Strengthening Regulations Governing Use of Portable Media
Captain Stuart C. Smith Jr.
Major Amy B. Irvin

20 February 2009

Report Documentation Page (Standard Form 298, Rev. 8-98; OMB No. 0704-0188)
Report date: 20 FEB 2009
Dates covered: 00-00-2009 to 00-00-2009
Title and subtitle: Strengthening Regulations Governing Use of Portable Media
Performing organization: United States Marine Corps, Command and Staff College, Marine Corps Combat Development Command, Marine Corps University, 2076 South Street, Quantico, VA 22134-5068
Distribution/availability statement: Approved for public release; distribution unlimited
Security classification: report unclassified; abstract unclassified; this page unclassified
Limitation of abstract: Same as Report (SAR)
Number of pages: 14

INTRODUCTION

Twenty-first century man lives in a world in which eight gigabytes (GB) of data can be stored on a device with dimensions of a little more than three centimeters by a little more than one centimeter. This device weighs less than six grams, costs less than twenty-four dollars, is highly portable, widely available, and easily accessible using a universal serial bus (USB) interface. These devices are also referred to as thumb drives, flash media, USB flash drives, memory sticks, removable storage media,[1] or portable media. Although incredibly useful at home or work, they pose a significant risk. This form of media can easily be lost, stolen, or compromised. It can also be used to introduce, intentionally or unintentionally, malicious code and to infect a targeted system or series of systems on any given network. As technology develops at such a rapid pace, emerging solutions often become mainstream before sufficient testing is completed to determine the risks associated with a new product. Additionally, users are so enamored with the convenience of a new solution that they ignore the dangers connected with its use. Such is the case within the Department of Defense (DoD). Military regulations governing the use of portable media must be strengthened to prevent compromise by improving training and awareness, limiting individual discretion, and imposing stiff penalties when violations occur.

HISTORICAL BACKGROUND

When personal computers first became popular and affordable, the portable media of the day was the five and a quarter-inch floppy disk. With improvements in technology and a demand for greater storage capacity, the three and a half-inch floppy dominated the portable media market for several years. The most common were capable of storing up to 2.88 MB. After about ten years of mainstream service, the floppy disk was replaced by compact discs (CDs). The most common CDs are capable of storing 680 MB of data. After CDs, digital versatile discs (DVDs) became an attractive option. DVD storage capacity varies between 4.7 GB and 17 GB. In 2000, when thumb drives were introduced, they were only capable of 8 MB of storage. Eventually, with advances in technology, 64 MB became available, then 128 MB, 256 MB, 512 MB, 1 GB, 2 GB, 4 GB, 8 GB, 16 GB, 32 GB, and now 64 GB. Other portable devices are capable of storing data-at-rest (DAR);[2] external hard drives are the most common, and they are capable of storing terabytes of data.

In March 2006, MARADMIN 143/06 was released notifying "...enlisted Marines, active and reserve, on active duty between January 2001 and December 2005 of the loss of Privacy Act information." The "...thumb drive contained Privacy Act data to include, name, social security number, marital status, and enlistment contract information."[3] In April 2006, the New York Times reported, "American investigators have paid thousands of dollars to buy back the stolen drives, according to shopkeepers outside the major military base here..."[4] In response to these reported incidents, and many others, MARADMIN 348/06 was released stating, "Privacy Act data will not be stored on a removable storage device, thumb drive, floppy, CD-ROM, DVD, or laptop unless encrypted and password protected."[5] Additionally, "Privacy Act data will not be maintained on personal computers/devices."[5] In July 2007, ALNAV 057/07 was released indicating, "during the past 18 months, the DoN has reported over 100 incidents involving the loss of PII,[6] impacting over 200,000 Navy and Marine Corps personnel, including retirees, civilians, and their dependents. The most common causes of loss/compromise have been the loss or theft of laptop computers, thumb drives, and other portable removable media."[7] In response to these documented reports of sensitive data being lost, stolen, or compromised, the DoD Chief Information Officer (CIO) revised the policy governing portable media in July 2007 to include the following statement:

All unclassified data at rest that has not been approved for public release and is stored on mobile computing devices such as laptops and personal digital assistants (PDAs) or removable storage media such as thumb drives and compact discs, shall be treated as sensitive data and encrypted using commercially available encryption technology. Minimally, the cryptography shall be National Institute of Standards and Technology (NIST) Federal Information Processing Standard 140-2 (FIPS 140-2) compliant...[8]

This statement essentially requires sufficient encryption on all mobile computing devices, whether or not they contain Privacy Act data. Nonetheless, as a result of ineffective policy, poor enforcement, and several instances of lost, stolen, and compromised data, effective 18 November 2008, and in accordance with Marine Corps Enterprise Network (MCEN) Operational Directive 293-08, "all MCEN users must immediately suspend use of memory sticks, thumb drives and camera flash memory cards on all classified and unclassified USMC networks until further notice."[9] However, this directive does not prohibit the use of external hard drives, which perform a function similar to memory sticks.

IMPROVING TRAINING AND AWARENESS

One area in which significant progress must be made is training and awareness. The danger associated with using portable media is not resonating with the average service member. DoDD 8570.1, Information Assurance Training, Certification, and Workforce Management, dated 15 Aug 2004, "...requires annual information assurance training."[10] Per paragraph 4.2.5.4.1 of SECNAV M5239.1, dated November 2005, "IA training shall be monitored and reported as an element of mission readiness and as a management review item. The status of awareness and training provision and certifications shall be reported to DON CIO as an element of mission readiness."[11] For the average service member, by established policy, our military training consists of personally identifiable information (PII)[12] training and information assurance (IA)[13] training. These requirements are typically completed via an online computer-based training module. Although computer-based training has come a long way, more attention must be devoted to this particular subject. Refresher training for users is mandatory once a year, but this is insufficient.

Three methods of inoculating the user population with information regarding portable media are expressed, implied, and informed consent. Expressed consent is satisfied by signing an end user agreement, which details the regulations governing the use of DoD information systems. Service members typically complete an end user agreement before access is granted to a particular system. Implied consent is satisfied by the DoD warning banner. MARADMIN 714/07, dated 6 December 2007, modifies the DoD warning banner. Unfortunately, many users are so accustomed to the DoD warning banner that they are prepared to click "Ok" before the text box appears on the screen. Informed consent is satisfied by completing the computer-based training modules. One example of a routine violation is a recent email received from a senior officer which contained social security numbers for more than two dozen commissioned officers from three different services. The purpose of the email was to provide a roster; the social security numbers were unnecessary. Although intrusive and manpower intensive, a return to classroom instruction with a low student-to-teacher ratio is necessary in order to effectively impart the risks associated with the use of portable media, and to instruct users about safe methods to store data at rest.

LIMITING INDIVIDUAL DISCRETION

Until recently, DoD policy governing portable media, although strict, allowed for significant individual discretion. Few checks and balances and limited technical enforcement existed. Unfortunately, when a perceived operational necessity presents itself, a service member will often knowingly or unknowingly compromise policy and place sensitive, unauthorized material on portable media with or without approved encryption. This results in convenience becoming the rule of the day, at the risk of personal information being exposed to unauthorized recipients. In April 2006 in Bagram, Afghanistan, thumb drives were stolen on multiple occasions from U.S. forward operating bases and sold in local Afghan markets. Information retrieved from these devices included content classified at the secret level, photos, and phone numbers of people described as Afghan spies working for the U.S. military, as well as social security numbers and names of U.S. service members.[14]

An example of a strict policy can be found at the Gray Research Center (GRC). Although the GRC is not part of the Marine Corps Enterprise Network (MCEN), it does fall under DoD. The GRC restricts USB ports by introducing a physical barrier to the port. Although the port is not technically disabled, users are unable to use the targeted USB ports because a device prevents physical connection. The only two USB ports in use are for the keyboard and mouse.

IMPOSING STIFF PENALTIES

Military leadership is a significant part of the problem. Often, military leadership encourages violations because it is unaware of the consequences or of the policy governing portable media. As with all facets of leadership, uniformed leaders must lead by example with regard to the use of portable media. As it stands, current policies are routinely violated by members of all ranks. Common violations include using personal thumb drives to store PII, failing to use approved encryption software to protect PII, using thumb drives to transfer self-approved content from a network with a higher classification to a network with a lower classification, and, as of December 2008, using any thumb drive on any Marine Corps network. When violations occur, stiff penalties are called for. Otherwise, the policy will have no traction within the military community.

COUNTERARGUMENTS

Many believe the risk of compromise is limited. These users believe that limiting discretion will only stifle initiative and create an additional burden on an already overburdened workforce. While this policy will create an additional burden, just like wearing a seatbelt in the car, it is a necessary burden in order to preserve the force. The alternative has far worse consequences.

CONCLUSION

Learning, following, and enforcing portable media policy is a force protection measure. Additional effort must be made to prevent compromising sensitive data. Data at rest getting into the hands of the enemy gives them a marked advantage. Plausible results range from strategic implications to loss of life. Lost portable media containing sensitive information in the custody of an insurgent is as dangerous as the pull of a trigger from an enemy's well-aimed service weapon.

GLOSSARY

Removable Storage Media - Refers to cartridge and disc-based removable and portable storage media devices that can be used to easily move data between computers. Examples of removable storage media include, but are not limited to, floppy disks, compact discs, USB flash drives, external hard drives, portable media, and other flash memory cards/drives that contain nonvolatile memory. See DoD Memorandum, 3 July 2007.

Data-at-rest (DAR) - Any data residing on hard drives, thumb drives, laptops, etc. In some cases, this data can be Controlled Unclassified Information or it can be what's called FOUO, For Official Use Only. It can be called Critical Program Information, CPI; or it can be called Personally Identifiable Information. Encrypting data at rest will strengthen our security posture and mitigate the impact of lost or stolen data. See DoN CIO DAR FAQ, 26 September 2007.

Personally Identifiable Information (PII) - Any information that can be used to distinguish or trace an individual's identity, such as his or her name or social security number, alone, or when combined with other identifying information that is linkable to a specific individual, such as date or place of birth, or mother's maiden name. See DoN CIO DAR FAQ, 26 September 2007.

Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. See SECNAV M5239.1.

NOTES

1. See Glossary.
2. See Glossary.
3. MARADMIN 143/06, Lost Privacy Act Data, 24 March 2006.
4. Carlotta Gall, U.S. Investigates Sale of Secret Data in Afghan Market, New York Times, 13 April 2006, sec. A.
5. MARADMIN 348/06, Use of Data Protected by the Privacy Act, 26 July 2006.
6. See Glossary.
7. ALNAV 057/07, Safeguarding Personally Identifiable Information (PII) from Unauthorized Disclosure, July 2007.
8. Department of Defense Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing, 03 July 2007.
9. MCNOSC User Alert email, Immediate Suspension of Thumb Drives, Memory Sticks, and Camera Flash Memory, 18 November 2008.
10. DoDD 8570.1, Information Assurance Training, Certification, and Workforce Management, 15 Aug 2004.
11. Department of Navy, Secretary of the Navy Manual 5239.1, Department of the Navy Information Assurance (IA) Policy, 20 December 2004.
12. See Glossary.
13. See Glossary.
14. Carlotta Gall, U.S. Investigates Sale of Secret Data in Afghan Market, New York Times, 13 April 2006, sec. A.

BIBLIOGRAPHY

All Navy Message (ALNAV) 057/07, Safeguarding Personally Identifiable Information (PII) from Unauthorized Disclosure, July 2007. Washington, D.C.

All Navy Message (ALNAV) 070/07, Department of the Navy (DON) Personally Identifiable Information (PII) Annual Training Policy, 4 October 2007. Washington, D.C.

Carlotta Gall, U.S. Investigates Sale of Secret Data in Afghan Market, New York Times, 13 April 2006, sec. A.

Commandant of the Marine Corps, All Marine Message 143/06, Lost Privacy Act Data, 24 March 2006. Washington, D.C.

Commandant of the Marine Corps, All Marine Message 348/06, Use of Data Protected by the Privacy Act, 26 July 2006. Washington, D.C.

Commandant of the Marine Corps, All Marine Message 714/07, Mandatory Requirement to Use Standard Department of Defense Information Systems (IS) Consent Banner and User Agreement, 6 December 2007. Washington, D.C.

Commandant of the Marine Corps, All Marine Message 732/07, Data at Rest Encryption for Mobile Computing Devices and Removable Storage Media, 14 December 2007. Washington, D.C.

Commandant of the Marine Corps, All Marine Message 333/08, Mandatory Requirement to Use Standard Department of Defense Information Systems (IS) Consent Banner and User Agreement, 5 June 2008. Washington, D.C.

Commandant of the Marine Corps, All Marine Message 647/08, Immediate Discontinued Use of Removable Flash Media Storage and Memory Devices on Marine Corps Networks, 20 November 2008. Washington, D.C.

Commandant of the Marine Corps, All Marine Message 692/08, Department of Defense Warning Banner and User Agreement, 3 December 2008. Washington, D.C.

Department of Defense Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, 15 Aug 2004. Washington, D.C.

Department of Defense Memorandum, Withholding of Personally Identifying Information under the Freedom of Information Act (FOIA), 9 November 2001. Washington, D.C.

Department of Defense Memorandum, Protection of Sensitive Department of Defense (DoD) Data at Rest on Portable Computing Devices, 18 April 2006. Washington, D.C.

Department of Defense Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing, 03 July 2007. Washington, D.C.

Department of Defense Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 19 March 2008. Washington, D.C.

Department of Navy, Secretary of the Navy Manual 5239.1, Department of the Navy Information Assurance (IA) Policy, 20 December 2004. Washington, D.C.

Department of Navy, Secretary of the Navy Instruction 5239.3A, Information Assurance Manual, November 2005. Washington, D.C.

Department of Navy, Chief Information Officer Message, DON Encryption of Sensitive Unclassified Data at Rest Guidance, 09 October 2007. Washington, D.C.

Major Bret M. Hyla, S3 Future Operations Officer, Marine Corps Network Operations and Security Center (MCNOSC), 703-432-6853.

MCNOSC User Alert email, Immediate Suspension of Thumb Drives, Memory Sticks, and Camera Flash Memory, 18 November 2008.

Word Count: 1657