914th Communications Squadron ensures cyber protection

  • Published
  • By TSgt. Andrew Caya
  • 914th Airlift Wing Public Affairs
NIAGARA FALLS AIR RESERVE STATION N.Y. --  President Barack Obama has proclaimed October 2014 as National Cybersecurity Awareness Month: 

"Cyber threats pose one of the gravest national security dangers the United States faces. They jeopardize our country's critical infrastructure, endanger our individual liberties, and threaten every American's way of life," said the Commander In Chief through a proclamation.  "When our Nation's intellectual property is stolen, it harms our economy, and when a victim experiences online theft, fraud, or abuse, it puts all of us at risk. During National Cybersecurity Awareness Month, we continue our work to make our cyberspace more secure, and we redouble our efforts to bring attention to the role we can each play."

The 914th Communications Squadron has been working to make cyberspace more secure for Military operations, here.

914th Airlift Wing members may have noticed new options in their email toolbar, here. Those buttons are a part of the Digital Signature Enforcement Tool, DSET.  If your email contains Personally Identifiable Information or For Official Use Only information, you press the buttons.  Unit members will then be prompted to digitally sign and encrypt the email when sending.

We asked our cyber security managers at the 914th CS some questions about the new features that members can use to safeguard against PII/FOUO Breeches.

First, readers need to know PII/FOUO information will only be sent to recipient with valid Need-To-Know of the information being sent.  PII/FOUO will not be sent to any ".com" email addresses.

Q: What constitutes PII? 

A: Sensitive PII is personal information, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience or unfairness to an individual.  Some categories of PII, when maintained by the Department of Air Force, are sensitive as stand-alone data elements.  Examples of such sensitive PII include:

Social Security Number (SSN), in any form

Alien Registration number (A-number)

Biometric identifier

Financial account numbers

The following information is sensitive PII when grouped with a person's name or other unique identifiers such as address or phone number:

Driver's license number

Medical Information

Citizenship or immigration status

Passport number

Full date of birth

Authentication information such as mother's maiden name or phone passwords

Q:  What constitutes FOUO?

A: FOUO is information designated "For Official Use Only", which must be protected under the Freedom of Information Act of 1966 and Privacy Act of 1974, as amended.  It is Personal information that if disclosed without proper authorization may result in criminal and/or civil penalties.  FOUO is a dissemination control applied by the Department of Defense to unclassified information when disclosure to the public of that particular record, or portion thereof, would reasonably be expected to cause a foreseeable harm to an interest protected by one or more of FOIA exemptions 2-9.  A listing of the 9 exemptions is available through DoDM 5200.01-V4 Enclosure 3.

Q: Why do we have new Security measures, and are the new options Air Force-wide?

A: The intent of The Digital Signature Enforcement Tool (DSET), is to provide individuals awareness of PII risks before they send an e-mail.  DSET is an Outlook add-in that automatically detects attachments, hyperlinks and any information people transmit that may be PII and For Official Use Only.  

The original function of DSET was to mitigate risks from socially engineered e-mail or phishing attacks.  Now it prompts people to protect the message by encrypting and signing e-mails that have PII and FOUO information.  Using caution is highly recommended because DSET does not detect all PII.  DSET can scan most common Microsoft Office file types, text, native PDF, and hypertext markup language.  DSET does not scan images and it only detects the potential presence of social security numbers.  Higher Headquarters is working to address all PII in a future capability.

Q: Where can you send PII/FOUO ?

A: PII/FOUO information will only be sent to recipient with a valid Need-To-Know of the information being sent.  PII/FOUO will not be sent to any .com email addresses.

Q: I have to send PII/FOUO to an appropriate source, I see these new PII/FOUO Buttons on my toolbar, what do I do? What are the steps?

Those buttons belong to the DSET.  If your email contains PII or FOUO information, you press the buttons.  It will then prompt you to digitally sign and encrypt your email when sending.

Q: Do you have data on how well these new security measures are doing?

A: Since the start of DSET, Niagara has had no known scanned PII incidents.  It must be working to some extent making senders aware of their choices.

Q: What happens when PII/FOUO is breeched? What are the consequences?

A: "We are taking several steps to improve notification and reporting of PII incidents," said General William L. Shelton, commander, Air Force Space Command.  Increased awareness within the Air Force is ensuring the security and defense the security and defense of the AFNET and its users.  PII violations create both a personal and operational risk for all of us, he said.

Based out of Joint Base San Antonio, Texas, the 68th Network Warfare Squadron and 352nd Network Warfare Squadron, as the Cyberspace Defense Analysis Weapon System, are actively monitoring the AFNET for PII breaches and violations. When a PII breach is identified:

-  It is reported to the 624th Operations Center, also at Joint Base San Antonio, and the formal reporting process is initiated.

- The 624th OC, as the Cyber Command and Control Mission System Weapon System, then reports the AFNET PII breach to the 24th Air Force Commander, which will result in locking the violator's AFNET account and a notification sent to the individual's wing commander.

- Accounts are locked out of the AFNET of individuals who were found to be inappropriately transmitting PII data via the AFNET. 

- A violator's account will only be unlocked once the first O-6 in their chain of command, after conducting an inquiry and completing the formal reporting process, certifies that the individual has accomplished accomplished all necessary actions, to include remedial training. These new actions are in addition to, and do not circumvent or replace, the normal Privacy Act Breech notification process, which is already in place throughout the Air Force.

- Air Force Instruction 33-332 Air Force Privacy Act Program governs the PII breach reporting process as well as the consequences for PII violations.

If you have any questions or concerns, contact the Base Privacy and FOIA Office at 236-2210.