In the past, the Army has pushed its information technology specialists to watch its networks for attacks and intrusions. Now, the Army has released a new manual for nontechie soldiers, hoping they will make cybersecurity their mission, too.
Intended to be a guide for the average soldier and leader, the 16-page manual emphasizes the importance of widespread training and good habits. The Army distributed the manual online in June.
Lt. Gen. Susan Lawrence, the chief information officer/G-6, said that in spite of automated filters that screen tens of thousands of cyber attacks each day, soldiers themselves are compromising Army networks and systems.
“We’re finding that 80 percent of our security infractions are happening at the desktop by the soldier,” Lawrence said. “It’s poor security practices, poor passwords, going to sites that they shouldn’t be going to, using thumb drives, those things that are against policy.”
Such mistakes can jeopardize a soldier’s security clearance, Lawrence said. A growing number of commanders are taking the matter seriously and holding soldiers accountable.
Much of the new handbook is an overview of vulnerable areas and links to information assurance resources, all intended to prompt leaders at every level to institute strengthened training and enforce standards. Army Secretary John McHugh, in a February memo to leaders across all commands, called for them to identify and improve their weakest areas using the Army’s self-assessment tool, an online survey.
“We’re bombarded, with Cyber Command coming online and stories in the media, about how we need to protect our information and the systems that transport it and store it,” said Leroy Lundgren, deputy director of the Army Cyber Security Directorate. “We wanted to make sure ... its importance is emphasized throughout the Army and that there’s a good healthy culture throughout the Army.”
The manual, titled “Leader’s Information Assurance/Cyber Security Handbook,” covers topics such as phishing email scams, prohibitions against commercial phones on classified networks and the need for soldiers to have anti-virus software on their home computers.
Lundgren said noncommissioned officers should not be inhibited about telling soldiers to safeguard their home computers against identity theft.
“If we take more cybersecurity hygiene steps at home, we’re more likely to do it in the workplace,” he said.
Succumbing to phishing at work, “you could be granting somebody access into the network,” Lundgren said. With access, someone could take information, “delete things, take someone’s identity and their information and pretend to be them.
“A lot of people don’t realize, they think it’s my thumb drive and it’s one time, but that’s all it would take,” he said.
In January, a Defense Science Board report decried the military’s “permissive” cybersecurity culture, citing the 2008 “Buckshot Yankee” cyber attack in which a flash drive believed to have been infected by a foreign intelligence agency uploaded malicious code onto a network run by the military’s Central Command.
The report called for mandatory Defense Department-wide cybersecurity education and for leaders to hold policy violators accountable. The report said, “Cyber culture must become as important as weapons handling or physical fitness to our military service members and DoD personnel.”
The idea behind the Army’s education efforts is to stymie sophisticated enemies scanning the Army’s networks for weaknesses. The same simple techniques criminals use to obtain personal information in phishing attacks can be used to access military networks.
“We’re trying to get people to a certain level of understanding,” Lundgren said. “If you wouldn’t give [personal information] to a stranger in the street, why are you even considering giving it to them on the network?”
The handbook’s release coincides with other efforts in the Army. The Cybersecurity Directorate is sponsoring the Army’s first cybersecurity awareness week in October, it has promulgated the self-assessment tool, and it has launched comics and YouTube videos on the topic.
In one “On Cyber Patrol” video, a soldier who is about to leave a room with his smart card plugged in to his computer is tackled by a commando. The commando, clad in black, warns the soldier to be more conscientious.
Lundgren said each Army command has been asked to complete the information assurance self-assessment tool as part of operational inspections. The commanders are supposed to identify where they are weakest, report to the CIO/G-6 and use that information to create training events during Cyber Awareness Week.
How to hold soldiers accountable has been tricky because it is not always easy to trace how violations occurred or the motivations behind them.
“Already, we have increased awareness throughout the community,” Lundgren said.