Missing soldiers' CACs remained valid for weeks, data shows

Pentagon officials apparently did not revoke the network security credentials of two Army soldiers missing in Iraq since May 12 until early June, when insurgents claimed in a video they had killed the two, according to sources and data reviewed by Federal Computer Week.

Spc. Alex Jimenez of Massachusetts and Pvt. Byron Fouty of Michigan went missing in Iraq after their unit was ambushed outside Baghdad. The military is still searching for the soldiers, saying the insurgents' video presents no conclusive evidence of their deaths.

The group Islamic State of Iraq released a 10-minute video June 4 showing depictions of Fouty’s and Jimenez’s identification cards in an apparent attempt to prove the group had captured and killed them.

The ID cards also function as Common Access Cards (CACs), which can be used to log onto Pentagon Web sites from computers equipped with a card reader and the requisite software, according to experts. Use of the cards also requires a password.

Each time a CAC is logged in, Defense Department computers check whether an individual’s security credentials, known as certificates, are still valid by cross-checking a departmentwide certificate revocation list.

According to a June 13 snapshot of a list obtained by FCW, the credentials of Fouty and Jimenez were revoked June 5 at 1:51 p.m. and 2:32 p.m., respectively –- more than 20 days after they disappeared.

Questions remain as to what insurgents could have done with the soldiers’ CACs while their security certificates were still valid.

A spokeswoman for the Army’s chief information officer referred questions about the case and general certificate revocation policies to a spokesman for the Office of the Secretary of Defense. The spokesman there referred questions back to the Army, where officials did not provide answers by press time.

According to DOD sources, none of whom agreed to speak on the record, it is unlikely that the extremists would be able to access classified networks.

But they could have gained entry to Web sites with sensitive information the military wants to keep out of public view for security reasons, they say.

“A lot of things would have to line up before there’s any risk” of Iraqi insurgents using the cards to gain access to restricted information, said Jeremy Grant, senior vice president and identity solutions analyst at the Stanford Group’s Washington office.

Other sources suggested the insurgents could offer the cards to groups better equipped to break into Pentagon networks.

Insurgents in Iraq are known to mistreat their captives, and they might have used torture to obtain the soldiers’ passwords, one official said.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.