Download PDF - Department of Navy Chief Information Officer - U.S. ...

Sailor Stores PII in Commercial Facility;
Fails to Pay the Bill
By Steve Muck
Figure 2 – The new technology and features introduced in SCA4.
solutions which are appropriately tailored to a particular product.
For the radio user, the flexibility permits customization and
extension of the features and capabilities of the original product.
Notable new SCA4 core features include lightweight components,
profiles, static ports, push model registration, intraapplication
connectivity and Common Object Request Broker
Architecture (CORBA) neutrality as depicted in Figure 2.
The SCA4 lightweight components can lower the cost of
software defined radios with the new optional inheritance
technology, which reduces software development and maintenance.
Previously, the developer was required to implement
all of the inherited interfaces even though all of the inherited
interfaces may not have been necessary. For example, an SCA
2.2.2 Resource Interface inherits the TestableObject Interface
and needs to implement the runTest operation regardless of
whether or not the component provides a test capability.
SCA4 allows the developer to only include the interfaces
necessary for the implementation, eliminating unused or underutilized
code. With SCA4, the developer would not include
TestableObject within the interface inheritance hierarchy and
not be required to implement a runTest operation. An optional
inheritance’s benefit is the reduction in the number of applicable
requirements; however, one should not lose sight of the
fact that the savings associated with this feature are distributed
across the entire software development life cycle.
Users that demand minimal boot-up times will benefit from
the introduction of the “push” model design pattern in SCA4.
The SCA was originally developed with a client-side “pull” design
pattern which required components to register with the framework
upon entry to the domain and then the framework would
query the component for information needed to complete the
deployment process. Within the SCA4’s push model approach,
when a component registers with the framework it is able to
provide all of its information upfront. The change in the interaction
model can achieve reductions in boot-up time, perhaps a
50 percent decrease.
The push model can be optimized even more in SCA4 by
extending it with the new static ports feature. Static ports allow
for an implementation specific approach to connection establishment.
Connections can be formed in an efficient manner at
run time or at build time which will result in more savings that
will become even more apparent for systems with applications
that require hundreds of port connections.
Security aware customers will be pleased with the information
assurance enhancements in SCA4. The original pull model
approach allowed access points to vulnerable system data.
SCA4’s push model pattern eliminates the possibility of clients
requesting information they should not have and removes susceptible
access points. Security-minded developers of earlier
versions of the SCA no longer have to manage these challenges
in SCA4, it’s simply built-in, and enables a cyber-hardened SCA4,
software defined radio without increasing cost and battery
consumption.
Suppose you want your software defined radio application
to connect to another application running on the radio. SCA4
introduces intra-application connectivity to connect multiple
applications for sharing and exchanging information. This permits
the inclusion of tactical mobile apps, such as those found
in the U.S. Army’s Marketplace, an Android-based app store, to
be deployed on military software defined radios and interconnected
with military applications. The SCA4’s new connectivity
options are ideal for handling communication to these external
apps seamlessly via the Android presentation layer.
The most anticipated stance in SCA4 was leniency on requiring
specific middleware technologies, namely CORBA. The SCA
no longer mandates the usage of CORBA as the sole middleware
option. CORBA is still a viable alternative for SCA platforms and
applications, but the SCA4 provides mechanisms to extend the
specification with additional transfer mechanisms.
SCA4 transcends the boundaries of software developers and
architects with mass appeal through a model driven architecture
approach. A specific industry could tailor its own platform
specific model from SCA4 by detailing which options and features
are right for its system. SCA4 takes the next step in streamlining
the development and maintenance of software defined
radios all while promoting flexibility and security as ingrained
features. This newest standard, officially versioned as SCA 4.0,
was approved by the JTRS Interface Control Working Group and
the Wireless Innovation Forum Feb. 28, 2012. A complete set of
SCA4 documentation, JTRS APIs, models and informative presentations
are available on the SCA public website: www.public.
navy.mil/jpeojtrs/sca/Pages/default.aspx.
T
he following is a recently reported personally identifiable
information (PII) data breach involving a Sailor
who improperly handled PII. Incidents such as this one
will be reported in CHIPS magazine to increase PII awareness.
Names have been changed or omitted, but details are factual
and based on reports sent to the Department of the Navy
Chief Information Officer Privacy Office.
The Incident
A Sailor removed several boxes of personnel and training
records from his command and stored them, along with his
personal gear, in an off-base commercial facility. Months
passed during which time the Sailor failed to pay his monthly
storage fee. While the bills remained unpaid, the Sailor transferred
to a new command. After a several months-long delinquency
period, the storage facility auctioned off the property
to a church. In assessing the contents, the church discovered
hundreds of documents containing PII and notified the base
security officer who then retrieved the boxes and reported
the incident as a PII breach.
The Cyber Security Division with Marine Corps Camp Lejeune implemented required training for Department
of Defense personnel to increase awareness and protect the Marine Corps network. Devices such as thumb
drives and smart phones, when connected to a computer, are one of the many ways a government computer
can contract malware. U.S. Marine Corps photo by Pfc. Nikki Phongsisattanak.
Actions Taken
The records had to be reviewed to identify the extent and seriousness
of the PII breach. Names of more than 2,800 personnel with
associated personally identifiable information were identified.
A list of personnel with high-risk PII elements, such as Social
Security number, date of birth and place of birth, reduced the
total number of personnel who were considered at risk for potential
identity fraud to 1,200. The DON CIO Privacy Office determined
that notifications to the high-risk personnel were required.
Approximately half the high-risk personnel had left the command
and in those cases, home addresses were researched. The irresponsible
Sailor was punished for mishandling PII and failure to
follow DON policy in accordance with the Privacy Act of 1974.
Lessons Learned
» Unless it is your own, personally identifiable information
should never be taken home.
» PII must be physically secured at all times.
» A breach of this magnitude requires extensive administrative
work to mitigate.
» Supervisors must monitor their workplace and be mindful
that subordinates need continual training and supervision.
» Paper and electronic records must be reviewed on a routine
basis for retention or destruction.
» The DON CIO Privacy Office can provide assistance in finding
addresses of personnel who have transferred to a new command
or have left the service.
Similar acts of carelessness are frequently reported to the
DON CIO Privacy Office. While this particular incident caused
a number of people a substantial amount of administrative
work, the department is fortunate in that a responsible person
returned the documents to government control. This minimized
the potential risk to those personnel whose documents
were improperly stored. DON personnel are reminded to properly
safeguard all PII when it is under their control and to report
any breach as soon as it is discovered.
Steve Muck is the privacy lead for the Department of the Navy
Chief Information Officer.
42 CHIPS www.doncio.navy.mil/chips Dedicated to Sharing Information - Technology - Experience CHIPS April – June 2012 43