Public Web Sites Are a Treasure Trove of Sensitive Data
Every day there are hundreds, maybe thousands, of people searching the Internet for classified military data and the identities of military personnel and their families. However, they are not hacking into sensitive databases or trying to breach Pentagon networks. They are simply looking in locations that are filled of this type of free information: social networking sites and personal Web pages.
There is one small group of these data seekers that you would want to be the very first to find this kind of online treasure. They are the Army Web Risk Assessment Cell (AWRAC). The sole mission of AWRAC is to canvas the Internet looking for classified or personally identifying information. Unlike their criminal or terrorist counterparts, they are trying to find this information in order to remove it from the reach of prying keyboards. Unfortunately, they are kept very busy because the amount and content of sensitive information that is posted remains alarmingly large.
The number of attempted intrusions into military and government networks, not to mention critical private sector networks, is growing exponentially. Yet, these probes for sensitive data are often unnecessary because someone has very generously posted such information publically on the web. AWRAC can only catch a percentage of the information that is out there Even then, in some cases they do not have the authority to have it removed, but can only suggest that taking it down might prevent a security breach or identity theft.
Being at risk from posting sensitive data is not just a problem for the U.S. military and government. A review of the general media reveals a number of stories about military operation plans and data appearing on the Internet resulting in scrubbed or compromised missions. This kind of security breach is not only our worry, but that of our allies as well. Often this kind of data loss is not malicious, just very unwise. One would hope that such instances were only occasional isolated incidents. Yet, the stories like this that make it into the press are only the tip of the iceberg. There are more than a few situations where sensitive information is taken down quietly and one can only hope with little or no consequence.
Reinforcing the message of what can be safely posted or discussed on unsecured networks and sites can never be overdone or over emphasized. It is not only personnel working with highly classified material that need to be sensitive to this. Friends and families of military and government personnel are posting information all the time that could be used by criminals, terrorists and enemy states to compromise individuals, missions and entire strategic plans. Training and education are critical elements in preventing sensitive data loss. Also, those that receiving relevant training should appropriately pass it along or reinforce it to loved ones, friends, co-workers and fellow soldiers. No one is exempt from this security concern. Everyone has an important responsibility to keep classified and personal data secure.
Our success in protecting our country will be determined ultimately on how well we protect our information. We are committing millions of dollars in technologies and other resources towards this goal. However, until the awareness, attention and resolve of every single person that has access to any level of sensitive information is guaranteed, we will always be at risk.
As of now, the members of AWRAC and similar groups have rock solid job security. I’m sure that they would be pleased to have to look for other work. An excellent strategic objective would be to disband AWRAC because of lack of work. That would mean that all U.S. military and government personnel, government contractors, and their friends and families would have immediately and permanently ceased posting restricted information on the Web. No one anticipates that this will happen any time soon. So if we can’t put AWRAC out of work, we should all at least make a real effort to give them a few easy days now and then.
The On Cyber Patrol© cartoon and supporting articles are created and made available by the U.S. Army’s Office of Information Assurance and Compliance, NETCOM, CIO/G6. For more information on the OCP program or to submit ideas for upcoming cartoons/articles, contact email@example.com.