U.S. Army Europe information assurance experts remind computer users of risks of connecting personal devices to government systems

March 30, 2012

By Spc. Joshua Leonard U.S. Army Europe Public Affairs

HEIDELBERG, Germany -- U.S. Army Europe personnel are being reminded of the risks and consequences of connecting their personal computers or other devices to government-operated networks.

Government systems include Unclassified but Sensitive Internet Protocol Router Network, more commonly known as NIPRNet, and the Secret Internet Protocol Router Network, known as SIPRNet. Each comes with distinct responsibilities and consequences for its users.

Because the ability to monitor USAREUR networks and react to any threat activity is vital to defending those networks, USAREUR has “very robust” defensive and detection capabilities and can monitor all systems and network traffic, said Gerald Holland with the USAREUR Communications directorate’s (G6) Information Assurance Program Management, Policy.

“The USAREUR network is a weapon system,” says an information assurance reference guide the IAPM provides to commanders. “Commanders must protect and defend cyberspace as vigilantly as they would protect and defend any other area of operation. All communications over military networks are subject to monitoring. A risk imposed by one is a risk assumed by all.”

Plugging personal equipment into a government network creates unnecessary security risks, Holland said, and the Army goes to great lengths to protect its networks. If personal devices are located they will be removed and the offender will be subject to penalties.

Solomon T. Kiakona, operations lead for U.S. Army Cyber Command's Regional Computer Emergency Response Team-Europe, said personal systems are more prone to infection or compromise, as users connect these devices to other networks that may not have the same safeguards as USAREUR.  Once connected, personal systems could disrupt protected networks by introducing existing or new variants of malicious software.

The IA commander’s guide lists some of the unauthorized hardware that cannot be connected to official networks. In addition to personally owned computers, the list includes MP3 or other digital music players, GPS navigation devices, personal digital assistants, electronic book readers, smartphones, digital cameras, unauthorized or personally owned wireless access points, gaming consoles, personally owned external hard drives and any flash-based removable media.

The guide also lists several prohibited types of content and activities that can land users who connect their personal devices to an official network in hot water, including pornography, online auctions, chat and instant messaging, gambling and gaming, hacking and malware, illegal drugs, Internet telephone systems, online storage, “pay to surf” activity, peer-to-peer file sharing, personals and dating, unauthorized software, proxy or “anonymizer” use, and material with violent, hate, racist or terrorist themes.

If a personal computer is connected to an official network, commanders have authority to take immediate and necessary action, Holland said. The system is immediately removed from the network and the user can face harsh consequences.

Those consequences can include oral or written reprimand, adverse performance evaluation, suspension from employment with or without pay, loss of access to official information systems or networks, suspension of security clearance, dismissal from employment, administrative or non-judicial punishment, and possibly even civil or criminal prosecution.

Holland pointed out that all users of official U.S. government information systems are required to complete yearly information assurance training, as well as sign an “acceptable use policy” document that outlines these prohibitions and consequences.

“There is no excuse to say you didn’t know,” he said.

Still, security violations are often inadvertent, Holland said; people see a network connection in their workplaces or on their official systems and plug into them to complete a task, with no intent to do harm. But the bottom line, he added, is that users must recognize that personal computers are not allowed on the network and government computers are for official use only, and leaders must hold people accountable for their actions and take appropriate action against offenders.

“Even with all our protections in place, we still have computer-related security incidents involving government systems, so sometimes it’s better to just leave personal computers at home,” he said. “In today’s world everyone wants to be able to stay connected, but they must understand that their actions could cause an event that results in mission failure, or even the loss of someone’s life.”

“In today’s age access points and connectivity are readily available to anyone,” Kiakona said. "It's basically a convenience that most users have come to know and feel that they can connect up wherever there is an access port. What it boils down to is that, ‘convenience kills!’”

For those who would like more information on safeguarding data, Holland pointed to two regulations: Army Regulation 25-2 (Information Assurance) and Army in Europe Regulation 25-2 (Army in Europe Information Assurance).

He also urged users to contact their organization Information Assurance Managers or call the Army in Europe information technology Enterprise Service Desk by dialing 119 from any official phone, if they witness information security violations or need other information technology assistance. Users can also contact USAREUR IAPM, Policy Team at 370-9549 or 370-9166.

About us: U.S. Army Europe is uniquely positioned to advance American strategic interests across Eurasia and has unparalleled capability to prevent conflict, shape the environment and, if necessary, win decisively. The relationships we build during more than 1000 theater security cooperation events in more than 40 countries each year lead directly to support for multinational contingency operations around the world, strengthen regional partnerships, and enhance global security.