Officer Brings Security Flaw To Army's Attention; Army Threatens Him With Jail If He Talks About It
from the good-deeds-won't-go-unpunished,-not-in-this-man's-Army! dept
It’s a common, but regrettable, reaction. Person A discovers flaw in computer security. This is brought to the attention of Persons B-whatever. Person A is threatened, bullied, fined, expelled, etc. for daring to highlight a potentially damaging security issue. In extreme cases, some even throw the highly-flawed CFAA at the person, accusing them of hacking, “exceeding authorized access.”
Why? Who knows? Apparently nothing fixes a security flaw faster than acts of intimidation and the resultant bad press. The US Army presumably holds the power to actually shoot the messenger, but thankfully, it didn’t take things that far.
A soldier was made to sign a non-disclosure agreement by the US Army after pointing out a security flaw which allowed accounts on shared PCs to be accessed without proper authentication…
Army staff authenticate on shared computers on bases and in the field using Common Access Code (CAC) smart ID cards. On completing a session the card is removed from the reader and the session should be terminated. However, it appears that the logoff process is often slow and can easily be cancelled by the next user, who can then continue to access the system under the previous user’s account.
While I can almost see the rationale for this action (don’t talk about this until we can fix it), it’s severely undercut by the fact that the US Army a) had no intention of fixing it and b) had previous knowledge of the flaw’s existence.
The issue has been known about for over two years, with one Army lieutenant who spotted it facing all manner of troubles when he tried to report it to senior staff. Having been told that the problem was too tricky to fix, he was then allegedly made to sign a non-disclosure agreement and told he could face imprisonment if he broke it.
Others who pointed out the flaw to superiors were faced with silent inaction.
I guess the Army figured it could just wait it out. Maybe the system would mend itself, using some sort of nanobot AI or something. I’m pretty sure I read something in Omni about in back in ’81… In the meantime, it applied the most minute of Band-Aids to the problem.
A statement issued by senior Army IT security staff after the problem appeared in the news has advised soldiers to be more careful when logging out of shared PCs.
Right. Because that “be careful” statement works so well at libraries, schools, offices… basically anywhere anyone shares computers. Of course, most shared computers won’t have access to information that could potentially pose a threat to a nation’s military if it made it out into the wild. The Army seems to somewhat feel this non-solution might be inadequate, so it’s applying another set of “be careful” Band-Aids in a way only a large government entity can: with handbooks and motivational posters and weeklong events.
In response to the problem they are planning an “Information Assurance/Cybersecurity Awareness week” in October as a follow-up measure to their new handbook, released last February, which stresses the importance of individual responsibilities to protect information. According to Lundgren, the handbook “augments current policy, training, and inspection processes and aims to raise awareness and change culture.”
I’m guessing the effectiveness of this program will be in the 0% range. It’s tough to get anyone to care about an issue you can’t be bothered to fix, no matter how many reminders clog up soldiers’ inboxes or how many commanding officers read the mandatory “IA/CA Week” announcement in a low, perfunctory monotone.
And once again, we’re back to the crux of the issue: the Army won’t fix the problem. It doesn’t seem impossible or even extraordinarily difficult. There is the matter of scale, which does complicate things, but refusing to tackle the root problem means the hole in the system will remain open and exploitable, no matter how many soldiers are forced into signing NDAs or threatened with jail time or bored to death by “awareness” presentations.
Considering the recent NSA leaks, you’d think the Army would be hammering away at the problem with alacrity, rather than throwing updated policies and freshly-printed handbooks at its personnel.