adoption of both Hypori and AVD Army-wide,” a spokesperson for the command told Breaking Defense. “Currently the adoption of these security measures continues at steady pace by Army personnel worldwide. If issues arise the Army Enterprise Service Management Platform (AESMP) quickly address and resolves the issue for the servicemember.”
The issue is that to create these virtual desktop accounts users must confirm their military emails, which is where some soldiers are running into a dead end as they no longer have CAC access to their emails, Perkins said.
Perkins said his user experience with Hypori has been difficult, noting that once he did get it to work, he enjoyed having access to his military email on his mobile device. But it’s still not foolproof.
In regards to the AVD platform, Perkins noted that his experience has been less than ideal, attributing this to an overload of users.
“The Azure Virtual Desktop experience, it really just seems to be [that] the server performance is kind of weak. My guess is that the original estimates for how many users were going to be using Azure Virtual Desktop and the throughput was just […] they underestimated it,” he said.
Perkins gave an example of this overload, saying that when he was logged into the AVD and trying to take a Microsoft Teams meeting, it bogged down the server and he was unable to use the video and voice features on the call.
Both Perkins and Sollar noted that a few weeks after the mandate took effect, the lags seemed to get better. However, there continue to be problems with speed.
With limited access and at times ineffective programs, some soldiers resorted to “wild workarounds,” Perkins said. That means, ironically, this attempt by the Army to be more secure backfired, causing users to develop what is known as “shadow IT,” the use of software within an organization without the approval of the IT department.
Related: Zero trust is breaking things at the DIA, and ‘that’s good’: CIO
“In the interest of ENHANCING security, it actually made us less secure as work went back into the shadows, with people texting screenshots and using aforementioned commercial apps,” the Army reserve member included in his initial LinkedIn post.
“The truth is that, if you annoy a user enough with security requirements, it’s a matter of WHEN (not if) shadow IT is introduced and workarounds are found to ignore the security measures,” another user commented.
Glitches And Culture
Perkins and Sollar, and even a handful of the frustrated LinkedIn members all agree that the Army’s decision to limit remote access to the Army’s Microsoft 365 platform was done in good conscience. The general consensus was that neither the service nor the users were to blame.
“Some senior leaders are saying that [the virtual desktop] should totally work, and it’s just user error. I think, regardless of whose fault it is, the problem is there, and so we have to figure out how to, you know, take care of these soldiers and make sure everyone has access to essential productivity tools,” Perkins said.
Instead, Perkins said, it’s a cultural problem in the government, which hinders ambitious yet promising technological advancements.
“One of the consistent messages that you’ve probably seen in this is, there’s a certain level of expecting and accepting of mediocrity, like, ‘Hey, stop complaining that your IT doesn’t work. You’re in the army. That’s the norm,” he said. “It’s 2024, and we’re not talking about, like, my satellite communications in the western Pacific aren’t working perfectly. We are talking about my access to email from my home network on a personal device, which is the only device I have access to on a regular basis. That doesn’t work.
“How do we think that we’re going to, you know, do any of the JADC2 (Joint All Domain Command and Control) stuff that we want to do if we can ensure that our standard soldier has access to email?”
