Sep 19 2010


OPSEC and COMPUSEC are no longer two sides of the same coin

From: Rob Rosenberger, SMSgt (ret.), formerly of the 609th Information Warfare Squadron; one of USAF’s first four fully certified IW crew chiefs, and the first authorized to run an IW ops floor without an on-site crew commander; also the historian who documented McAfee’s and Symantec’s clandestine cyber-arming of China.

Subj: Systemic breakdown of COMPUSEC surety in A6 & J6 communities

An open letter to U.S. Air Force senior communications officers



In his recent commentary on “Moral Courage & Ethical Behavior,” Brig. Gen. Darryl W. Burke makes a crucial observation:

“Does speaking up when a general officer, colonel or chief presents a questionable idea involve some personal risk? Sure it does—that’s why it’s called moral courage. With few exceptions, though, people don’t reach those senior levels by consistently ignoring good advice and making bad decisions. Instead, they are typically successful because they listen to smart people, adjust their vision and move forward.”

I will now display my moral courage … and, ultimately, I will test yours as well. In my latest column, I ask two philosophical questions:

  1. If “Buckshot Yankee” ended so long ago, then why didn’t the reason for INFOCON 3 change with it?
  2. If 1,872 troops didn’t even get an Article 15 for violating enclave barriers … then what is the punishment for these offenses?

I then go on to derive some important conclusions in my latest column:

  1. There is no formal punishment for turning a USB device into a rogue cross-domain solution.
  2. An institutionalized failure of CRM in the A6 & J6 communities led to a systemic breakdown of COMPUSEC surety in the Pentagon’s cyber operations. This breakdown must be occurring in ways similar to the recent breakdown of NUCSEC surety at B-52 bomber wings.
  3. This breakdown of COMPUSEC surety must have re-manifested itself by now in the form of waivers for senior officers.
  4. Enclave barrier violations and classified data spills must be rising again thanks to waivers. Corollary: such violations must now take place on average at a higher rank level.
  5. Shallow thinkers inside the Pentagon purposely left the INFOCON set for an invalid reason — perhaps even set for an invalid level! — because they don’t know how else to enforce COMPUSEC among military computer users.

(Brig. Gen. Burke is a former chief of flight safety. He can bring you up to speed if you don’t understand the life-and-death significance for an institutionalized failure of CRM.)

Now, gentlemen, comes the test of your moral courage. Do you care if the informal punishment for using a USB device has replaced the formal punishment for unauthorized transfers from SIPRNET to NIPRNET? Do you worry about an institutionalized failure of CRM in the A6 & J6 communities? Does an invalid reason for the current INFOCON bother you?

I follow a simple motto, gentlemen. “If you recognize your problem, you’re halfway to a solution.” I can sum up the root cause of your problem in a dozen words:

OPSEC and COMPUSEC are no longer two sides of the same coin.

OPSEC has always been driven from the top down. COMPUSEC was, too, way back in the WWMCCS era … but not anymore. AFI 33-112 paragraph 16.3.1, for example, usurps your DAA accreditation process and gives your powers to the users themselves.

You can only fix this problem by tackling its root cause, not by tackling its symptoms. Of course you can’t fix it overnight; indeed, you almost certainly won’t fix it during your careers. But you can start the change on the first day of your next assignment.

That’s where your moral courage comes in, gentlemen. Do you have what General Burke talks about?

“But Senior,” you interject. “We’re just lowly colonels and brigadiers. This problem goes way beyond our pay grades.”

Gentlemen, so what? The “bomber barons” experienced the same problems before WWII. What did they do about it? They took over the U.S. Army Air Forces and made it a separate service. The “fighter mafia” experienced the same problems after Korea. What did they do about it? They took over the U.S. Air Force from the bomber barons.

Carpe diem, gentlemen — it’s only a matter of time before the “cyber outers” take over the U.S. Air Force from the fighter mafia. To get there, we need strong-willed leaders who will fight the institutionalized failure of CRM so we can repair the breakdown of COMPUSEC surety. Lead, follow, or get the hell out of the way.

“But Senior,” you interject again. “What if we collectively turn a deaf ear to your concerns?”

Actually, gentlemen, I’ve long prepared for that. You see, I’ve worked behind the scenes since 1997 to enlighten junior NCOs & CGOs who see the forest for the trees. Young people who realize, for example, that viruses spread across networks because USAF’s antivirus “solution” repeatedly fails at the most crucial moment.

Many of these young people serve in the Navy. Some serve in the Army. And, of course, many of them serve in the Air Force. This enlightened corps has methodically worked its way up the rank structure for all these years. It’s only a matter of time before they seize control of the levers of power. Then, gentlemen, we’ll see real change.

My only question to you is: “will you help them, or will you just leave it to them?”

Rob Rosenberger, SMSgt (ret.)

PS: Please notice I sell no product or service. I don’t even run ads on this website. I do everything here as a labor of loveanger. I do it because I’m a protégé of Colonel Steve Orton, the deputy USAFE/A6 in 1985 whose own moral courage set me on this very path.

PPS: AFNIC really should update their fact sheets. General Butler and Mr. Ogg both retired in 2008 before Operation Buckshot Yankee