Saturday, March 20, 2010

Random thoughts on cybersecurity

I promised in my last post on cybersecurity to make some suggestions on how DOD can better balance network security with practicality and openness. I have no training in Information Technology and no special knowledge of these things, so I am writing as a layman. Here are a few random ideas:

Tell us about the threats we're up against. I have seen a lot of draconian security measures come down from on high, like thumb drive bans and the total shutdown of Internet in the billeting at a CENTCOM base where I was residing. What I have never seen is any accompanying explanation. Given the amount of frustration and anger these measures cause, a word of explanation would go a long way. Everything I learned about the thumb drive ban came from Wired's Danger Room. Apparently the ban came in response to a massive virus attack, but I didn't hear anything about this for several weeks. Like most people, I get frustrated by the ever-more-complex password rules, but I'm a lot more sympathetic now that I've learned a few things about password cracking techniques. I realize DOD wishes to protect sensitive information about enemy cyberattacks, but troops would be a lot more willing to put up with security measures if we had at least a general idea of the rationale. The reality is that we face cyberattacks all the time. Let the troops in on that; give them a sense of ownership of the fight. This will also give them more trust that leadership actually might know what it's doing.

Don't overclassify. It's essential that we protect sensitive networks from disruption or attack, but DOD often locks information behind secure portals for no logical reason. A good example is my attempt to get the promotion board schedule for the year. This might be because DOD is trying to make AKO and Air Force Portal one-stop shops for information, but because these sites require CAC logins, we are restricting information by default. Is there a way to pull non-critical information out from behind the security fence and put it out in the open, where it belongs?

Make it easy for any servicemember to get an at-home CAC reader. From what I can tell, the Common Access Card actually makes a lot of sense from a security standpoint. It provides a standard logon for DOD websites and it can hold keys for encrypting and signing e-mails. The biggest problem is that CACs only work from CAC-enabled computers. If you're in a remote location (like me), you can't access most vital data and applications. The DOD does provide at-home solutions for using your CAC, but getting these solutions to work isn't always easy. You're on your own to order a compatible CAC reader. In the Air Force you have to download the home use software from Air Force Portal, which requires--you guessed it--CAC access.

So how about this: why doesn't DOD just create self-contained home use kits with an approved reader and the latest software, and make them available to anyone who wants to buy them? Put them in every BX and PX. Make them available for ordering online. Let units purchase them and distribute them to selected members.

Create a single username/password login as an alternative to the CAC. I have no idea the feasibility of this, from a security and technical standpoint, but here goes: Microsoft, Google, and others have created systems where you can use the same login and password for many different web applications. Could we do the same thing in the DOD? Could we have a username/password that works not just for AKO or Air Force Portal, but for virtually any military web app? Instead of trying to remember twenty usernames and passwords, we would just have to remember one. And this could provide an alternative login system for those in locations without CAC access.

Survey the human side of our current security model. I wrote yesterday that many members of my unit had to carry cards listing all our usernames and passwords because there were so many of them and the password rules were so complex. Is it possible that our stringent technical requirements are making us less secure because of the vulnerable human element? If the security bosses in DOD aren't looking at these sorts of habits, they should be. The habits of average users should factor into our security policies.

Make unrestricted Internet access available, off the main network. Again, no idea if this is feasible... but at every military base I have visited there are two ways to get on the Internet. First, you can log on to a US military computer, where you'll deal with security, firewalls, and everything else. Second, you can walk across the street to the Green Bean Cafe where you can pay a couple bucks an hour to use unrestricted wireless Internet access. (The Green Bean at Manas, Kyrgyzstan was hilarious... at least half of the US Army goes to war with orcs and goblins when it isn't fighting insurgents). Why can't DOD provide a service that a coffee shop can? I understand we need tight security on our primary network. But why can't local units subscribe to the local DSL or cable modem company, put a wireless router in the building, and simultaneously provide unrestricted Internet access to those who want/need it? Just an idea.

These are just a few ideas off the top of my head. If my readers have more, share them in the comments.

1 comment:

JD said...

Stop making so much sense--they're going to shut you down. :) `JD