I read a C4ISR.net article this morning, which covered the fact that Department of Defense (DoD) personnel, mainly from the US Army, were given access to classified material at home via their telework portals due to COVID.
And, I take serious issue with this…three words come to mind: private email server.
During my time in the US Air Force, especially after 9/11, information security (INFOSEC) was of the utmost priority. So much so, there was an instance when I was ordered to investigate the misplacement of very simple classified communications coding materials from one of the fighter squadrons I was a part of. Following a week-long investigation, I found that the materials most likely had been properly disposed of, but without the required documentation of the action to ensure the chain of custody had been maintained. But, I couldn’t be sure. I was not part of the decision tree for what punishment the individuals received for the breach of security protocols, if any. However, I came away with a slightly better understanding of the monster that is INFOSEC.
Major General Maria Barrett of the Army’s Network Enterprise Technology Command, or NETCOM, started a program a few months ago when the COVID pandemic hit hard. The program allows a limited number of individuals the ability to access up to SECRET level classification materials while at their telework areas, be that their homes or another space. This includes access to Secret Internet Protocol Router (SIPR) Network information which previously was only accessible in specialized areas and on highly compartmentalized workstations. As cited in the article, she also went as far as to allow classified materials to be stored on the end users’ devices so that members could work offline, if needed.
Let us count the ways in which this is an awful idea:
1) They are using commercial solutions. Not to say this is a horrible choice since we use commercial off-the-shelf (COTS) products all the time in the DoD. But, when it comes to INFOSEC, COTS materials should not be a go-to source, in my opinion.
2) Up to SECRET level information spans a massive amount of materials that reveal our capabilities, plans, and basic national security flaws. The information contained could give a broad picture of the military and its plans and programs if enough information is gathered. Additionally, by the time we find a breach, it could be far too late for us to stop the damage.
3) Some end user devices will have data storage. This opens a can of worms no one wants. Even if this data storage isn’t compromised physically, what happens if the person using it is compromised? All it takes is someone who has this type of access allowing another individual to leverage them and simply view the materials, let alone get their hands on them. No matter what, the information will be compromised.
Presently, the Navy is investigating utilizing this lunacy. Chris Cleary, the US Navy’s Chief Information Security Officer, was quoted as saying, “Anybody who had to do…work on a high side machine still had to go into the building FOR THE MOST PART.”
I’m sorry, what? “For the most part?” This tells me there is still highly classified material being handled outside normal, traditional, and vetted protocols and that leaves the DoD vulnerable to a whole host of cyber-intelligence gathering entities around the globe. If we think China is not looking for ways to exploit our data, national security, and military information for later use, we are deluded. This whole situation is low-hanging fruit ripe for picking by the most novice of cyber-warriors or spies.