Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Technology newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (August 31, 2020, 12:34 PM EDT )
 |
| Eric Leckie |
Similarly, virtual private network and commercial virtual remote environment use also have increased dramatically. That helps DOD personnel collaborate securely from any location.
Obviously, the DOD takes security seriously amid this initiative, which brings a rapid and urgent pace to efforts that previously were intended to take years. However, allowing remote operations does decrease control over the information, and the rapid pace leaves open the potential for mistakes or unforeseen consequences.
Those working for the DOD would do well to take extra precautions to protect themselves from liability.
Swinging the Liability Door Wide Open
It's not entirely clear how sensitive the data is that will be accessed remotely. The U.S. Army's remote classified access capability will connect users with nonclassified but sensitive information, along with classified information up to the secret level, according to C4ISRNET.[2]
As far as how to handle the data that's being created — preserve it, move it, destroy it — the Army and U.S. Air Force mostly will use online computers that can't store information on their systems; employees will get specific computers with the appropriate operating systems, according to ClearanceJobs.[3]
The government says it has found commercial solutions[4] that simplify the process of adequately protecting information while working remotely. Yet much relies on individuals and their clear understanding of policies — which may continue to rapidly evolve thanks to coronavirus. Some functions still may have to take place on secure sites.
Typically, individuals who access secure information do so in very controlled environments — a sensitive compartmentalized information facility, or SCIF. When on base or in a secured facility, entry is monitored. Laptops and documents do not leave the secure area. Cellphones are turned off and stored; such devices, often made outside the country, pose the risk of being hacked and used as the eyes and ears of foreign intelligence agencies. Individual users also could, wittingly or not, record images or videos of secure information and remove it from the SCIF.
But in the current situation, imagine that a colonel is given a laptop to take home and use for his work, which includes accessing secure information. If he's married and has children, every cellphone in that house poses a risk — including his own. Who knows for sure what could happen if he's working on classified information in one room while his 16-year-old spends three hours on TikTok — which government leaders already worry is a security threat[5] — in the room next door? Guests, along with their cellphones, introduce additional risk.
Months of time and thousands of dollars have been put into background investigations to determine who can look at the secure information, but no family members or home visitors have gone through similar vetting processes. The potential spillage increases exponentially, with no effective way to safeguard against it. The key question: Who would be on the hook?
Here's another concern: If the laptop is lost or stolen, this hypothetical colonel (any active-duty service member) could face criminal charges under the Uniform Code of Military Justice and could have his clearance revoked — potentially career-ending events. Likewise, supervisors in these scenarios could be accused of failing to supervise properly and face damaging consequences.
Service Members, Hit Pause
Given the incredible difficulty of effectively mitigating all the additional risks of accessing secure information outside of SCIFs, employee service members and security clearance holders are put in horrible positions if they're given the impression that everything is OK.
The threat is very real and growing: The DOD has reported a surge in spear-phishing and other hacking attempts related to COVID-19. There's a litany of possible negative outcomes in terms of misplaced or lost gear or information — the chance goes from basically 0% at a SCIF to a big unknown.
Here's where service members should hit the pause button: Before they ever leave a secure area with a laptop or other remote work device, they should get in writing from their immediate supervisor a list of specific protocols and procedures for accessing that information from outside a secure facility. A simple email requesting it from the service member to their boss should be sufficient and would establish a record to protect the service member as long as they adhered to the protocols and procedures.
There must be consensus across the board about the protocols, and the supervisors need to enlist the help of the security managers to ensure that there is a formalized training plan and that it is executed with 100% attendance and participation from all subordinate service members and employees.
Beyond that, apply best practices:
- Protect work equipment. Keep work-issued laptops, phones or other devices securely stored, and don't let anyone else use them. Don't transport the devices apart from work or home unless absolutely necessary, and in those instances, keep them close (i.e., don't leave them in the car). Don't use public Wi-Fi. And be sure to log out when not using the devices.
- Avoid the temptation to use personal devices to access work information. They are not equipped with the same safeguards and thus add risk. There's been plenty of coverage of high-profile figures making this mistake.
- Given the surge in spear-phishing and other COVID-19-related fraud, be wary of any emails or other communications that seem at all suspicious. Essentially, spear-phishing emails appear to be from trusted sources but are aimed at manipulating targets to click on websites that would cause them to reveal confidential information (passwords, identification numbers, personal information, etc.). Check out emails that demand a response by separately looking up contact information for the supposed sender and contacting that entity for verification that the request is legitimate.
- Establish a secure home office. Be mindful of whether unauthorized people may be able to see the computer screen or overhear sensitive phone conversations — some people speak loudly on the phone without realizing it.
- Be aware of home network security measures. This may require the help of a tech expert at the office; that expert may be able to suggest additional safeguards beyond the ideas listed here. Consider aspects such as having encrypted Wi-Fi connections with secure passwords, making sure any antivirus or intrusion protection features on home firewalls are turned on, adjusting network security settings to make sure work devices aren't affected by unsecured devices used by others in the household, install system updates regularly, and make sure any virtual private network is configured securely.
The Department of Defense views its remote work efforts as an investment in the future, expanding its agility and capabilities in the case of future pandemics or other crises.
However, the huge red flag of security must be adequately addressed to ensure that risks have been identified before the rapid rollout. And individual service members shouldn't be left to become collateral damage.
Eric Leckie is a principal attorney at Invictus Law.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] https://www.defense.gov/Explore/News/Article/Article/2288854/dod-schedules-second-annual-cio-global-virtual-town-hall-meeting/.
[2] https://www.c4isrnet.com/2020/06/22/the-army-will-soon-allow-users-to-access-classified-info-from-home/.
[3] https://news.clearancejobs.com/2020/06/29/u-s-army-takes-classified-and-sensitive-information-home/.
[4] https://www.nsa.gov/resources/everyone/csfc/.
[5] https://www.cnn.com/2020/07/09/tech/tiktok-security-threat/index.html.
For a reprint of this article, please contact reprints@law360.com.
