Network and cybersecurity matter every day, but October is National Cybersecurity Awareness Month, which is a particularly good time to review how cybersecurity relates to your mobile device or smartphone.
When I was a kid, the notion of a mobile phone was a pocketful of quarters, standing in the elements, talking to long-distance loved ones on a phone welded to a utility pole. My contact list was a six-inch-thick phonebook attached by a chain to a pole in the phone booth. A watch was simply used to tell time, and eyeglasses were used to see, not to pretend you were cool.
Today, technology is smaller, faster and smarter. We joked about seeing tiny devices (called communicators) on “Star Trek,” and now we have cell phones that are the same size or smaller than these fictional devices. The impossible has become possible with the invention of devices such as Google Glass, iPhones, smart watches, pocket recording devices, USB drives, and many other technological wonders. Because these devices are so popular, each advance leaves our networks and workspaces more exposed to insider threats (willful or inadvertent), which ultimately increases the risk of compromising the integrity of Department of Defense sensitive information.
So, what are our responsibilities?
The pitfalls of using smart devices
Many devices today are equipped with advanced technology, including GPS capability. We are constantly at risk of being monitored in our homes, while riding to work, while shopping, and while browsing the Internet. If not properly secured and monitored, the devices we choose for convenience can be used for malicious purposes. For instance, adversaries can use intercepted information to determine patterns and estimate when you will not be home, steal your identity from intercepted data, or gain access to your financial records. These are just a few of the possible pitfalls of not securing smart devices.
In a news report last year for the Huffington Post, Adam Levin, technology writer, posed the questions: “For Americans concerned about their privacy… what about the data grabs happening inside your own home, perpetrated…by your coffee machine? Consider every appliance and every piece of home electronics that you own. Does it gather data about how you use it? Does it connect to the Internet?” Mr. Levin then went on to write, “If so, it could be used to spy on you.
Mobile devices, TVs, and various types of home appliances can be wired into a network that can track your actions. If these networks are hacked, information about your habits and behaviors could be available to individuals with nefarious intentions.
The same technological innovations that empower us also make us vulnerable to those who would exploit such advances against us,” wrote Levin.
These examples highlight why adhering to information security (INFOSEC) and operations security (OPSEC) guidance is so important.
Smart devices must be secured to protect national security. If information discussed over these smart devices should not be shared with the world, then use appropriate secure means. When using smart devices, you should do so with the expectation that someone could be listening.
If a device records, copies, communicates, takes pictures, connects, or processes data, keep it outside of the workplace. The choices you make are vital to protecting DoD sensitive information.
As more smart devices, such as smartphone watches, Bluetooth-enabled pedometers, and more, are introduced, remember they are not authorized for use in classified environments, per Defense Intelligence Agency Instruction (DIAI) 8460.002, Portable Electronic Devices.
If you have questions or need further guidance, please see your information systems security manager (ISSM), command security manager (CSM), or special security officer (SSO).
As we continue to focus on preventing information from being stolen and exploited, it is important to consider OPSEC and INFOSEC guidance. Smart devices pose a great risk; it is essential that you make wise decisions regarding the use of portable electronic devices/smart devices and adhere to the policies in place to safeguard against such risks.
All network users are required to sign the System Authorization Access Request Navy (SAAR-N), OPNAV 5239/14 (Rev 9/2011) agreement. The following statement is included on page four of the SAAR-N:
I further understand that, when using Navy IT resources, I shall not:
- Use personally owned hardware, software, shareware, or public domain software without written authorization from the Local IA Authority.
Adhering to the SAAR-N user agreement and the following guidelines, found in the Fleet Cyber Command Navy Network Discipline Quick Tips User Guide, should assist in managing the risk inherent in the introduction of smart devices into controlled spaces:
- Safeguard Information and Information Systems from unauthorized or inadvertent modification, disclosure, destruction, or misuse. Protect Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), and classified information to prevent unauthorized access, compromise, tampering, or exploitation of the information.
- Report all security incidents, including PII breaches, to your Command ISSM immediately in accordance with applicable procedures.
- Access ONLY the data, controlled information, software, hardware, and firmware for which you are authorized access, have a need-to-know, and have the appropriate security clearance. Assume only those roles and privileges for which you are authorized.
- Employ sound operations security measures IAW DOD, DON, Navy and Command directives.
Additionally, DIAI 8460.002 provides a matrix of allowed and prohibited Portable Electronic Devices.
Stay safe, my friends, and remember, protecting DoD classified and sensitive information is dependent on making the right decisions. Do not be the weakest link!
Here are two final points to remember: Loose lips (and loose networks) can still sink ships — and the bad guys only work as hard as we make them.
DoD Manual 5200.01, Volume 3, Protection of Classified Information, February 24, 2012 – http://www.dtic.mil/whs/directives/corres/pdf/520001_vol3.pdf
SECNAV 5510.36, June 2006, Personnel Security Program – http://doni.daps.dla.mil/SECNAV%20Manuals1/5510.30.pdf
DIAI 8460.002, Portable Electronic Devices – http://www.dia.mil/
DoD 5205.02-M, Operations Security Program Manual – http://www.dtic.mil/whs/directives/corres/pdf/520502e.pdf
DoD 5205.02E, DoD Operations Security Program – http://www.dtic.mil/whs/directives/corres/pdf/520502e.pdf