Army to hold commanders and sysops liable for hacks

The Army is preparing new computer security regulations that would make base commanders and system operators liable under the military's criminal code for the security of their information systems.

Col. Mike Brown, the Army deputy director of information security, said the new policy will be based on existing provisions of the Uniform Code of Military Justice and will outline the responsibilities that various Army personnel have for safeguarding their systems. In addition, the policy will describe punishments for people who are found to have failed in their duties.

"There was nothing in the current [computer security] regulation that holds either the commander or the security guys responsible," Brown said. "We're going to try to enforce those security policies to make people accountable and to hold them accountable for what they are supposed to be doing."

Brown said the policy will describe who is responsible for different aspects of computer security and what they are supposed to do. For example, systems operators may be required to do "vulnerability assessments," but security of communications systems would be under the purview of intelligence officers.

He said, however, that officials had not settled on details, such as what sanctions would be in store for those who did not abide by the policy, and he said it will take six to eight months to complete the regulations.

Lawyers familiar with military law said the policy would probably be compatible with existing rules governing the physical security of Army property. Eric Marcotte, a partner with Winston & Strawn, Washington, D.C., who practices military law in the Air Force National Guard, said officials could prosecute personnel for breaches in computer security under current "dereliction of duty" laws.

"I think it's more of a message that the military is going to place emphasis on enforcement of this aspect of their duties," Marcotte said, adding that convictions in military courts require proof that a person's actions were "derelict." Civilian employees are not covered by the military code.

Nevertheless, some security experts questioned whether criminal sanctions are appropriate because information systems are so difficult to safeguard. "Today's computer systems can be very, very complicated," said Allen Church, an agency expert in secure Internet technology with the General Services Administration. Spelling out specific responsibilities for keeping systems secure would be "an endless task," he said.

"I could see where this would very likely encourage computer system people not to make any changes to their systems and keep the oldest technology," Church said. "Don't get on the Internet, don't get on any network, just keep your system hard-wired. There would be very little incentive to try something new."
