Physical operational security (OPSEC) measures in the military are absolute. It is a required function of all soldiers to review, understand, establish and maintain OPSEC practices at all levels.
When soldiers establish a forward operating base, they do so with careful consideration for avenues of approach, housing, power, proximity to support resources, roads, rail, aviation, fuel, water, sanitation, logistics, and medical support, to name a few.
Forward operating bases are established in hostile areas based upon the spectrum of conflict as defined in Figure 1. Forward operating bases are inherently in harm's way. The facility requirement factors for a forward operating base are many and detailed:
- Mission and operational objectives
- Total force structure to be supported
- Expected duration of force deployment
- Types of equipment to be employed
- Number of days of supply to be stocked in the operational area
- Standards of construction
- Operational area medical policy
- Operational area climatic conditions
- Time-phasing of force deployment
- Force protection (for example, antiterrorism/force protection (AT/FP) standoff distances)
- Hazardous material management and waste disposal
- Proximity to lines of communications
- Utility requirements
- Availability and suitability of existing host nation (HN) infrastructure
- Real property factors
- Environmental restrictions
- Cultural and historic sites and sensitive natural resources
- Safety requirements (for example, explosive safety distances, airfield clearance, fire prevention)
There is much to consider just to establish a base that is functional, much less to provide adequate physical security to protect it. Base layout and diagrams are critical to planning of almost any type. Soldiers need to know where the base weaknesses are and how to shore them up during an attack. They need to understand the methods of support and response during times of trouble.
Base commanders participate in preparing base defense plans and instruct their staff on how to operate base defense facilities in accordance with those plans. They ensure individual and unit training so that units are ready for their assigned defense tasks. Some of the commander's initial physical security guidance may be to:
- Identify and prioritize highest risk threats
- Establish, or take handoff of, perimeter security and access control
- Maximize dispersion to mitigate frag/blast effects
- Establish/confirm full-height sidewall protection against frag/blast in high troop concentration facilities and sleeping areas
- Compartmentalize areas with high troop concentrations
- Provide overhead cover and pre-detonation screens for facilities with high troop concentrations
Threats under consideration include adversary-controlled agents or sympathizers, terrorism, demonstrations, civil disturbances, guerrilla units, unconventional forces, small tactical units, air or missile attacks, and nuclear, biological, and chemical (NBC) weapons.
All of this rests on a risk assessment of the area that is continuous: one that starts before deployment to help determine need, and one that continues well after the base is created. The information gathered during these assessments is highly sensitive and classified. Were it to fall into the hands of the adversary, it would ensure death and destruction.
Tests are run to ensure fields of fire are accurate and effective. Passage of lines is tight and practiced. Call for fire is critical to the survival of the base. All these operational aspects are assessed for effectiveness and weaknesses. Nothing is shared with the adversary. It would be ludicrous to think otherwise. It is asinine to consider such an act. The Uniform Code of Military Justice (UCMJ) would view such an action as traitorous. Lives are at stake.
So when it comes to cyber security, why is it that the Offices of Inspector General of almost all federal agencies feel it appropriate to publish the weaknesses of their agency's cyber defenses?
I examined several non-DoD agencies, looking at the OIG section of each website. What I found is both astonishing and commonplace. Astonishing in that the auditors feel it is appropriate to let our adversaries know exactly where our cyber weaknesses are.
Commonplace in that it seems to be an almost universal thought process (when questioned about why they would post such material, one of the answers is always: "Everyone else is doing the same thing, and besides, I can find some of this information on your site already!"). So that makes it okay.
Some years ago, The Washington Post's Style Invitational asked readers to take any word from the dictionary, alter it by adding, subtracting, or changing one letter, and supply a new definition. The one that comes to mind here is "ignoranus".
If the auditors were to find information of a sensitive nature on the target website or system, then they should immediately notify the owners for removal of said sensitive information instead of publishing it for the whole world to see. The crime of giving aid to the enemies of one's government is called what?
OIG audit findings provide a roadmap for exploitation. Putting the definition of security control weaknesses in the public domain gives our adversaries the ammunition they need to quickly and effectively exploit the weaknesses, penetrate the site(s) and exfiltrate the target data. The OIG organizations I examined are below.
AGENCIES and the Corresponding OIG Reports on Cyber Security:
United States Department of Agriculture
United States Department of Commerce
- (Site search for FISMA reports: 1-10 of about 96 results)
- FISMA Eval USPTO Patent Cooperation Treaty Search Recordation System PTOC-018-00.pdf - Acquisition and IT Security SUBJECT: FISMA Evaluation of USPTO's Patent Cooperation Treaty… meet our FY 2009 reporting requirements under FISMA. Because of these two issues, we have…
- FISMA 2004 Reporting Guidance - enter data in allowed fields, use password: fisma A.1. By bureau (or major agency operating… secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security …
- USPTO FISMA job announcement - for Audit and Evaluation SUBJECT: FISMA Evaluation of USPTO's Enterprise Remote Access system …
- FY 2009 FISMA Assessment of Bureau Export Control - 2009 BUREAU OF INDUSTRY AND SECURITY FY 2009 FISMA Assessment of Bureau Export Control Cybe … and bringing it into conformance with both FISMA and departmental requirements. We are also …
- FY 2009 FISMA Assessment of BIS Information - BUREAU OF INDUSTRY AND SECURITY FY 2009 FISMA Assessment of BIS Information Technology (IT… of the entity’s compliance with FISMA and applicable requirements. This review covers our…
- FY 2009 FISMA Assessment of Enterprise UNIX Services System (EUS) (PTOI-010-00) - Patent and Trademark Office FY 2009 FISMA Assessment of Enterprise UNIX Services System (EUS… to communicate the plan as required by FISMA. We appreciate the cooperation and courtesies…
- FY 09 FISMA Assessment of Field Data Collection Automation System (CEN22) - exterior U.S. Census Bureau FY 2009 FISMA Assessment of the Field Data Collection Automation… to our recommendations. As required by FISMA, a plan of action and milestones should be used …
- FY 2009 FISMA Assessment of BIS IT Infrastructure (BI) (BIS002) OSE-19574 - and Security Operations, BIS OIG FY 2009 FISMA Assessment Listing of Abbreviated Terms and… Page 3 OIG FY 2009 FISMA Assessment Introduction BI provides headquarters and 11 field…
- FISMA Audit Identified Significant Issues Requiring Management Attention - November 15, 2010, Final Report OIG-11-012-A… 3 I. Significant Vulnerabilities in Commerce… Security Management Act of 2002 (FISMA) requires agencies to secure systems through the use…
- FISMA Audit Identified Significant Issues Requiring Management Attention - November 15, 2010, Final Report OIG-11-012-A… Security Management Act of 2002 (FISMA) requires agencies to secure their information…
United States Department of Defense
United States Department of Education
United States Department of Energy
- http://energy.gov/sites/prod/files/IG-0856_0.pdf (unclassified program)
United States Department of Health and Human Services
United States Department of Homeland Security
United States Department of the Interior
United States Department of Justice
- Seems to only provide very high level overviews http://www.justice.gov/oig/semiannual/1111/semi.pdf
United States Department of Labor
- Federal Information Security Management Act Audit of EBSA's Technical Assistance and Inquiry System - Report No. 23-11-026-12-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
- Federal Information Security Management Act Audit of ETA's E-Grants System and Unemployment Insurance Database Management System - Report No. 23-11-027-03-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
- Federal Information Security Management Act Audit of the OCFO PeoplePower and New Core Financial Management System - Report No. 23-11-028-13-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
- Federal Information Security Management Act Audit of OASAM E-Procurement System and Employee Computer Network/Departmental Computer Network - Report No. 23-11-029-07-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
- Federal Information Security Management Act Audit of OCIO Entity-wide IT Security Controls - Report No. 23-11-030-07-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
United States Department of State
- Stopped publishing after 2006 - http://oig.state.gov/lbry/archives/fisma/c46901.htm http://oig.state.gov/lbry/archives/it/c46667.htm - The site notes: "OIG reports on this site may be redacted. To request a full copy without redactions or a report not listed in this library," visit the OIG FOIA site.
- "Office of Inspector General (OIG) reports are posted on OIG's Web sites in accordance with section 8L of The Inspector General Act of 1978 (5 U.S.C. App.), as amended. All reports are reviewed, and redacted when appropriate, in accordance with the Freedom of Information Act (5 U.S.C. § 552), and related statutes/regulations, plus the President's memorandum on "Transparency and Open Government", dated January 21, 2009, and the Attorney General's FOIA guidelines dated March 19, 2009." http://oig.state.gov/documents/organization/162876.pdf
United States Department of Transportation
United States Department of the Treasury
United States Department of Veterans Affairs
National Aeronautics and Space Administration
I actually found some organizations that follow prudent and effective security practices. Some stopped publishing cyber security control weaknesses several years ago. Others require a Freedom of Information Act (FOIA) request to get the information, and then it is redacted for sensitive content. Others provide it outright, but again, it is redacted.
Regardless, the majority of OIG organizations publish this highly sensitive information as if they were actually assisting the target agency. Just the opposite. They are ensuring a more rapid penetration of agency cyber defenses. Whose side of the equation here are you on? Why does this need to be public information?
I even found one enterprising ID ten T who took one OIG audit report and is now selling it on Amazon for $12.95. Let’s add insult to injury.
Where is Congress in all this? They bluster and bellow about hacking, cyber warfare, and cyber espionage, but they do not address the foundational elements of online OPSEC. I invite anyone who reads this to contact their representatives (House and/or Senate) and let them know of this practice. It needs to stop.
Mission statements from several OIG sites are as follows:
- To be an agent of positive change, striving for continuous improvement in management and program operations.
- Office of Inspector General's (OIG) mission is to protect the integrity of agency programs.
- Promotes the integrity, efficiency and effectiveness of agency programs and operations to assist the Department in meeting its mission.
- Detects and prevents waste, fraud, and abuse
- Seeks administrative sanctions, civil recoveries and/ or criminal prosecution of those responsible for waste, fraud and abuse in agency programs and operations. (should look in the mirror)
- To promote the efficiency, effectiveness, and integrity of the Department's programs and operations, we conduct independent and objective audits, investigations, inspections, and other activities.
Then we publish this information for all adversaries to see. Having worked in the federal sector, I find many OIG departments who do not practice what they preach. The systems they own and operate within these agencies can be suspect to say the least.
CISOs are afraid to go after them to correct the issues, much less openly identify them, for fear that more will be publicly exposed. Almost all OIGs provide a hotline. I think we should contact them using the hotline email and phone lines to report this as identified abuse.
No CISO would publicly publish their threat and vulnerability assessments, vulnerability scans, penetration tests, or assessments of any type. To do so would be a betrayal of trust and would result in termination (and it has).
Even CIOs understand the ramifications of this type of information exposure. Some recommendations for the CISOs and CIOs of these organizations:
- Classify your security program and all that is in it (at a minimum) as sensitive but unclassified (SBU) - This includes metrics, reports, assessments, security technology stack diagrams, procedures, etc.
- Write a policy, or enhance an existing one, to state that the above is critical to the security posture of the agency and therefore cannot be disclosed in any shape, form, format or medium. A marking alone does not keep a record out of a FOIA release; tie the policy to the applicable FOIA exemption so that redaction, as the State OIG describes above, has a stated basis.
- Communicate this change and gain buy in from the agency administrator since his or her information is also at stake.
- Talk to your peer CISOs and CIOs and create a united front against the OIG’s poor practices.
In the words of Chris Berman: C'mon man. Wake up and change your ineffective practices. We are already under siege at the cyber level. Why give them a leg up? Stop being an ignoranus.
About the Author: Jeff Bardin is currently Chief Intelligence Officer for Treadstone 71. In 2007 he was awarded the RSA Conference award for Excellence in the Field of Security Practices. The Bardin-led security team from Hanover Insurance also won the 2007 SC Magazine Award – Best Security Team, competing against such organizations as Barclays Global and the Department of State. Jeff sits on the Board of Directors of Boston Infragard, Content Raven and Wisegate; was a founding member of the Cloud Security Alliance; is a member of the Cyber Security Forum Initiative and the RSA Conference Submission Selection Committee; and formerly served on the Customer Advisory Board for Chosen Security. Jeff published The Illusion of Due Diligence in 2010, was a co-author of the Computer and Information Security Handbook and Understanding Computers, and has published articles for magazines such as The Intelligencer, CSO, and SC Magazine. Jeff served in the USAF as a cryptologic linguist, and in the USANG as an officer. He has a BA in Special Studies - Middle East Studies & Arabic Language from Trinity College as well as an MS in Information Assurance from Norwich University. He is also a professor in the master's programs in cyber intelligence, counterintelligence, cybercrime and cyber terrorism at Utica College. Jeff also holds the CISSP, CISM, C|CISO and NSA-IAM certifications.