Missing soldiers' CACs remained valid for weeks, data shows

Pentagon officials apparently did not revoke the network security credentials of two Army soldiers missing in Iraq since May 12 until early June, when insurgents claimed in a video they had killed the two, according to sources and data reviewed by Federal Computer Week.

Spc. Alex Jimenez of Massachusetts and Pvt. Byron Fouty of Michigan went missing in Iraq after their unit was ambushed outside Baghdad. The military is still searching for the soldiers, saying the insurgents' video presents no conclusive evidence of their deaths.

The group Islamic State of Iraq released a 10-minute video June 4 showing depictions of Fouty’s and Jimenez’s identification cards in an apparent attempt to prove the group had captured and killed them.

The ID cards also function as Common Access Cards (CACs), which can be used to log onto Pentagon Web sites from computers equipped with a card reader and the requisite software, according to experts. Use of the cards also requires a password.

Each time a CAC is logged in, Defense Department computers check whether an individual’s security credentials, known as certificates, are still valid by cross-checking a departmentwide certificate revocation list.

According to a June 13 snapshot of a list obtained by FCW, the credentials of Fouty and Jimenez were revoked June 5 at 1:51 p.m. and 2:32 p.m., respectively –- more than 20 days after they disappeared.

Questions remain as to what insurgents could have done with the soldiers’ CACs while their security certificates were still valid.

A spokeswoman for the Army’s chief information officer referred questions about the case and general certificate revocation policies to a spokesman for the Office of the Secretary of Defense. The spokesman there referred questions back to the Army, where officials did not provide answers by press time.

According to DOD sources, none of whom agreed to speak on the record, it is unlikely that the extremists would be able to access classified networks.

But they could have gained entry to Web sites with sensitive information the military wants to keep out of public view for security reasons, they say.

“A lot of things would have to line up before there’s any risk” of Iraqi insurgents using the cards to gain access to restricted information, said Jeremy Grant, senior vice president and identity solutions analyst at the Stanford Group’s Washington office.

Other sources suggested the insurgents could offer the cards to groups better equipped to break into Pentagon networks.

Insurgents in Iraq are known to mistreat their captives, and they might have used torture to obtain the soldiers’ passwords, one official said.