Defense Department “Off-The-Clock” Cyber-Nannies

When you are caught twixt poorly written legislation and imaginative reporting, it's hard to decide which one to point to first.

Consider this report by Jack Moore, “Lawmakers Want Off-The-Clock ‘Cyber Protection’ For Some Pentagon Personnel.”

From the post:

Lawmakers crafting a massive annual Pentagon policy want the Defense Department to be able to provide off-the-clock cybersecurity protection to DOD personnel deemed “to be of highest risk of vulnerability to cyberattacks on their personal devices, networks and persons,”

That provision is included in the Senate’s version of the National Defense Authorization Act, which is headed for a vote in the Senate this week. Along with personal “cyber protection support,” the Senate bill would overhaul the role of the Pentagon chief information officer.

The phrase “off-the-clock” struck me as odd, even after lengthy experience reading poorly written laws.

If you bother to check the text, you will find:


Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters

SEC. 1631. CYBER PROTECTION SUPPORT FOR DEPARTMENT OF DEFENSE PERSONNEL IN POSITIONS HIGHLY VULNERABLE TO CYBER ATTACK.

(a) Authority To Provide Support.—The Secretary of Defense may provide cyber protection support to personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons.

(b) Nature Of Support.—Subject to the availability of resources, in providing cyber protection support pursuant to subsection (a), the Secretary may provide personnel described in that subsection training, advisement, and assistance regarding cyber attacks described in that subsection.

(c) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the provision of cyber protection support pursuant to subsection (a). The report shall include a description of the methodology used by the Secretary to determine the positions in the Department that are of highest vulnerability to cyber attacks for purposes of subsection (a).

No mention of “off-the-clock,” “round-the-clock,” “24×7,” etc.

Granting that Jack goes on to say:


Under the Senate bill, the Defense secretary would be authorized to identify high-risk positions and provide “training, advisements and assistance regarding cyberattacks,” according to the bill.

Last year, self-described “stoner high school student” hackers claimed to have breached personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson.

Neither man is a DOD employee, but the incidents raised concerns about the cybersecurity vulnerabilities posed by top government officials’ private email accounts.

The proposed move also comes amid increasing concerns about targeted malicious emails — phishing and “social engineering” attacks — aimed at tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails.

I think the critical text reads:

…tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails….

Let’s amend the Senate version to make it more effective than the proposed cyber-nannies:

Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters

SEC. 1631. REDUCTION OF RISKS FROM PHISHING ATTACKS ON DOD PERSONNEL

(a) Preparation To Detect Phishing Susceptibility.—The Secretary of Defense shall designate personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons, and publish a list of those personnel with their email addresses to Facebook.


(b) Detection Of Phishing Susceptibility.—The Secretary of Defense shall publish on Facebook an invitation for any citizen of any country to create and cause to be delivered a phishing email to any of the personnel designated in (a), exempt from any statutes of the United States or its several states prohibiting such emails. Upon receipt of proof of designated personnel being deceived by a phishing email, the Secretary of Defense will cause to be transmitted to the sender of such email the sum of $5,000.00.


(c) Consequences Of Phishing Susceptibility.—The Secretary of Defense, upon receipt of proof of deception by phishing email, shall immediately cause to be suspended all electronic or physical access to any and all DoD services and/or locations. This suspension will remain in effect until the person in question has been separated from their service.


(d) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the ongoing progress towards reducing phishing susceptibility at the Department of Defense.

Want to improve cybersecurity at the Department of Defense?

Test and separate personnel based on their susceptibility to phishing attacks.

Far saner and more effective than “off-the-clock” cyber-nannies.
