Keep classified information safe

Sarah Colantuono and Senior Master Sgt. Charles Womack
Headquarters USAFE Information Assurance Office

A guide to preventing and reporting classified messages

There are an increasing number of Classified Message Incidents on the unclassified network, known as the Non-Classified Internet Protocol Routable Network. That’s essentially the military’s Internet. A CMI is the inadvertent transmission or storage of classified data, typically sent via e-mail, on the NIPRNet. It’s no different than leaving a classified document lying around in a non-secure area.

When classified data is transmitted to multiple widely dispersed addressees it is essentially a broadcast of the sensitive information to many locations, rather than just one contained location.

The problem is divulging classified information to people who do not have a need to know, including  computer network intruders and hackers who have skills and tools to seize that information before anyone realizes it’s been divulged.  

And, leakage of classified information puts U.S. forces and the mission at risk. Even if adversaries don’t   seize classified information, there is all the time and effort to clean up the leak, including sanitizing the user’s computer, the servers that process e-mail, network data storage devices, and if transmitted to or from a handheld device, sanitization could  be as basic as physical destruction with a hammer.

All of this is network down-time, thereby stopping a large percentage of mission activity and operational productivity throughout a given base.  When the network is shut down, other systems that are accessed via the network or are superimposed on the network may also become inoperable. The impact of future CMIs will be even greater as the convergence of voice, data and video communications continues onto the unclassified network.

What can you do to help?  While your Security Managers are increasing their training in handling CMIs and prevention awareness, you need to increase your vigilance of double-checking for classification markings of attachments to unclassified documents, and practice good operations and information security by questioning the sensitivity of what’s composed in an e-mail. If a person discovers a possible CMI, there are two people that must be contacted:

-Unit Security Manager.
-Unit Information System Security Officer or the Wing IA Office.

If a person needs to transfer information from the secure SIPRNet to the unclassified NIPRNet, the transfer should be made in hard-copy to avoid inadvertently dragging along classified data. If it’s to be an electronic download of unclassified information from the SIPRNet, then a person should use the specific and rigid procedures for doing so, and make sure two people check the transfer to ensure classified information was not downloaded.

Finally, people should opt to communicate on the secure IPRNet if the nature of it includes sensitive information, or if the overall activity is classified, rather than attempting to find an unclassified way to “talk around” a classified project or activity.

Network defense has been significantly strengthened through a number of technical measures. However, the NIPRNet is not secure enough for classified information to be placed on it or spill into it without having it purged.   

People protect their personal and financial information with great care. And, it is more important to ensure that classified military information does not spill onto the unclassified network. When that occurs, the mission and military forces are at risk. No matter what, an accidental spill of classified information requires a great deal of technical and investigative manpower and network down-time to clean up.  Be careful with what you are doing. People are asked not to put themselves and others at risk by inadvertantly revealing classified information.

Military discipline is not out of vogue.