LT John Smith looked up from his iPhone, his eyes wide with shock. He looked quickly to his left and right, checking to see whether anyone around him in the coffee shop could see the screen of his smartphone. Looking down again, he read the email through. His thumb hovered over the delete button, uncertain and trembling. Should he delete the email? Should he forward it to somebody? But to whom? What is a good Sailor supposed to do with an email that contains controlled unclassified information (CUI) sent to his personal email account, especially personally identifiable information, or PII?
Once the information was out there on the open network—as it now was through his commercial email address—there was no bringing it back. Anywhere between his iPhone and the sender’s computer back at SNAFUCOM the message could have been easily intercepted.
It was the Office of Personnel Management (OPM) breach all over again—on a micro scale, of course.
The problem was that LT Smith didn’t really know what to do. What was the policy? What was the right thing to do? The television on the wall caught his eye. A reporter, wearing a wet gray rain jacket over a dark suit was standing in front of the Pentagon, talking into a microphone sporting the logo of a national news affiliate.
“A senior government official admitted to using his personal email account for official business, adding he knew what he did was wrong and taking full responsibility for his actions,” the reporter said. “The government is launching a full investigation into the three emails the official is alleged to have sent.”
Only three emails and he’s subject to a government investigation? What would happen to lowly LT Smith? He saw himself standing trial in a court-martial. The scene crossed his imagination like newspaper headlines: Convicted! Bad conduct discharge! Clearance revoked!
He quickly pressed the delete button and the email was gone. Was this the right thing to do?
We live in a mobile world. Take a moment to look around the next time you’re on public transportation, in a coffee shop, or standing in line at the bank. Chances are nine out of 10 people within sight are engaged with their personal portable electronic devices (PPEDs)—smartphones, smartwatches, and tablets. The ubiquity of PPEDs—including in the form of wearable technology—has increased dramatically since the introduction of wearable heart rate monitors in the 1980s—and even since the introduction of the first smartphone in 2007.
Today’s portable electronic activity, fitness, communication, and medical (such as blood pressure, glucose, electrocardiography, and posture monitoring) devices offer a wide range of personal, professional, and health benefits. But the wireless transceivers and other previously prohibited technologies now being embedded into these devices may introduce new risks to Department of the Navy information. How do we allow for maximum use of mobile technology with minimum risk to security?
As we move forward with the Navy Enterprise Mobility initiative, protecting information will continue to be a challenge for cyber and traditional security professionals. How do we navigate the mobile environment to access information "anytime, anywhere, and from any device" while ensuring the safety of our networks and the information residing on them?
The only way to secure anything is by using a defense-in-depth approach.
First and foremost, we must acquire technology that appropriately provides access and ensures security. Our IT acquisition workforce continues to work with academia, industry, and other government agencies, identifying new and emerging technologies that best support the Department of the Navy’s (DON) cyber and traditional security requirements. However, with the expansion of the DON’s mobile environment, access anytime, anywhere to CUI, such as personnel records, medical records, and training materials, will rise. Therefore, emphasis must be placed on acquiring technologies that limit, where appropriate, the downloading, storage, and processing of CUI on a mobile device. This would mitigate the unauthorized disclosure of DON information, including the potential for an electronic spillage or privacy breach. This should be the new mindset as the DON pursues future iterations of a wireless and mobile environment.
Next, our existing policies must reflect this new environment, clearly stating what is authorized and what isn’t; moreover, policy must lay out the procedures for handling information in a mobile environment. Forthcoming guidance will provide some details on authorized use of PPEDs in the DON. However, moving forward we must include wireless computing in our consideration of traditional and cybersecurity policy requirements. And rather than outlining the current systems that may or may not be used, policy guidance should focus on capabilities and the risks associated with those capabilities when accessing DON information remotely and interacting within a mobile environment.
Finally, personnel must be made aware of and trained on these policies. And more practically, individuals must be trained in recognizing situations where information may have been compromised and what exactly to do about it. This is an all-hands effort and every user of DON IT resources—including mobile device users—must understand their responsibility for protecting DON information to include when to report policy violations. This ensures all users operating in a mobile environment understand their responsibilities for the protection of information. As with the violation of any public law, order or regulation, ignorance is not an
With the right technology, well-defined policy, and proper training, the LT Smiths of the world will understand the what, when, and how of using mobile devices. They will understand and act on policy for safeguarding DON information, ensuring information is not disclosed without proper authorization. They become the informal front line of security personnel for the DON as a whole—the equivalent of the “sentry at the keyboard.” Taking personal responsibility to knowledgeably safeguard DON information in the mobile environment, these frontline users will lessen the vulnerability of the information that supports our operations and capabilities. In the case of LT Smith, he took the appropriate action in deleting the email and not further disseminating it using his commercial email. With proper training he would have known this was the right action and whom to contact within his command to report the incident, according to DoDM 5200.01 Vol. 4, DoD Information Security Program: Controlled Unclassified Information (CUI).
As we move away from a paper environment and wired networks (legacy mentality) and become more reliant on mobile computing (“wireless by default, wired by exception” philosophy) there is an increased risk to our information when operating away from DON spaces.
If we want to be successful and secure in the future, we need to be more than prepared. Cyber and traditional security practitioners need to work cooperatively to adequately cover the risks associated with mobile computing and develop security policies to adequately address the requirements. This is necessary for the end user to have a reference framework for compliance, to properly access and protect the information, and to hold personnel accountable for noncompliance.
The increased operational demand, coupled with the need to stay relevant amid technological advances, requires us to adapt.
The future is wireless.
The future is mobile.
The challenge is balancing technological advances with the requirement to protect our information from unauthorized disclosure. As in everything we do as a Department, we must each do our part to lead the way forward.
To address some of the questions regarding collaborative DON information and cyber security, in the coming months, updated Department level issuances will be released including:
- A newly revised SECNAV Instruction 5239.3C, Cybersecurity
- An updated memorandum subject: Acceptable Use of DON Information Technology
- An ALNAV message subject: Acceptable Use of Authorized Personal Portable Electronic Devices (PPEDs) in Specific DON Spaces
- A memorandum subject: Security and Operational Guidance for Classified Portable Electronic Devices (CPEDs), and
- A newly rewritten SECNAV Manual 5510.36, DON Information Security Policy.
Teague de La Plaine is a security specialist in the Security Directorate, Deputy Under Secretary of the Navy (Policy).