Reporting Data Loss: Tough Choices, One Answer

June 18, 2010

When military data is lost, stolen or compromised, the potential dangers are obvious.  Lost personal data can lead to identity theft, lost operational data can lead to mission cancellation or failure and lost technical data can lead to other compromised systems and even further damage.  While loss of data is bad enough, sometimes the loss is not mitigated in a timely fashion.  When this happens, it is often not because of a stealthy hacker or a missing hardware audit.  It is because somebody did not report the incident out a fear of potential personal consequences.  We need to change that mindset.   Not accepting responsibility and warning others of a network or data breach can put missions and lives at risk. 

So if you are the cause or you discover a loss of data or a hacked network, it’s decision time.  Report it or cover it up.  What’s worse?  A chewing out from your CO or knowing that letting your error go unreported resulted in an ambush or the identities of fellow soldiers and their families being stolen?  Even if the person that discovers the loss is not personally responsible for the incident, they might be reluctant to report it because it would reflect badly on friends or the unit. 

Military personnel tend to have the not on my watch mindset.  This is a great attribute when it comes to the defense of a position or ensuring that everyone makes it back from a patrol.  However, when such dedication to that statement means that fellow soldiers are at risk because of an unreported breach of network security, it is unacceptable.  Neither is taking a “not my problem” attitude.  Loss or compromise of military data is everyone’s problem.

Most soldiers will take responsibility if they are at fault.  But many of these same soldiers will cover for a buddy’s mistake.  Covering for someone is often considered being a team player.  That’s fine, if you help Bill get ready for inspection after a tough night of leave or taking on more work because Ed needs to deal with a family matter. However, covering for someone in the case of data loss is as risky as not reporting your own error.

Fear is often the motivation for not reporting an incident.  Nobody wants to get chewed out or written up.  But think about what could happen if data has been compromised and nobody that can do something to eliminate or reduce the problem is ever told.  The punishment for not reporting a network security problem that is found out later will be much greater than reporting it in the first place.  It’s like when you were a kid.  Do you tell your parents?  It’s basically the choice between a scolding and being grounded for a month.  In the military, grounding can take the form of docking your pay or sending you to someplace you really don’t want to be.  But the real issue is not a personal one.  The fact is that delay in reporting lost or stolen data can result in lost identities, compromised missions and possibly risk to soldiers in theater.

If you discover a network security breach you should report it to the proper authorities immediately. That’s a regulation.  Take what steps you can to discover the details of the breach and make those known as well.  Do not be influenced by anyone trying to prevent you from taking those steps.  It will still be you on the line.  Nobody’s hard feelings are worth a black mark on your service record.  If anyone thinks this is kissing up or not being a team player, imagine what you would think if you were caught in an ambush or had your personal data stolen because someone didn’t report a data loss.

In the end, discovering an information loss incident gives you three options.  Cover yourself, cover for someone else or be a soldier and take responsibility“Be a soldier and take responsibility is the only one right answer!

The On Cyber Patrol© cartoon and supporting articles are created and made available by the U.S. Army’s Office of Information Assurance and Compliance, NETCOM, CIO/G6. For more information on the OCP program or to submit ideas for upcoming cartoons/articles, contact oncyberpatrol@hqda.army.mil.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.


Share Your Thoughts:

This is a GREAT article despite the dismay of the breach. In David Scotts words, everyone needs to be a mini-Security Officer today. I think Mr. Scott, the author, is right: Most individuals and organizations enjoy Security largely as a matter of luck. For some free insight (and free is good!), check out his blog, The Business-Technology Weave you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Anyone else here reading I.T. WARS? It reflects much of what is said here. I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary an eCulture for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS check out a couple links down and read the interview with the author David Scott at Bostons Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). In the realm of risk, unmanaged possibilities become probabilities. Keep security front and center! Great stuff.

Janice, Thank you for your comment. I passed it along to the folks at the Office of Information Assurance and Compliance and they were very happy to hear from you and that you enjoyed the piece. Thanks for sharing the info on Mr. Scott's book as well.