Missing soldiers' CACs remained valid for weeks, data shows

Pentagon officials apparently did not revoke the network security credentials of two Army soldiers missing in Iraq since May 12 until early June, when insurgents claimed in a video they had killed the two, according to sources and data reviewed by Federal Computer Week.

Spc. Alex Jimenez of Massachusetts and Pvt. Byron Fouty of Michigan went missing in Iraq after their unit was ambushed outside Baghdad. The military is still searching for the soldiers, saying the insurgents' video presents no conclusive evidence of their deaths.

The group Islamic State of Iraq released a 10-minute video June 4 showing depictions of Fouty’s and Jimenez’s identification cards in an apparent attempt to prove the group had captured and killed them.

The ID cards also function as Common Access Cards (CACs), which can be used to log onto Pentagon Web sites from computers equipped with a card reader and the requisite software, according to experts. Use of the cards also requires a password.

Each time a CAC is logged in, Defense Department computers check whether an individual’s security credentials, known as certificates, are still valid by cross-checking a departmentwide certificate revocation list.

According to a June 13 snapshot of a list obtained by FCW, the credentials of Fouty and Jimenez were revoked June 5 at 1:51 p.m. and 2:32 p.m., respectively –- more than 20 days after they disappeared.

Questions remain as to what insurgents could have done with the soldiers’ CACs while their security certificates were still valid.

A spokeswoman for the Army’s chief information officer referred questions about the case and general certificate revocation policies to a spokesman for the Office of the Secretary of Defense. The spokesman there referred questions back to the Army, where officials did not provide answers by press time.

According to DOD sources, none of whom agreed to speak on the record, it is unlikely that the extremists would be able to access classified networks.

But they could have gained entry to Web sites with sensitive information the military wants to keep out of public view for security reasons, they say.

“A lot of things would have to line up before there’s any risk” of Iraqi insurgents using the cards to gain access to restricted information, said Jeremy Grant, senior vice president and identity solutions analyst at the Stanford Group’s Washington office.

Other sources suggested the insurgents could offer the cards to groups better equipped to break into Pentagon networks.

Insurgents in Iraq are known to mistreat their captives, and they might have used torture to obtain the soldiers’ passwords, one official said.

Featured

  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/Shutterstock.com)

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected