Army to hold commanders and sysops liable for hacks

The Army is preparing new computer security regulations that would make base commanders and system operators liable under the military's criminal code for the security of their information systems.

Col. Mike Brown, the Army deputy director of information security, said the new policy will be based on existing provisions of the Uniform Code of Military Justice and will outline the responsibilities that various Army personnel have for safeguarding their systems. In addition, the policy will describe punishments for people who are found to have failed in their duties.

"There was nothing in the current [computer security] regulation that holds either the commander or the security guys responsible," Brown said. "We're going to try to enforce those security policies to make people accountable and to hold them accountable for what they are supposed to be doing."

Brown said the policy will describe who is responsible for different aspects of computer security and what they are supposed to do. For example, systems operators may be required to do "vulnerability assessments," but security of communications systems would be under the purview of intelligence officers.

He said, however, that officials had not settled on details, such as what sanctions would be in store for those who did not abide by the policy, and he said it will take six to eight months to complete the regulations.

Lawyers familiar with military law said the policy would probably be compatible with existing rules governing the physical security of Army property. Eric Marcotte, a partner with Winston & Strawn, Washington, D.C., who practices military law in the Air Force National Guard, said officials could prosecute personnel for breaches in computer security under current "dereliction of duty" laws.

"I think it's more of a message that the military is going to place emphasis on enforcement of this aspect of their duties," Marcotte said, adding that convictions in military courts require proof that a person's actions were "derelict." Civilian employees are not covered by the military code.

Nevertheless, some security experts questioned whether criminal sanctions are appropriate because information systems are so difficult to safeguard. "Today's computer systems can be very, very complicated," said Allen Church, an agency expert in secure Internet technology with the General Services Administration. Spelling out specific responsibilities for keeping systems secure would be "an endless task," he said.

"I could see where this would very likely encourage computer system people not to make any changes to their systems and keep the oldest technology," Church said. "Don't get on the Internet, don't get on any network, just keep your system hard-wired. There would be very little incentive to try something new."
