Information security Archives

Navy Saves Trees With Digital Signatures


Navy Chief Information Officer Rob Carey approved an electronic signature policy for the Navy and Marine Corps on Aug. 27 in a move designed to save paper, improve security and save money.

Carey said the policy is not a mandate to replace hand-written signatures but rather a policy to adopt electronic signatures as the preferred means of conducting business transactions within the Navy and Marine Corps.

Electronic signatures will be certified by using the Common Access Card issued to all military personnel and qualified contractors, he said.

Ironic side note: Carey signed his new electronic signature policy with his old-fashioned hand-written signature.


Lost VA BlackBerrys Redux


I think tracking lost Veterans Affairs Department BlackBerry gadgets may become a regular feature here, with reports on Wednesday and in June -- and, here now, Thursday's roundup of the number of the gizmos lost so far this year by VA employees.

Veterans Chief Information Officer Roger Baker told me on Thursday that as of June 30, 129 VA BlackBerrys have gone astray compared with 189 in all of 2009. Since that works out to a monthly Berry loss rate of 21.5 in 2010 versus a monthly loss rate of 15.75 in 2009, VA is well on its way to losing more of the gadgets this year than last.

But Baker said I need to apply another statistic: VA has about 35,000 BlackBerrys in use, increasing at a rate of more than 20 percent a year. Simply put: More BlackBerrys mean more are lost. "My calculation [using the 2009 number] says that's about half a percent lost annually," Baker said.

Oh well, I guess it's better (and cheaper) than losing MRI scanners at that rate.


Where's Your BlackBerry?


That's a question that 13 employees of the Veterans Affairs Department would have a hard time answering, VA Chief Information Officer Roger Baker said in a call with reporters on Wednesday. The unlucky 13 reported they lost their portable gizmos in the month of May.

How do you lose a BlackBerry, I asked Baker. "Someone gets into a New York cab, puts it down, it slides into a crack in the seat, and stays there for years," he replied.

Baker added that this scenario was, of course, hypothetical and had nothing to do with personal experience.

Baker related the BlackBerry loss in his monthly call with the media to go over any potential data and information breaches at VA in the previous month. He said he was not concerned about any data loss from the misplaced BlackBerrys because the devices electronically die within five minutes of separation from their owner.

Last month, VA also had five encrypted laptops stolen, and Baker again said he was not concerned by the loss because the data was secured. An unsecured laptop also took a hike, but he said since the box was used for patient entertainment, it did not result in a data breach.

VA ships 7.5 million prescriptions a month by mail or United Parcel Service. UPS informed VA that its investigators had discovered an employee helped himself to a prescription package rather than delivering it. Susan Rosenberg, a UPS spokeswoman, said the employee has been arrested.

Baker prefaced this month's data breach call by saying it would be boring, but at the end said, in the name of transparency, he intended to continue the practice.

I'll continue to call in - even at the risk of boredom.


Cyberattack Estimate: 250K an Hour


Army Gen. Keith B. Alexander, the head of the new U.S. Cyber Command, estimates that bad actors now probe Defense Department networks and systems 250,000 times an hour -- or some 6 million times a day. Or this: 2.19 billion times a year.

Alexander, who also runs the National Security Agency in his spare time, said in a speech on Thursday at the Center for Strategic and International Studies in Washington that operations in cyberspace have become a critical element of national and military power and protecting the networks is essential to national security.

Based on statistics Alexander presented, the number of probes Defense experiences a day almost matches the number of military computers, some 7 million machines connected to 15,000 networks, with 21 satellite gateways and 20,000 commercial circuits.

Alexander said that at the moment "our front line defenses are up to this challenge." But he said he has concerns about threats to network security from a growing array of foreign actors, terrorists, criminal groups and individual hackers.

"Our data must be protected. . . . We have an enormous challenge ahead of us as a nation, as a department and as a command," he said.


Health Policy End Run?


The Senate Armed Services Committee wants to make it easier to transfer medical information from the Defense Department to the Veterans Affairs Department without the need for prior authorization from a service member.

The committee said in its version of the fiscal 2011 Defense authorization bill that it plans to accomplish this by aligning Defense regulations with the Health Insurance Portability and Accountability Act to permit the interdepartmental release of such information without going through a lot of hoops to get the OK from everyone who leaves the service.

I can (sort of) understand the need for the change to ensure a continuum of care. But how hard would it be to have someone check a box when being discharged authorizing that release?

My health care information belongs to me - and only I should have the right to authorize its release.


VA Finds it Hard To Say 'Terminate'


Despite rules and regulations requiring contractors to encrypt data on laptops, 578 vendors have refused to abide by this common-sense approach to protect veteran data, as I reported last week.

Reps. Steve Buyer, R-Ind., and Phil Roe, R-Tenn., expended a lot of effort on Wednesday at a hearing on information security at the Veterans Affairs Department trying to get Jaren Doherty, associate deputy assistant secretary for information protection and risk management at the VA; Jan Frye, deputy assistant secretary for acquisition and logistics at the Office of Acquisition, Logistics and Construction; and Frederick Downs Jr., chief procurement and clinical logistics officer, to say what action, if any, they intended to take against vendors disinclined to adhere to VA security policies.

Buyer and Roe also wanted to know if the VA planned to take action against a contractor who had a laptop stolen that contained personal information on 644 veterans.

After an exasperated Buyer said he detested the finger pointing and bureaucratic wrangling on this simple question, Frye finally said if any of those 578 vendors remained recalcitrant, VA could terminate the contracts.

Frye also said VA has sent a show cause letter to the vendor that lost the laptop that contained veteran information and may terminate the contract.

Buyer, who praised VA Chief Information Officer Roger Baker at the hearing for taking ownership of a problem that was not of his making, said the department's latest data breach resulted from a flawed procurement system at the agency, not a problem in the VA IT shop headed by Baker.

"I have long held concerns over the procurement contracting process at VA," Buyer said. "It is highly decentralized, with limited contract review or oversight. I hope that this incident will serve as a wakeup call to VA, and I hope that we can now have a serious discussion about reforming VA's broken procurement system."

Roe identified the contractor which had its laptop stolen as Heritage Health Solutions, based in Flower Mound, Texas. Michael Kussman, who served as undersecretary of health at VA until he resigned in April 2009, serves on Heritage Health's advisory board.

The company has not responded to e-mails I sent on May 13 and again on Wednesday containing questions about the stolen laptop.

DARPA SMITEs Insider Threats


How bad is the threat of an insider attack against military information systems?

The Defense Advanced Research Projects Agency answers that question in stark terms in its request for industry help to counter insider electronic moles:

Trusted insiders ... are targeting the U.S. information infrastructure for exploitation, disruption, and potential destruction. [Emphasis included.]

National Counterintelligence Strategy of the United States of America (2008).

DARPA says protecting information systems against bad insider actors is often difficult because the defenses must be perfect and comprehensive, while the attacker needs to find only one flaw.

That's why the agency said it has kicked off a project called Suspected Malicious Insider Threat Elimination, which we all know stands for SMITE, a lovely play on words for fighting back against an enemy.

Detecting insider threats, DARPA said, remains a challenge because it requires unearthing subtle indicators of malicious behavior buried in enormous observational data of no immediate relevance, or zeroing in on one key signal out of a lot of background noise.

One way to detect insider threats is to focus on deceptive behavior, which is characteristic of malicious intent - which, by the way, leads to the problem of assigning intent to observed behaviors.

But DARPA added that in both the real and virtual world, it is very difficult to do anything without leaving some evidence behind. Attempts to conceal or remove evidence generally create new evidence that, if detected, could be a strong indication of the perpetrator's intent.

Forensic-like techniques can be used to find clues, gather and evaluate evidence and combine them deductively, and DARPA says it needs industry help in developing these techniques.

The agency wants vendors to provide it with white papers that include, but are not limited to, techniques to derive information about the relationship between deductions, the likely intent of inferred actions and suggestions about what evidence might mean and then dynamically forecast context-dependent behaviors.

The agency also would like ideas on how to use information sensors and algorithms to help it determine the scale and complexity of current and projected insider threats and novel approaches based on social behavioral science.

Anyone interested in tackling this challenge needs to respond to DARPA by May 26.

NSA on the Flash-Media Hunt


Shh, the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network, and any federal agency can get a copy free -- no box tops or coupons required.

The NSA provided a brief tantalizing description of its USBDetect 3.0 Computer Network Defense Tool in the unclassified part of its fiscal 2011 budget request.

The software, the NSA said, provides "network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals."

I figured the NSA might like to tell a digit-stained wretch more about this success story, but alas, the agency declined to unburden itself. An image therapist up at Fort Meade, Md., told me what I found in the budget documents about the detection tool is all the info NSA cares to share with me -- or the rest of the world.

USBDetect evidently has been around for almost two years and has been successfully used by the Homeland Security Department to sniff out flash media gizmos, according to a report on the use of thumb drives and similar gadgets on DHS networks.

The Defense Information Systems Agency makes a brief mention of the USB detection software on its information assurance Web page but buries the details behind a firewall.

I have a hunch that a bunch of other agencies use the detection software, and so before you stick a thumb drive into your government computer to copy a 100-slide PowerPoint brief, beware that Software Big Brother may be watching.

Security Breach Déjà Vu at VA


Oh my, when will they ever learn at the Veterans Affairs Department?

I have heard from well placed sources that an employee at the VA medical center in Atlanta downloaded patient clinical data to a personal laptop, and an investigation may be pending.

Details are sparse on this breaking story, but I was told the employee -- a physician assistant nurse practitioner -- downloaded 18 years worth of clinical data on an unknown number of patients to conduct research.

If this all sounds eerily familiar, it is. In 2006 a VA data analyst downloaded information on 26.5 million records -- or practically every living veteran -- onto the hard drive on his personal laptop, which was later stolen.

The good news in the current situation is that the laptop was not stolen. The bad news is that none of the data downloaded in 2006 included clinical information, while the current case involved a whole mess of medical data.

The timing on this could not be worse. The Obama administration is trying to sell the American public on the need for a national electronic health record system. That's a tough sell if folks find out that their supposedly private electronic records are subject to downloads for research.

Does VA have policies and procedures that bar the download of veteran data to personal laptops? You bet. But the best policies and procedures don't do much in the face of human ignorance.

What's in a Thumb Drive Kit?


The U.S. Strategic Command says that military units in Afghanistan soon will start receiving thumb drive kits that meet its new flash media policy for Defense Department networks and computers.

STRATCOM said on Feb. 18 that flash media such as thumb drives should be used only as a "last resort" to meet operational requirements -- and Afghanistan, where network bandwidth is at a premium, sure meets that last resort requirement.

But it's hard to get an answer from STRATCOM on what exactly is in a flash media kit because it has not publicly released details, a STRATCOM spokesman told me.

Meanwhile, legions of PR folks continue to flood my e-mail with pitches for companies that make stuff they think meets the Defense requirements, even though STRATCOM is mum on the subject.

I think these folks get paid by the number of e-mails they send out.
