The Ethics of Aggregation: Why Harmless Posts Become Intelligence

By Chuck Gallagher — Business Ethics Keynote Speaker and Trainer

TL;DR: A new Government Accountability Office report (GAO 26-107492, October 2025) warns that the Department of Defense is bleeding intelligence through ordinary social media posts, press releases, job ads, and photo metadata. Chuck Gallagher, business ethics keynote speaker, argues that this is not a technology problem — it is an ethics problem, because every small act of oversharing is a choice, and adversaries are counting on defense personnel to assume those choices do not matter.

A soldier takes a selfie at a training range. A recruiter posts a job listing that happens to name three obscure avionics systems. A public affairs officer uploads a photo of a handshake at a ribbon cutting. A program manager updates a LinkedIn profile with a new certification. None of those things feel like a breach. None of them trip a security wire. None of them would ever show up in an incident report. And yet, when a foreign intelligence service finishes assembling them into a picture, they tell a story that no one in that organization meant to tell.

That is the uncomfortable message at the heart of GAO 26-107492, the report released in October 2025 on digital footprints across the defense ecosystem. The GAO examined ten Department of Defense components and found that publicly accessible information — what the report calls a growing “strategic attack surface” — is being aggregated and exploited faster than the institutions creating that information can keep up. Fitness apps like Strava and games like Pokémon Go have, in documented cases, already revealed geolocation patterns of deployed military personnel. The vulnerability is not a zero-day exploit. The vulnerability is us.

Why this is a choices-and-consequences story, not a tech story

As a business ethics keynote speaker, I have spent the better part of three decades watching good people make small decisions that produce outsized consequences. The defining pattern in every case I have studied — including my own, years ago — is that nobody thinks the individual act matters. The entry in a ledger. The favor for a client. The photo at a training exercise. The innocent post from a conference. Each moment is evaluated in isolation, so each moment feels safe. But harm does not happen one post at a time. Harm happens at the aggregation layer, which no single person can see.

That is why the GAO report reads, to me, less like a cybersecurity audit and more like an ethics diagnostic. The report finds that most DoD components still rely on what it politely calls “basic social media awareness” — avoid posting locations, think before you post, do not share sensitive photos. That kind of training tells personnel what not to do. It does not teach them why their instinct to share exists in the first place, or how an adversary will use a decision that feels harmless. Training that only prohibits behavior, without explaining the moral stakes of the behavior, does not change culture. It just creates guilt.

I have argued at ChuckGallagher.com for years that cybersecurity is a human behavior issue long before it is a technology issue. The GAO findings vindicate that argument in a specific way: people overshare not because they are careless, but because the reward system of modern professional life actively encourages it. A recruiter is rewarded for posting detailed job descriptions. A public affairs officer is rewarded for generating engagement. A program lead is rewarded for being visible. When the visible behavior is rewarded and the invisible risk is ignored, you do not have a security culture. You have a vulnerability factory.

Does the ethics live in the post, or in the pattern?

Here is the question that changes how leaders should think about this: where exactly does the ethical failure live? In my work across defense contractors and federal agencies, I have watched teams get stuck on the wrong side of that question. They debate whether a specific tweet was appropriate. They investigate a specific photo. They argue about a specific LinkedIn post. And while they are doing that, the next eighteen posts go up unreviewed. The ethics does not live in any single post. It lives in the pattern — the organization’s posture toward what it shares, who decides, and what questions are asked before content leaves the building.

The GAO report identifies a pattern I see constantly: eight of the ten components it reviewed relied heavily on Operations Security (OPSEC) assessments, with minimal input from counterintelligence, cybersecurity, insider threat, or mission assurance. That is siloed governance, and siloed governance is a moral hazard dressed up as a process chart. When four teams each think one of the other three teams is watching, nobody is watching. And the people creating the content have no way to know that the review they assume exists does not actually exist.

The fix is not more training slides. The fix is a culture where every content creator — from the commander to the contractor marketing director — understands that their choice is not a communications decision. It is a security decision, a counterintelligence decision, and a mission assurance decision happening simultaneously. As a business ethics keynote speaker, my strongest recommendation to leaders reading the GAO findings is this: do not treat your digital footprint as a communications function with security implications. Treat it as a security function with communications implications. Those are not the same sentence, and the difference is where the ethics of your organization actually live.

Frequently Asked Questions

What is GAO report 26-107492 and why does it matter?

GAO 26-107492, released in October 2025, is a Government Accountability Office review of how the Department of Defense manages publicly accessible digital information across ten DoD components. It matters because it documents that adversaries are aggregating ordinary public data — social media posts, job listings, press releases, and metadata — into a coherent intelligence picture, and that current DoD policies are fragmented and inconsistent in addressing that risk.

Is the digital footprint problem really an ethics issue or just a cybersecurity issue?

It is both, but the ethics layer sits underneath the cybersecurity layer. Chuck Gallagher, business ethics keynote speaker, argues that the decisions to post, share, or publish are individual human choices shaped by organizational incentives, not just technical settings. If leadership rewards visibility and ignores invisible risk, no technical control will fully solve the exposure.

What are real-world examples of digital exposure harming the military?

Documented examples include the 2018 Strava heat map incident, which revealed the outlines of forward operating bases through aggregated fitness tracker data, and the early Pokémon Go period, in which location-based gameplay briefly revealed movement patterns inside sensitive facilities. The GAO report notes these patterns have continued as consumer apps have grown more sophisticated in collecting location and behavioral data.

What should individual defense personnel and contractors do differently today?

Treat every outward-facing post, photo, profile update, or job listing as an intelligence contribution rather than a communications act. Before publishing, ask whether the content — combined with what is already public elsewhere — reveals a pattern, a routine, a capability, or a relationship. If the answer is uncertain, the content should be reviewed by someone with cross-functional visibility, not a single OPSEC officer working in isolation.

Why does the GAO criticize existing DoD training on this topic?

The GAO found that many DoD components still rely on basic social media awareness training focused on what not to post, rather than threat-informed education showing how adversaries aggregate, correlate, and interpret public data. Without understanding the exploitation chain, personnel cannot accurately judge what is safe to share, and training becomes a compliance ritual rather than a security capability.

Your turn to weigh in

I would like to hear from you directly. If you have worked inside a defense organization or contractor in the last five years, what has changed in the way your team thinks about what gets posted, shared, or published externally — and what has stayed exactly the same? Drop a comment below and tell me what you are seeing. I read every response, and I am happy to reply. Before you do, let me leave you with five questions worth sitting with for a few minutes.

Five Questions for Further Thought and Consideration

  1. When was the last time your organization reviewed a public post, photo, or press release with counterintelligence at the table and not just communications?
  2. If an adversary had six months to study your people’s public profiles, what pattern would they see that you have never consciously looked at?
  3. What behavior does your organization reward publicly that quietly increases its digital footprint risk?
  4. Who owns the decision to publish, and who owns the consequences if that decision goes wrong — and are those the same person?
  5. If every one of your personnel understood exactly how their posts get exploited, what would they change tomorrow without being told?
