The United States Army's Deputy of Cybersecurity Roy Lundgren has confirmed with BuzzFeed the existence of a major computer security flaw that enables unauthorized access to users without proper security clearance. They say the best fix is to make soldiers aware of proper conduct, instead of fixing the technology itself.
Countless computers, and the soldiers who use them, remain vulnerable to a simple hack, which can be executed by someone with little or no security expertise.
The hack allows users with access to shared Army computers to assume the identities of other personnel, gaining their securities clearances in the process, and having their activity logged as that user.
In order to log into a shared Army computer you need to insert your personal Common Access Code military ID. Each card contains a chip that has the individual soldier's permissions and security details, and which helps the military track your activity. Once you remove the card, you are fully logged out. But the hack overrides that system during the shut down period.
"There are instances where the log-off process does not immediately complete upon removal of the CAC. This occurs when the system is running logoff scripts and shutting down applications," Lundgren told BuzzFeed. "The period of time that a system can be accessed following CAC removal before system logoff completes is normally not sufficient to gain unauthorized access."
The U.S. Army has been aware of the flaw for at least two years. One officer, a lieutenant, reported the flaw in 2011, to his superiors — a middle-ranking officer, and another in computer communications. He was made to sign the Army's version of a nondisclosure agreement. Keep quiet, or face jail time, he was told. Another soldier, who went to his superiors and even Congress, got no results.
When asked about the lieutenant's nondisclosure form, the Army did not comment.
"If an issue is reported to our cybersecurity directorate, we would normally contact the system owner and ask them for an assessment," the Army told BuzzFeed, not commenting on the response to this specific report. "Often the risk is known and mitigating factors are already being applied and/or the organization has developed a plan of action to correct the issue."
The lieutenant, who spoke to BuzzFeed on condition of anonymity, was told that there was nothing they could do. It would cost too much to fix it, they told him. It would require redoing too many contracts. "The term they used is that it would be 'impractical' to try and fix it," he says.
"The government and industry must manage numerous risks each day. We look at each situation and decide if it is a low risk or high risk situation. Then the decision must be made how the risk will be managed," Lundgren says. "Often software and/or hardware solutions are not available, supportable, or necessary. In the case of many risks, they are managed via other mitigations such as modifying policy, procedures, or training."
The Army contends that instead of improving the security flaw itself, individual soldiers should make sure they are properly logged off. "The government and industry must manage numerous risks each day," says Lundgren. "Often software and/or hardware solutions are not available, supportable, or necessary. In the case of many risks, they are managed via other mitigations such as modifying policy, procedures, or training."
In response to the problem they are planning an "Information Assurance/Cybersecurity Awareness week" in October as a follow-up measure to their new handbook, released last February, which stresses the importance of individual responsibilities to protect information. According to Lundgren, the handbook "augments current policy, training, and inspection processes and aims to raise awareness and change culture."
"Commanders and other leaders are reemphasizing the importance of protecting our information and systems, and key processes to ensure this," says Lundgren. "The Army is also emphasizing that cybersecurity is the business of all leaders and that we cannot ignore information assurance/cybersecurity requirements due to a lack of knowledge and/or convenience."
Knowledge of the flaw has spread to low-level soldiers who don't work in technology, as confirmed with BuzzFeed by more than one source.
Since many military computers have stuffed, cluttered hard drives as the result of long-term use by large numbers of soldiers, they often hang while shutting down. When soldiers sharing computers are in a rush, this identity swap can easily happen by accident.
BuzzFeed sources say it is easy to accomplish on both secure and non-secure computers. The officer who reported the flaw has tested the exploit to see if it would allow a user to gain access to SIPRNet, the classified DoD network from which Chelsea Manning acquired some of the files she then leaked to the press. It could.