Jul 04 2012

New USCENTCOM network policy punishes the innocent

Major General Karl Horst admits punishing the guilty isn't working

Happy birthday, America! I hope you don’t mind if I take this opportunity to bash our men & women in uniform who give us the independence we so richly enjoy.

I’ve railed at the Pentagon for a few years now that “OPSEC and COMPUSEC are no longer two sides of the same coin.” To the very best of my knowledge, there is no formal punishment for COMPUSEC violations: violators simply retake DoD’s information assurance course so they can get their computer accounts unlocked.

“Rob, what’s a ‘COMPUSEC’ violation?” I’m glad you asked. The word itself is military shorthand for “computer security.” Violations of COMPUSEC often involve a classified data spill where the information ends up on a network not accredited for it. These days it probably means someone typed SECRET data into a NIPRNET email; in some cases TOP SECRET and/or SAP tidbits may get typed into a SIPRNET email. You’ll also find some rather embarrassing cases (plural) where public affairs offices published photos later identified as classified. And, of course, mishandled USB drives can lead to enclave barrier violations.


At this point I’m working to confirm / debunk several hypotheses:

  1. No one in the USCENTCOM “AOR” (i.e. the war zones) received an Article 15 for a COMPUSEC violation since 2001.
  2. No one in the USCENTCOM “AOR” received a formal letter of reprimand for a COMPUSEC violation from 2001 through 2011.
  3. COMPUSEC violations are so widespread that multiple generals & “SES” civilians have committed them by now, regardless of whether they were in garrison or in the war zones.

And this leads me to vivisect a USCENTCOM policy document I obtained under the Freedom of Information Act. It confirms something I find astonishing:

USCENTCOM now punishes innocent people for classified data spills — because they admit punishing the guilty isn’t working!

If you attended military boot camp or high school football camp, you’ll recognize it as collective punishment. And, indeed, it’s exactly the kind of philosophy that must have brought this new policy into existence. Everyone in the violator’s chain of command, all the way up to colonel, now incurs the same punishment.

What is that punishment? Well, uh … they all temporarily lose their network accounts until they retake “information assurance” training.

Which they all must retake every year, anyway.

20120622 USCENTCOM FOIA excerpt, para 3C

“Our security is being compromised by an increasing number of network security violations which indicate a command-wide lack of understanding of the threats associated with improper handling of classified information on computer systems,” Major General Karl Horst laments in his new USCENTCOM policy. “Effective immediately … for each violation, the offender, and the chain of command up to the O-6 level, will be required to take the [new & more rigorous] course of instruction. The [O-6?] supervisor will reply by endorsement when the training has been completed. The goal is to ensure the entire chain of command fully understands the infraction.”


Okay, so General Horst sees “an increasing number of network security violations which indicate a command-wide lack of understanding.” He now punishes innocent people because punishing the guilty hasn’t worked.

Why does Horst still accept DoDD 8570 certs when he admits they foster a “lack of understanding” that requires “a more rigorous training program”?

Ask yourself: where does Horst’s “component command” get all of its soldiers, sailors, airmen, and marines?

Answer: from everywhere in the Department of Defense. Horst fills the “AOR” with folks temporarily assigned from sub-component commands: USAFCENT, USARCENT, MARCENT, NAVCENT, SOCCENT, and so on. Those sub-component commands get their folks from Air Force bases, Army forts, Marine posts, Navy ports, Special Operations Command pup tents, and so on.

This means Horst’s new policy confirms what I strongly suspected a few years ago (highlight added):

A systemic breakdown of COMPUSEC surety has crept into the Pentagon’s cyber operations like a noxious weed. Its roots must go all the way up & down the chains of command. It might be global in scope by now.

We already know everyone in uniform must pass a DoDD 8570 information assurance test each year so they can use a computer. And now we know hordes of people all across the military screw up during their excursions to USCENTCOM. So why does Horst think this is his problem to solve?

Wait, it gets worse. Horst’s new policy compels his sub-component commands to “implement a more rigorous training program” than the DoDD 8570 information assurance training they currently deliver. Implement it based on what, you might ask?

To use an old metaphor: Horst told his sub-component commands to “add clean water to dirty water.” Heaven help anyone who drinks from that fountain of knowledge!

Frankly, it would be more logical for Horst’s “J6” advisor to recommend he stop accepting DoDD 8570 certs in favor of a more stringent USCENTCOM training program. I mean, if you’re going to make a DoD-wide problem your own, then for heaven’s sake go solve it DoD-wide!

(Maybe he could demand a CompTIA Security+ certification in lieu of… oops, too many virus myths in that cert. Don’t fret: I know who can solve this. “Hello, operator? Get me Rob Lee at SANS!”)

I dare say Major General Horst’s policy almost fits the mold of Major General Mireau in the movie “Paths of Glory”: a man who first dooms his own men, then up & kills some of his survivors just to assuage his bruised ego. “Oh come on, Rob! We’re not talking about life & death here.” YES WE ARE

—well, okay, yeah, we’re not really talking about life & death here. I mean, if it was life & death, we’d see courts-martial and Articles 15 galore. So it’s really just about a bunch of careless military folks who inadvertently type SPECAT into NIPRNET emails with a low risk of exfiltration. (“Good grief, Rob, where do you come up with all these bizarre words?” Hush, I’m on a roll!)

So let’s take death out of the equation and just focus on the failure.


Horst’s new policy will ultimately fail for two reasons. Of lesser importance, it’ll fail because it tackles the symptoms rather than the root cause.

Of greater importance, it’ll fail because lower-echelon bureaucracies will resist collective punishments for their top field grade officers. One general cannot take away “RHIP” from a glamour of colonels!

20120622 USCENTCOM FOIA excerpt, para 3E

Indeed, I’ll bet Horst a soda his true O-6 mandatory participation in “the course of instruction” is already halved. The other half by now pencil-whips it — especially for colonels who see this problem routinely, as must be the case at the USAFCENT CAOC.

Given enough time — and given no real investigative oversight from higher headquarters — we can expect lower-echelon bureaucracies will soon extend their pencil-whips to protect favorable foul-ups. A rising A6 squadron commander, say, or a special ops NCO back from a site survey. They won’t even remember, let alone care, if their pencil-whips “require approval of the first flag/general officer in the chain of command.” Instead, it’ll go something like this:

XO:
…so, yes, he spilled a TS code word, colonel, but it was on SIPRNET and both recipients are read in. It’s not like the enemy will read it. You have to decide if he chops to the LZ tonight or if he reports to IA tomorrow.
CC:
Did he show remorse?
XO:
Sir, he’s beating himself up over it more than you could do to him.
CC:
Okay, tell him he’ll answer directly to me if it ever happens again. Let’s close this.
XO:
You’ll need to sign some paperwork for USCENTCOM, sir.
CC:
I always do.
XO:
I’ll prep it for your sig…

Notice I said “given no real investigative oversight.” What if higher headquarters demands proof everyone got punished… er, took “the course of instruction”? Does USCENTCOM demand a certificate of completion for “Retardial Information Assurance Course 098”?

If they do, then it will give all the more power to a horde of “J6/IA netmongers” who look down on their own users as a potential threat to the United States. Never underestimate these bigots. To them, “if you ain’t IA, then you ain’t Shiite.” Horst’s new policy will give them a bigger club to swing at their true enemies:

IA:
Now, sarge, I know your people meant well, but, what they did, in a different context, could very well threaten the life of your troop if that fitrep had been posted into his personnel records.
NCO:
Where the Chinese and Iranians can read it with impunity because you can’t keep them out of our networks, right?
IA:
Sarge, that’s not funny.
NCO:
You know what’s not funny? I had nothing to do with this.
IA:
Sarge, you failed to supervise the offender’s supervisor who failed to supervise the offender.
NCO:
And you don’t want us to “T-K” our own guys. I get it. Please, just log me into your computer so I can get this over with.
IA:
Sarge, don’t sit in that chair. That one belongs to that desk over there. I’m sure you wouldn’t like it if someone rubbed his butt sweat all over your seat, now, would you?
NCO:
Do you treat everybody like the enemy? ‘Cuz this isn’t Abu Ghraib, you know.
IA:
Sarge, you’re my POW until I sign this certificate saying you passed your remedial information assurance training.
NCO:
Like I said. Let’s get this over with.
IA:
Good. I just need to see your ID card.
NCO:
What, the access badge hanging around my neck isn’t good enough for you?
IA:
An access badge is not a valid form of identification in accordance with USCENTCOM policy letter dated 28 September 2011.
NCO:
You’re making that up.
IA:
I am not! We keep a copy of the policy letter on hand just for people like you who question why they’re being punished.
NCO:
Show me in that policy letter where it says I can’t ID myself with an access badge.
IA:
Sarge, are you going to keep stalling or are you going to take the remedial test? Because if you’re not going to do the CBT, then you’re wasting my valuable time.
NCO:
Time you’d just spend updating your LinkedIn resume, right?
IA:
Sarge, that’s not funny.
NCO:
This badge gets me into the SCIF that, by the color of your badge, tells me you’re not even authorized to enter.
IA:
It’s still not a valid form of identification, sarge, and you know it.
NCO:
You’ve never actually seen a JWICS terminal, have you?
IA:
Sarrrrrrrrrge…
NCO:
Like I said. Let’s get this over with.

{FYI: I based the “IA” character on the comm squadron NCOIC at Tallil AB, Iraq in mid-2003. That miserable person’s sole job was to make computing as miserable of an experience as possible for everyone on base (I don’t make this claim lightly). These people really do exist, folks. And many of them have found a niche in J6/IA where they can be Judge Dredd. Congrats to General Horst for giving them another club to swing at their true enemies.}

Memo to Major General Karl Horst: I’m glad you made it all the way to the bottom of this column. You’re not really the enemy here — you’re just hobbled by the collective J6 groupthink mentality. Click here.

  • By Rob Rosenberger, 5 July 2012 @ 2:04 pm

    General Horst himself signed the cover letter releasing the document I requested under FOIA. He redacted only one item, claiming it is “a clearly unwarranted invasion of personal privacy” to divulge the phone number for his J6/IA shop. I typically contest these things given the fact a headquarters function has no right to “personal privacy” for its official phone number. But in this case it’s the *only* thing Horst redacted, so I’ll keep it just to demonstrate the stupidity of it.
