CHIPS Articles: Protecting Classified and Sensitive Data

Protecting Classified and Sensitive Data
By Carlos Parter, U.S. Fleet Cyber Command, CIO-2 - October 10, 2014
October is National Cybersecurity Awareness Month, which is a great time to reflect on cybersecurity, including protecting sensitive information. Of course, cybersecurity is vital every day of the year. Throughout the year we have talked about topics that addressed real-world problems we face every day. We found that one of our best solutions is to educate you, the network user. If we are going to stay ahead in cyberspace, we must be vigilant and focused, and we must report to appropriate personnel when we see something wrong; this includes preventing “data spillage.” So, let’s review.

What is the definition of data spillage?

Classified (or sensitive) data spills occur when classified data is introduced onto an unclassified information system, to an information system with a lower level of classification, or to a system not accredited to process data of that restrictive category, according to DoD Manual 5200.01-v3, Protection of Classified Information. Although it is possible that no actual unauthorized disclosure occurred, classified data spills are considered and handled as a possible compromise of classified information involving information systems, networks and computer equipment until the inquiry determines whether an unauthorized disclosure did or did not occur.

When a classified data spill occurs, the command security manager is responsible for ensuring the policy requirements for addressing an unauthorized disclosure are met. An inquiry, notification, investigation and damage assessment will be conducted. These responsibilities must be carried out in close coordination with the information technology and/or information assurance staff, which has overall responsibility for the operation of the networks and systems, as well as the technical knowledge needed to address the spill. Security personnel have the overall lead for addressing data spills.

Data exposures are not limited to classified data. They can also involve Controlled Unclassified Information (CUI), which includes For Official Use Only (FOUO) and personally identifiable information (PII). The protection and reporting requirements for CUI are different from those for classified data. CUI exposures are reported through your chain of command and your command security office.

Loss of control over sensitive and protected data by organizations is a serious threat to business operations and national security. In recent years, attackers have exfiltrated over 20 terabytes of sensitive data from the Department of Defense, defense industrial base, and civilian government organizations, according to an October 2012 National Security Agency (NSA) report. Malware that propagates by way of removable media and phishing attacks designed for adversaries to gain access have increased the risk of large data transfers outside the defense network.

The October 2012 NSA report said that the trend for increased information sharing has weakened access controls, giving users without a need-to-know access to large volumes of sensitive or classified data. In the Department of the Navy (DON), access controls have not weakened. In fact, with SIPR PKI and other hardening initiatives, they are strengthening. The risk of data spillage is a problem largely because of inadequate end-user security awareness and users’ failure to follow data handling policies. As a result, data spills more often occur from unintentional user error or negligence.

What should you do in the event of a data spillage?

Of course, trying to prevent one in the first place is key. It may happen, however, and so the first step for users who become aware that classified information is lost or compromised is to immediately notify their security manager or commanding officer of the incident, as well as their supervisory chain of command, according to SECNAV M-5510.36, Department of the Navy Information Security Program. If reporting individuals believe the security manager or commanding officer may be involved in the incident, they must notify the next higher echelon of command or supervision. If circumstances of discovery make such notification impractical, reporting individuals shall notify the commanding officer or security manager at the most readily available command or contact the local Naval Criminal Investigative Service (NCIS) office. It is important to note that different classifications require different mitigation methods.

Legal Requirements

A preliminary investigation (PI) is mandatory whether or not the data spillage meets higher level reporting criteria set forth in SECNAV M-5510.36. The PI must be completed within 72 hours of initial discovery of the electronic spill. The exception to the rule is Unclassified Navy Nuclear Propulsion Information (U-NNPI) spillages.

If the DoD component’s initial inquiry, investigation, or a defense criminal investigative organization investigation, identifies the person(s) responsible for an unauthorized disclosure of classified information via public media or the Internet, the DoD component shall notify the Director of Security, Office of the Under Secretary of Defense for Intelligence in accordance with SECNAV M-5510.36. This notification shall include responses to the Department of Justice (DoJ) Media Leak Questionnaire. The Under Secretary of Defense for Intelligence USD (I), in coordination with the General Counsel (GC) of the Department of Defense. The head of the DoD component having original classification authority shall decide whether additional investigation is appropriate and whether to refer the unauthorized disclosure to the DoJ for investigation and/or criminal prosecution. When the initial inquiry or investigation does not identify the person responsible, the head of the DoD component, in consultation with the USD (I) and the General Counsel and DoD, shall decide if further investigation is appropriate.

Reporting incidents immediately, in most cases, will help prevent spreading the data spill to other assets on the network or, in the case of most faxes and hard copies, minimize future risks.

When it comes to data spills, don’t be our weakest link

For the Electronic Key Management System, the term “Practices Dangerous to Security” is defined as practices which have the potential to jeopardize communications security (COMSEC) material. Data spillages should be viewed in the same way because, in reality, they are practices dangerous to our national security.

Increased security awareness, at all levels in the chain of command, is a must. Information security discipline is reinforced by completing annual security awareness training. It is imperative that we all use this annual training to refresh our focus on information security.

Additionally, the following statements are included on page three of the System Authorization Access Request Navy (SAAR-N), OPNAV 5239/14 (Rev 9/2011), which all Navy network users sign:

I understand that to ensure the confidentiality, integrity, availability, and security of Navy Information Technology (IT) resources and information, when using those resources, I shall:

  • Safeguard information and information systems from unauthorized or inadvertent modification, disclosure, destruction, or misuse.
  • Protect Controlled Unclassified Information (CUI), to include Personally Identifiable Information (PII) and classified information to prevent unauthorized access, compromise, tampering, or exploitation of the information.
  • Protect authenticators (e.g., Password and Personal Identification Numbers (PIN)) required for logon authentication at the same classification as the highest classification of the information accessed.
  • Protect authentication tokens (e.g., Common Access Card (CAC), Alternate Logon Token (ALT), Personal Identity Verification (PIV) and National Security Systems (NSS) tokens, etc.) at all times. Authentication tokens shall not be left unattended at any time unless properly secured.
  • Virus-check all information, programs, and other files prior to uploading onto any Navy IT resource.
  • Report all security incidents including PII breaches immediately in accordance with applicable procedures.
  • Access only that data, control information, software, hardware, and firmware for which I am authorized access by the cognizant Department of the Navy (DON) Commanding Officer, and have a need-to-know, have the appropriate security clearance. Assume only those roles and privileges for which I am authorized.
  • Observe all policies and procedures governing the secure operation and authorized use of a Navy information system.
  • Digitally sign and encrypt e-mail in accordance with current policies.
  • Employ sound operations security measures in accordance with DOD, DON, service and command directives.

The bottom line is that data spillages are largely preventable and equate to negligent handling of classified information. The United States Central Command identifies data spillage as negligent discharge, and we must have the same serious mindset. There is no wiggle room. We must keep up our guard and take every precaution to prevent jeopardizing our national security.

For more information about Fleet Cyber Command/10th Fleet, please visit: http://www.fcc.navy.mil/.

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988