Problems with Pentagon’s Classified Data Access Could Put Lives at Risk

The military’s Secret Internet Protocol Router Network, or SIPRNET, offers need-to-know access to highly sensitive, classified military information to users with sufficient access and credentials.

However, lax policies around how access is managed have led to critical and ongoing weaknesses in the system, used by the Army, Navy, Air Force and other defense agencies.

A report issued March 18 by the Defense Department inspector general showed ongoing issues with how the military manages access to the network that “could pose a risk to the life and safety of DoD personnel, impact military programs and operations, and lead to accidental or negligent exposure of classified information on the SIPRNET.”

At least two of the problems could be fixed by establishing better processes, and the IG has broached these issues before in prior reports. However, the newest audit shows the military branches have not satisfied prior recommendations.

Two of those issues revolve around access management. According to the report, officials from the Army, Navy and Air Force failed to:

• Ensure that approving officials maintained completed and approved user access forms because officials did not have a process to verify the accuracy and completeness of SIPRNET access forms.
• Ensure users had the required security training because officials did not have a process to verify users completed the required annual security training.

As insider threats—malicious and accidental—continue to be one of the most critical threat vectors, ensuring users have the least amount of access necessary to do their jobs is of the utmost importance. Without review procedures in place, the Pentagon risks granting access to users who have not been cleared to view that information.

“The SIPRNET is an obvious target for cyberattacks and other adverse actions because it contains high-value information,” the IG wrote. “Therefore, the DoD requires that components employ logical and physical security safeguards to protect access to the SIPRNET.”

In the report summary, IG officials recommended creating a process to ensure access requests are “properly completed, reviewed and approved” and that all users go through required security training.

The auditors also discovered two other security issues, however, both are redacted from the public summary, with one classified as secret and the other for official use only.

Leadership from the Pentagon’s Office of the Chief Information Officer and the Army Deputy Chief of Staff for Intelligence did not provide adequate responses to the audit, the IG wrote, and so recommendations directed to their offices remain open.

The Army’s acting deputy director for cybersecurity responded saying its CIO office will issue new guidance within one year that will cover the current gaps in the process.

A Pentagon spokesperson declined to comment further on the report.