PII breaches damage the AF mission

  • Published
  • By 1st Lt. Nicholas Konishi
  • 81st Communications Squadron
KEESLER AIR FORCE BASE, Miss. --  Personally Identifiable Information -- better known as "PII" -- is one of those buzz-words we as Airmen have had drilled into our minds over and over again.

Even here at Keesler, when we log into our computers in the morning, the first thing we see is a notice that warns of the dangers and consequences of PII breaches, including network account deactivation and punishment under Article 92 of the Uniform Code of Military Justice.

Of course, most don't actually read those things, and we often curse them for slowing down our morning routine. After all, we know that protecting PII is important. Yet, PII breaches continue to plague Keesler and the Department of Defense.

Believe it or not, all those PII breaches you may have heard about are scrutinized at the very highest levels of the Air Force. Trends point primarily to email as the largest share, sometimes affecting tens of thousands of individuals

In certain cases, when PII is transmitted via unsecure means to or from a network provider not controlled by the Department of Defense, the 24th Air Force Commander is required to personally notify wing commanders.

The U.S. Air Force Public Key Infrastructure has even been testing an application script in an attempt to stop breaches at the client level. Outlook will eventually gain the capability to scan for PII (to include searches for keywords, such as "recall roster") that will prompt a user to encrypt an email if it detects what may be PII attached, or even within the email message itself. However, these scripts are not 100 percent effective, but the tools continue to be refined and will get better over time.

But why is protecting PII so important, and why is the Air Force taking such extreme measures to protect it?

We're all familiar with identify theft, and how cyber-criminals use this kind of data for gains against individuals. But is there an even more ominous threat which could negatively affect the Air Force or DoD as a whole?

Recently, Chinese hackers broke into the Office of Personnel Management and accessed large amounts of data; specifically, civilians who had applied for a U.S. security clearance.

According to the Washington Post, "the system contains sensitive data that ranges from financial and travel histories to the names of applicants' children, relatives, neighbors and close friends."

Using this PII, Chinese intelligence operations could target those who have access to carefully guarded information and conduct further cyber espionage on those individuals to find pieces to the puzzle, so to speak, to build a picture of what the U.S. government has classified.

Even using just the information that was compromised (government employee's names), a cyber-adversary can mine the databases of social media sites to nail down individuals skill sets and experience. They are then able to accurately infer which areas of study the U.S. government is expending human capital on secret military research and development projects for future operational implementation. PII can be used in a variety of different and damaging ways to undermine the Air Force's mission.

So, what can we do to mitigate these kinds of breaches? Hackers will attempt to gather our critical information even in the face of our best efforts to secure our information systems. Hackers, however, don't want to work hard if they don't have to. That's where PII breaches come into play. When we let PII out into the open, in publicly available domains (commercial websites, on our desks, in the dumpster), we make our adversaries job that much easier.

PII has been discovered as abandoned personnel documents, websites, server folders without proper security permissions, and government in the homes of other Airmen, recycling bins, and other unsecured areas. In fact, Keesler has implemented a 100 percent shred policy to destroy unnecessary physical documents to keep the information they contained out of the hands of those who practice "dumpster diving."

But the best deterrent we have to stop PII breaches is not fancy computer programs, 100 percent shred policies, or bothersome electronic warnings; it's our Airmen. We trust each other to be good Wingmen to keep each other safe during deployments, create safe working environments for everyone, and even save lives at the Keesler Medical Center.

We, as Airmen, must take the same stance towards protecting PII as we do all those other things; it's really all about just being a good Wingman. Keep that in mind, and take it to heart as you carry out your unit's mission every day.