Changing the paradigm of internet access from government information systems: a solution to the need for the DOD to take time-sensitive action on the NIPRNET.
I. INTRODUCTION
II. THE NATURE OF DOD CYBERSPACE: CURRENT
ASSUMPTIONS AND DANGERS
III. INADEQUACIES OF CURRENT REGULATIONS
A. Joint Ethics Regulation
B. Other DOD-Wide Regulations
C. Service Rules and Regulations
IV. COURSES OF ACTION
A. Lawful Order
B. Regulations
C. Hybrid Approach
D. Support from Other Jurisdictions
V. CONCLUSION
APPENDIX. PROPOSED DOD DIRECTIVE AND DRAFT ORDER
I. INTRODUCTION On 12 May 2008, the Deputy Secretary of Defense (Dep SECDEF SECDEF Secretary of Defense ) issued a formal definition of cyberspace via a memorandum to the secretaries of the military departments and the rest of the Department of Defense (DOD (1) (Dial On Demand) A feature that allows a device to automatically dial a telephone number. For example, an ISDN router with dial on demand will automatically dial up the ISP when it senses IP traffic destined for the Internet. ). (1) Implicit in Adj. 1. implicit in - in the nature of something though not readily apparent; "shortcomings inherent in our approach"; "an underlying meaning" underlying, inherent this memorandum was a statement of the importance of cyberspace to military operations This is a list of missions, operations, and projects. Missions in support of other missions are not listed independently. World War I ''See also List of military engagements of World War I
Adjective not prevented or obstructed: unhindered access Adverb without being prevented or obstructed: he was able to go about his work unhindered in cyberspace." (2) Thus, it is now doctrinally accepted, without any exception within the DOD, that cyberspace is a "war-fighting domain." (3) However, cyberspace is a domain not only used by war-fighters (indeed warfighters are a miniscule min·is·cule adj. Variant of minuscule. Adj. 1. miniscule - very small; "a minuscule kitchen"; "a minuscule amount of rain fell" minuscule minority of users), it is accessed by a significant and growing global population for business communications, personal recreation, intelligence collection, and a host of other uses. (4) Commensurately, cyberspace is a crowded domain, and for the warfighter, access to it requires cleared pipelines, in turn necessitating a minimization of unofficial Internet access See how to access the Internet. . The DOD does not own cyberspace, or even a portion of it, in a traditional legal sense. (5) But, the DOD is able to perform functions in parts of cyberspace by creating security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security which control access to those areas. (6) The area of operations controlled by the DOD is referred to as the Global Information Grid The globally interconnected, end-to-end set of information capabilities, associated processes and personnel for collecting,processing, storing, disseminating and managing information on demand to warfighters, policy makers, and support personnel. (GIG). (7) Without access to the GIG, or the ability to protect the flow of information (or freedom of maneuver) on it, the military's capabilities are severely degraded. (8) It is axiomatic ax·i·o·mat·ic also ax·i·o·mat·i·cal adj. Of, relating to, or resembling an axiom; self-evident: "It's axiomatic in politics that voters won't throw out a presidential incumbent unless they think his challenger will that the success or failure of military operations in cyberspace is contingent on Adj. 1. contingent on - determined by conditions or circumstances that follow; "arms sales contingent on the approval of congress" contingent upon, dependant on, dependant upon, dependent on, dependent upon, depending on, contingent access to cyberspace. While much of the focus on the military's use of cyberspace is on offensive or defensive roles, attention to the management of access to cyberspace is equally important. This is because without proper management, neither the full range of offensive, defensive, or exploitive operations will Occur. (9) However, the DOD is currently lacking sufficient regulatory authority Noun 1. regulatory authority - a governmental agency that regulates businesses in the public interest regulatory agency administrative body, administrative unit - a unit with administrative responsibilities to ensure the availability of access to conduct operations through cyberspace, because the conduct of its members is predicated on a number of false assumptions which are written into outdated or otherwise poorly designed current regulations. This article addresses those assumptions and existing regulations and argues for new guidance to alter the current paradigm of almost unfettered access. This article is divided into three sections. Section I touches on the nature of DOD cyberspace and the potential harms that result from current social behaviors of the department's personnel. Section II analyzes shortcomings in existing regulations to police the use of government information systems. Section III presents differing options to provide the DOD and its commanders a means to reduce the risk of malicious code through the implementation of a new regulation or lawful order. It also includes an analysis of relevant supportive federal and state court decisions. Finally, the article contains an appendix with a draft proposed regulation and a draft order. One issue throughout this article is important to note. The article and its contents are unclassified un·clas·si·fied adj. 1. Not placed or included in a class or category: unclassified mail. 2. , but much of the information on cyber-intrusions, defense methods in the networks, and the forensic work on malicious codes are classified secret and top-secret. Consequently, the article relies on open source documents, which do not contain detailed information on the tactics, techniques, and procedures or adversary conduct in cyberspace. II. THE NATURE OF DOD CYBERSPACE: CURRENT ASSUMPTIONS AND DANGERS There are five essential considerations which require continual understanding throughout this article, and indeed, in addressing the need to change the paradigm of almost unfettered access. The first is social behavior In biology, psychology and sociology social behavior is behavior directed towards, or taking place between, members of the same species. Behavior such as predation which involves members of different species is not social. , which is the sole focus of this article. Most users believe that access to the internet is of only nominal cost, which results in its unfettered use. (10) This assumption is false. In fiscal year 2007, the DOD through the Defense Information Services See Information Systems. Agency procured Internet access at an annual recurring cost in excess of $105 million. (11) In July 2008, a naive e-mail user in the DOD sent out an e-mail containing an Internet game attachment. The resulting e-mails and other net activity caused a widespread disruption across the base's server. (12) Despite the expenditure of monies, freedom of access to the internet has also translated into the idea that the DOD or its component services will block offending or dangerous sites. Problematic to this assumption is that many otherwise legitimate sites unwittingly contain malicious code, and other sites are spoofed to enable exfiltration The removal of personnel or units from areas under enemy control by stealth, deception, surprise, or clandestine means. See also special operations; unconventional warfare. of critical data. (13) The National Institute of Standards and Technologies (NIST (National Institute of Standards & Technology, Washington, DC, www.nist.gov) The standards-defining agency of the U.S. government, formerly the National Bureau of Standards. It is one of three agencies that fall under the Technology Administration (www.technology. ), a division of the Department of Commerce, states the problem as this: "In the 1980s, malware was occasionally a nuisance or inconvenience to individuals and organizations; today, malware is the most significant external threat to most systems, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations." (14) Moreover, while it is true technologies exist to block access to specific websites, it is also true that technologies exist to bypass those web-blocks, and as such, have already been employed by servicemembers and other DOD personnel. (15) While accessing Internet sites from DOD computers posses only one risk to malicious code, it is the most difficult to prohibit. (16) For instance, it is likely easier to prevent the transfer of information from a personal computer via a personal thumb-drive or other removable media In computer storage, removable media refers to storage media which can be removed from its reader device, conferring portability on the data it carries. A removable drive is a reader device for such media. to a DOD computer than it is to prohibit access to sites which are not currently blocked. In response to the appearance of malicious code on government information systems of various classification levels, the DOD enacted a ban on the use of certain removable media. (17) At best, technological solutions alone deprive the DOD of the full "defense in depth" that it requires to protect its cyber capabilities or critical information. The second consideration is that risks such as malicious code occur as a function of access and connection, rather than actual time spent on an Internet site. (18) The time to download a malicious code is often measured in nanoseconds, making it virtually instantaneous. (19) Malicious code resides primarily across the Internet, but some malicious code has been designed to traverse onto computer systems with high classification levels that do not connect to the Internet. (20) Gaps, known colloquially col·lo·qui·al adj. 1. Characteristic of or appropriate to the spoken language or to writing that seeks the effect of speech; informal. 2. Relating to conversation; conversational. as "air gaps," existing between isolated classified system networks and unclassified systems connecting to the Internet were thought to serve as a protective barrier against intrusions onto the classified systems. (21) But, information on the classified systems as well as the systems themselves may be in jeopardy by both the lawful transference of information, as well as the negligent transference of information between the classified levels. (22) As a result, this article is not concerned with the ethical implications of time spent in web-surfing from government information systems during duty hours, but the web-surfing itself. The third consideration is what the reduction in unofficial Internet access traffic will give commanders overseeing military operations. United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. military operations rely on decisional superiority, freedom of maneuver, and operational security. (23) Because of excessive unofficial Internet usage, the DOD decided to purchase commercial Internet service in the U.S. Central Command area of responsibility. The reduction in unofficial Internet access traffic will protect these essential operational requirements (programming) operational requirements - Qualitative and quantitative parameters that specify the desired capabilities of a system and serve as a basis for determining the operational effectiveness and suitability of a system prior to deployment. by reducing the risk to the GIG. Fourth, the exponential growth Extremely fast growth. On a chart, the line curves up rather than being straight. Contrast with linear. of malicious code risks to secured information on the GIG, the ability for the DOD to freely access the GIG, and the integrity of secured information on the GIG are all part of the same concern: GIG security. While no regulation, however austere, will remove all risks, it is very apparent that nation-states and non-state actors have engaged in robust exfiltration of data from government information systems, including the DOD's systems. (24) Moreover, the 2007 Estonian experience, in which denial of service A condition in which a system can no longer respond to normal requests. See denial of service attack. attacks encumbered that allied government's ability to rely on its information systems, must concern the integrity of DOD systems. (25) Fifth and finally, a definition of official use and unofficial use in terms of Internet access does not currently exist in the DOD lexicon. For the purpose of this article, unofficial use is defined as a use which does not relate to the functions or necessities of DOD personnel or mission sets. (26) For instance, individuals accessing weather information in preparation for a TDY TDY abbr. temporary duty or real estate information in preparation for a permanent change of station (PCS (1) (Personal Communications Services) Refers to wireless services that emerged after the U.S. government auctioned commercial licenses in 1994 and 1995. This radio spectrum in the 1. ) move may articulate the search as related to official duty. On the other hand, when individuals access those same sites prior to a personal vacation or for non-PCS investment reasons, there is little likelihood the same articulation to mission nexus can occur. Access to the Internet from any location occurs with a number of inherent risks. These risks include the transfer of malicious code, which may be designed to remotely corrupt or commandeer com·man·deer tr.v. com·man·deered, com·man·deer·ing, com·man·deers 1. To force into military service. 2. To seize for military use; confiscate. 3. To take arbitrarily or by force. a computer system, destroy the system, implant a virtual beacon on the system to provide information to a far-way user, or convey false information through the user's system. (27) One recent study concluded that 80% of legitimate sites have malicious code implanted. (28) The exponential growth of malicious codes has affected the DOD systems, making them increasingly vulnerable to the risks noted above. Technical solutions provide only a short-term solution and a partial insurance against these risks, primarily because the ability of malicious code developers matches the ability of security advances. Like most computer networks, DOD computer information systems provide a ready access to the Internet. (29) During any given twenty-four hour period the Internet is accessed over one billion times from roughly seven million DOD owned computers. (30) The overwhelming majority of this traffic occurs on the Non-Secure Internet Protocol Router Network (NIPRNET NIPRNET Unclassified but Sensitive Internet Protocol Router Network (US DoD) NIPRNET Non-Classified Internet Protocol Router Network (US DoD) NIPRNET Non-Secure Internet Protocol Router Network ). In an ongoing study, over two-thirds of Internet access from DOD computers occurs for non-official purposes. The types of sites accessed including dating services, resort and vacation sites, car purchases, electronic stock and commercial trading, sports sites, and "streaming video" sites. (31) While it is remotely possible a small minority of users accessing these sites could argue the access occurred for an official DOD purpose, one would be hard pressed to believe the bulk of the access was for a mission-related function. Despite the fact that the NIPRNET is non-secure, a number of protected, encrypted, or coded DOD functions occur across it. These functions include pay and leave access, transfer and tracking of component parts, the bulk of aircraft schedules, medical information transfers, fuel data, travel schedules of ranking officers and civilian personnel, real-time communications, and a variety of other data which is closely guarded and essential for military operations. (32) Moreover, information may be transferred to and from the NIPRNET to the Secured Internet Protocol Router Network (SIPRNET), as well as higher classified systems, placing the higher classification of SIPRNET and other access data at risk. (33) III. INADEQUACIES OF CURRENT REGULATIONS Prior to examining current departmental and service regulations, it is essential to examine 10 U.S.C. [section] 2224, which directs SECDEF to develop and maintain a "Defense Information Assurance Program." (34) The regulations examined below, in some measure, are buttressed by this law. For instance, it requires this program to "provide continuously for the availability, integrity, authentication, confidentiality, nonrepudiation, and rapid restitution of information and information systems that are essential elements of the Defense Information Infrastructure." (35) It additionally charges SECDEF to develop a program strategy that encompasses those actions necessary to assure the readiness, reliability, continuity, and integrity of Defense information systems, networks, and infrastructure...." (36) But, as noted in the introduction, regulatory authorities do not adequately address network threats to the DOD's mission capabilities, and this fact shows a failing to comply with 10 U.S.C. [section] 2224. Moreover, the regulations containing rules governing Internet access are disjointed. These include departmental regulations, Chairman of the Joint Chiefs of Staff The Chairman of the Joint Chiefs of Staff is by law the highest ranking overall military officer of the United States military, and the principal military adviser to the President of the United States. Instructions, service regulations, and individualized user agreements. Moreover, while rescission The abrogation of a contract, effective from its inception, thereby restoring the parties to the positions they would have occupied if no contract had ever been formed. By Agreement of security clearances based on Internet misuse has also been sustained by administrative law administrative law, law governing the powers and processes of administrative agencies. The term is sometimes used also of law (i.e., rules, regulations) developed by agencies in the course of their operation. judges, this is merely a "backdoor See trapdoor. " method for addressing the problem and available in only limited circumstances. (37) For reasons noted below, none of these regulations satisfactorily mitigates the threats described above. A. Joint Ethics Regulation Department of Defense Directive 5500.7-R, the Joint Ethics Regulation (hereafter JER JER Jeremiah JER Joint Ethics Regulation JER Journal of Educational Research JER Jersey, Channel Islands, United Kingdom - States (Airport Code) JER James E Riley (head writer for NBC soaps) ) (38) governs the conduct of all DOD personnel. It was most recently updated on November 29, 2007. (39) The JER was promulgated to buttress public trust in the Department of Defense. (40) It also serves as a mirror to the Code of Federal Regulations The New Deal program of legislation enacted during the administration of President franklin roosevelt established a large number of new federal agencies, which generated a shapeless and confusing mass of new regulations. (CFR CFR See: Cost and Freight ) and other government instruments serving the same purpose. (41) The JER governs such areas as political activities, relationships between DOD personnel and contractors, gifts between superiors and subordinates, expenditures of government monies for conferences, and attendance at private events. The JER's primary strengths are that it is the most holistic governance for DOD personnel in regard to professional behavioral standards and it does not contradict the Uniform Code of Military Justice (UCMJ An abbreviation for the Uniform Code of Military Justice (10 U.S.C.A. § 801 et seq.). ). Moreover, the JER provides the due process notice requirements for enumerated military offenses under which violations may be charged. (42) Violations of the JER may be charged against persons subject to the UCMJ through Article 92. (43) At first glance, the JER should provide some authority to regulate unofficial access to the Internet because is a fundamental principle of administrative law that an agency is bound to adhere to its own regulations. (44) However, as a disciplinary tool, the JER has rarely served as the basis for charging UCMJ offenses in courts-martial. Indeed, the appellate record of published cases is slim. In United States v. Crafter, (45) the Court of Appeals for the Armed Forces (CAAF CAAF Children Affected by AIDS Foundation (since 1993; Los Angeles, California) CAAF US Court of Appeals for the Armed Forces CAAF Chapel Allerton Arts Festival (Leeds, England) ) upheld a court-martial conviction based on the provision of the JER prohibiting bribery. (46) CAAF has also upheld a conviction for accessing child pornography Child pornography is the visual representation of minors under the age of 18 engaged in sexual activity or the visual representation of minors engaging in lewd or erotic behavior designed to arouse the viewer's sexual interest. and bestiality Bestiality See also Perversion. Asterius Minotaur born to Pasiphaë and Cretan Bull. [Gk. Myth.: Zimmerman, 34] Leda raped by Zeus in form of swan. [Gk. Myth. websites charged under the JER. (47) However, bribery and child pornography are already prohibited in other regulations, raising the question as to why the JER was incorporated into a UCMJ charge and specification in the first place. Civilian employment within the DOD has been terminated on the basis of JER violations as well, but only rarely. The Merit Systems Protection Board The Merit Systems Protection Board (MSPB) ensures that federal civil servants are hired and retained based on merit. In overseeing the personnel practices of the federal government, the board conducts special studies of the merit systems; hears and decides charges of wrongdoing and (MSPB MSPB Merit Systems Protection Board ), the primary governing body for adjudicating challenges to adverse employment decisions, has upheld agency decisions to terminate employment for such reasons as monetary debts to subordinates, (48) using government computers for personal business and sending sexually suggestive e-mails to other employees, (49) accepting gifts from subordinates exceeding the amount permitted under the regulation, (50) and, sexual harassment sexual harassment, in law, verbal or physical behavior of a sexual nature, aimed at a particular person or group of people, especially in the workplace or in academic or other institutional settings, that is actionable, as in tort or under equal-opportunity statutes. . (51) However, it does not appear that under either the JER, or its incorporation under the UCMJ, that any charges have occurred for excessive unofficial non-pornographic Internet access or access for personal recreational purposes. Accessing pornography has been amply charged against both uniformed service members and non-uniformed DOD employees but usually not under the JER. In terms enabling the sought-after paradigm change, the JER possesses inherent weaknesses beyond the obvious statistical evidence. To begin, the regulation in section 2-301 lumps computer use in the same category as other modes of government-owned communications, to include telephones and facsimile machines. (52) While service members have been prosecuted for using government telephones, military law favors charging unofficial telephone use under UCMJ, Article 121, prohibiting larceny, rather than under the JER. (53) It would be difficult to charge unofficial access to the Internet under the same article prohibiting larceny because that particular article requires the government to prove the user's intent to permanently deprive the owner of a property, that the property had a rightful owner, and that the property had an actual value, or at least some nominal value Nominal Value The stated value of an issued security that remains fixed, as opposed to its market value, which fluctuates. Notes: When referring to fixed-income securities, the nominal value is also the face value. . (54) The JER does not take into account the risk to the GIG or the nature of the NIPRNET. Indeed, it does not even make use of those terms anywhere within its voluminous rules. Telephones and facsimile machines do not, as a general rule, have the capability of transferring malicious code, serve as an effective tool for the exfiltration of data, or possess the inherent capability of a takeover from an operator at a remote site. Section 2-301(a) governs the use of DOD computers under the aegis of "Use of Government Resources." (55) The regulation defines official use to include such matters as: emergency communications, communications to military members and other DOD employees who are deployed or in extended TDY status. Yet, the regulation permits commanders flexibility to permit DOD personnel at a normal workplace to conduct brief internet searches beyond matters involving official business or family communications under certain conditions reflecting the overarching ethics rules. (56) The JER does not define brief internet searches, leaving one to conclude that the content of such searches are only constrained by what is already prohibited under other regulations or laws such as pornography, child pornography, gambling, or political activities. (57) As a further example of the regulation's permissive nature, wide-ranging Internet searches are permitted when that activity does not adversely affect the performance of official duties of the DOD employee or organization. Although the regulation does not define the term "brief," it permits use that is of "reasonable duration and frequency" (58) and serves "a legitimate public interest." (59) The regulation does not define "legitimate public interest," but it provides examples such as "enhancing the professional skills of" DOD employees or "job searching." (60) Therein is the proof that the JER's drafters missed the fundamental risk factors in Internet access in that it is a matter of access and not time spent on any particular activity which creates risk in the first place. B. Other DOD-Wide Regulations Other regulations exist which govern the use of the government information systems as well as the GIG, but none directly addresses the social behaviors of accessing the Internet. For instance, DODD v. t. 1. To cut off, as wool from sheep's tails; to lop or clip off. 8500.01E, Information Assurance, (61) articulates policy to regulate access to the internet, but primarily through technological solutions. (62) Its implementation instruction, DODI DODI Department Of Defense Instruction 8500.2, Information Assurance (IA) Implementation, (63) places on all DOD personnel the responsibility to only access data for "which they are authorized or have a need to know." (64) While 8500.02 provides defined language, it is not a regulation under which DOD personnel may be disciplined for unofficial Internet access, though arguably if the access resulted in damage or disruption to DOD information systems, DOD personnel might become the subject of an investigation. Chairman of the Joint Chiefs of Staff Instruction A replacement document for all types of correspondence containing Chairman of the Joint Chiefs of Staff policy and guidance that does not involve the employment of forces. An instruction is of indefinite duration and is applicable to external agencies, or both the Joint Staff and external (CJCSI CJCSI Chairman of the Joint Chiefs of Staff Instruction ), 6211.02C, Defense Information Systems Network (DISN DISN Defense Information Systems Network DISN Disney Channel (TV network) DISN Defense Information Switched Network (less common) DISN Defense Information Support Network ) Policy, Responsibilities, and Processes, (65) imposes responsibility on all DOD personnel to protect classified information, including classified information on DOD networks. (66) It also provides parameters of "authorized uses" for government information systems capable of accessing the internet. But the parameters for acceptable Internet access in this instruction mirror those in the JER. (67) CJCSI 6510.01E, Information Assurance (IA) and Computer Network Defense (CND CND Campaign for Nuclear Disarmament CND n abbr (= Campaign for Nuclear Disarmament) → plataforma pro desarme nuclear CND (Brit) n abbr (= ), (68) provides additional authority to hold accountable individuals who place government information systems at risk through negligent conduct or intent. The range of accountability includes terminating an individual's ability to access the Internet from a government information system. (69) However, CJCSI 6510.01E does not require combatant commands, services, and agencies to reduce the amount of Internet access. C. Service Rules and Regulations Army Regulation (AR) 25-1, Knowledge Management and Information Technology, establishes the policies and assigns responsibilities for the management of information resources and information technology. (70) This regulation governs internet access for all personnel assigned to, or employed by, the Department of the Army. While the entirety of AR 25-1 is not punitive, the regulation notes there are punitive portions. (71) Of importance, unlike the JER, the authors of AR 25-1 evidenced their understanding of the GIG by incorporating and defining the NIPRNET and SIPRNET into the regulation. Notably, AR 25-1 prohibits computer activity "that could reasonably be expected to" congest con·gest v. To cause the accumulation of excessive blood or tissue fluid in a vessel or an organ. estrogens, conjugated Warning - Hazardous drug! C.E.S. , delay, or disrupt computer service. (72) In one sense, the language contained in AR 25-1 is superior to that found in the JER. Specific intent is not the liability standard for violations. (73) Thus only a general negligence of Internet access which results in system degradation is required to hold a person punitively accountable for violating the regulation. Despite the recognition of threats to the GIG, AR 25-1 incorporates the permissive access to Internet doctrine found in the JER. (74) This permissiveness includes, personal "brief Internet searches," without providing any further parameters as to the meaning of the limitation. (75) Air Force Instruction (AFI AFI American Film Institute AFI Awaiting Further Instructions AFI Armed Forces Insurance AFI A Fire Inside (band) AFI Air Force Instruction AFI Australian Film Institute AFI Agencia Federal de Investigación ) 33-129, Communications and Information: Web Management and Use, is the Air Force's counterpart to AR 25-1. (76) Like AR 25-1, it provides a framework for access, modeled on the JER. (77) Also, like its Army counterpart, AFI 33-129 provides a non-inclusive list of inappropriate use. This list is broader than AR 25-1 as it also prohibits modifying or altering the network operating system An operating system that is designed for network use. Normally, it is a complete operating system with file, task and job management; however, with some earlier products, it was a separate component that ran under the OS; for example, LAN Server required OS/2, and LANtastic required DOS. or system, and permitting an unauthorized individual to access a DOD computer system. However those two examples are prohibited in other regulations. Moreover, AFI 33-129 is unique in prohibiting the use of measures to circumvent blocked sites or other security systems. (78) IV. COURSES OF ACTION There are at least four possible courses of action to effectuate a change in the current paradigm of almost-open Internet access. The DOD can draft a new regulation (or series of regulations) limiting access to the Internet through government information systems. Such a regulation would be divorced from the JER, but the JER would, in turn, require modification to section 2-301. A second course of action is to have local commanders recognize the inherent risks of the current paradigm, preempt pre·empt or pre-empt v. pre·empt·ed, pre·empt·ing, pre·empts v.tr. 1. To appropriate, seize, or take for oneself before others. See Synonyms at appropriate. 2. a. the JER and draft lawful orders applicable to the commander's respective installation, command, or vessel. In the legal rubric RUBRIC, civil law. The title or inscription of any law or statute, because the copyists formerly drew and painted the title of laws and statutes rubro colore, in red letters. Ayl. Pand. B. 1, t. 8; Diet. do Juris. h.t. of lawful command, it is, of course, possible for the President or SECDEF to issue a lawful command limiting Internet access through government information systems. This course of action could occur at a far more rapid rate than issuing a regulation but would come at the cost of denying full input from the services, combatant commands, and field agencies. A third course of action would be to draft a new regulation, but while the process of drafting, input, and promulgation PROMULGATION. The order given to cause a law to be executed, and to make it public it differs from publication. (q.v.) 1 Bl. Com. 45; Stat. 6 H. VI., c. 4. 2. is occurring, permit local commanders to issue lawful orders. This course of action is essentially a hybrid of the prior two. Finally, a fourth course of action is to do nothing, and permit the JER and other service regulations and user agreements to regulate internet access through government information systems. A. Lawful Order Historically, the most immediate means of effectuating an enforceable policy change has been the issuance of a lawful order from a command authority. While lawful orders are generally issued by officers commanding installations or vessels, the President, followed by the SECDEF, are the two highest command authorities. (79) They are constitutionally empowered to issue orders which have a service-wide effect. (80) In terms of hierarchy and reach of authority, the three Service Secretaries, four commissioned chiefs of their respective services, and the combatant commanders follow. (81) The authority to issue a lawful order descends to the lowest command level. (82) Depending on the service, location, and chain of command, the level of authority may simply be whoever is of highest rank in a given chain. (83) But, only the President and Defense Secretary have the ability to directly order the entire Department to comply with a policy. (84) The UCMJ, Article 92, governs the punitive nature of lawful orders. The essential attributes of a lawful order include: (1) issuance by competent authority--a person authorized by applicable law to give such an order; (2) communication of words that express a specific mandate to do or not do a specific act; and (3) relationship of the mandate to a military duty. (85) Orders are generally presumed to be lawful, and it is for a judge to decide whether this is the case. (86) An order, in addition to showing its intent to regulate some aspect of behavior of servicemen; must state clearly whether it is punitive. (87) The issuance of multiple lawful orders across the DOD has two inherent difficulties rooted in law. Firstly, it is a fundamental due process right that DOD personnel have fair notice of the criminality of a prohibited conduct before being charged or convicted of an offense. (88) If every military base, post, encampment, or station has its own separate set of rules, those particular rules have to be visible and understood by the persons falling within the jurisdictional reach of those specific rules. (89) Even in a scenario in which major commands create their own independent rules, the issue of notice will exist, in part, because military personnel transfer from post to post. While the difficulty of providing notice is not insurmountable, it is far less difficult if the order is issued from the highest levels. Secondly, one of the potential enforcement problems with commanders independently issuing orders in the absence of a regulation may be challenges based on the Fifth Amendment's guarantee of "equal protection." (90) Rooted in due process, "equal protection" protects individuals from differences in treatment from a convening authority. (91) Within the services, different commanders may issue differing orders, with unique prohibitions. A violator of one order might seek to challenge a commander's decision to offer non-judicial punishment or prefer charges for violating the order. While "equal protection" challenges might arise from the fact that each of the services (or, the major commands within each service) have different prohibitions against unofficial Internet access, the majority of these challenges would fail. "Equal protection" usually applies to constitutionally suspect classes of individuals who have historically suffered discrimination based on race, religion, or national origin. (92) In 1981, the Court of Military Appeals (the predecessor to CAAF), in United States v. Means, (93) determined that the rank or status of an individual could be a determining factor in a commander's decision to refer a military member to a court-martial as long as the status did not involve race, religion, national origin, or another protected factor. (94) Lawful orders may exist in the form of standard "user agreements," in which the user of government computers agrees not to engage in non-mission related web surfing. Clearly a standard "user agreement" will be an appropriate instrument to provide notice as to a prohibition against unofficial access to the Internet. But alone, arguably the user agreement is not enough to create a culture change in Internet access. B. Regulations Punitive general orders issued directly from the Secretary of Defense to the entire Department have been rare since the Goldwater-Nichols Act. This is because the Department adopted a means for projecting policies, regulations, and other rules to its service members and federal employees mirroring the Code of Federal Regulations. The issuance of regulations to the services is a function of the executive branch, which mirrors the legal construct of issuing lawful orders but occurs as a defined process. (95) However, in comparison to posting an order, the drafting and issuance of regulations is time consuming because it involves the comments and concerns of the service departments, combatant commands, and agencies. (96) On the other hand, published regulations which specifically prohibit unofficial Internet access from DOD computers are the optimum means of establishing a single department-wide framework for mitigating risks from malicious code. There are, of course, legal considerations before drafting and implementing such regulations. As in the case of lawful orders, any regulatory changes which affect the conditions of employment conditions of employment that part of an employment that sets out the duties, responsibilities, hours of work, salary, leave and other privileges to be enjoyed by persons employed, for example a veterinary nurse, in private practice. will likely require negotiation with collective bargaining collective bargaining, in labor relations, procedure whereby an employer or employers agree to discuss the conditions of work by bargaining with representatives of the employees, usually a labor union. units. (97) While localized orders prohibiting unofficial access to the Internet will, at most, require limited notice to collective bargaining units, a DOD-wide regulation may require negotiation with multiple collective bargaining units representing personnel. A new regulation will also require other changes. Certainly, the adaptation of a new regulation will require ancillary amendments to other existing regulations such as the JER, and the Department of Defense Dictionary of Military and Associated Terms The Department of Defense Dictionary of Military and Associated Terms is a compendium of terminology used by the United States Department of Defense (DOD). It sets forth standard US military and associated terminology to encompass the joint activity of the Armed will have to be updated to include the term "mission use." Another consideration is which DOD agency should be responsible for drafting the regulation. A new regulation may be proposed and coordinated through several venues within the DOD. The Assistant Secretary of Defense for Networks and Network Integration (ASD/NII) is the DOD's Chief Information Officer (CIO CIO: see American Federation of Labor and Congress of Industrial Organizations. (Chief Information Officer) The executive officer in charge of information processing in an organization. ). The ASD/NII CIO is charged with the responsibility for protecting the DOD's net-centric data. (98) The commander, U.S. Strategic Command (USSTRATCOM USSTRATCOM United States Strategic Command ), is charged with overall responsibility for GIG operations and network defense in coordination with the CJCS CJCS Chairman of the Joint Chiefs of Staff (US DoD) CJCS Cathedral and John Connon School and other combatant commands. (99) Joint Task Force Global Network Operations (JTF-GNO), a standing joint task force under the command of USSTRATCOM, is organized to protect and defend the GIG. (100) Of the twelve doctrinally assigned tasks to JTF-GNO, the first is listed, "direct GIG NETOPS NETOPS Network Operations NETOPS Nuclear Emergency Team Operations to ensure confidentiality, integrity, availability, and efficiency of the GIG infrastructure and information services." (101) In 2004, SECDEF ordered the services, combatant commands, and field agencies to comply with USSTRATCOM directives on securing the NIPRNet and SIPRNet. (102) At a minimum, a regulation must comprehensively and clearly articulate proscribed PROSCRIBED, civil law. Among the Romans, a man was said to be proscribed when a reward was offered for his head; but the term was more usually applied to those who were sentenced to some punishment which carried with it the consequences of civil death. Code, 9; 49. conduct. This conduct should include limitations on access to the Internet for official purposes only. It should also prohibit DOD personnel from engaging in other risky activity such as transferring DOD information on personal thumb-drives. It must also prohibit the use of software to by-pass technical blocking of websites. Finally, the regulation must educate personnel as to the importance of safeguarding government information systems. C. Hybrid Approach Because of the length of time it may take for the DOD to promulgate To officially announce, to publish, to make known to the public; to formally announce a statute or a decision by a court. a new regulation, independent commands may draft lawful orders or local regulations designed to reduce the amount of unofficial internet traffic. The only difficulty, other than those enunciated above, is that commands may have to rescind orders if these conflict with the regulation. D. Support from Other Jurisdictions. While the issuance of regulations or orders limiting access to the internet for official use is important, guidance from federal and state courts, as well as administrative decisions should to be considered in the enforcement of rules. For instance, in Eliserio v. United Steelworkers of America, Local 310, (103) the Eighth Circuit Court of Appeals, in overruling a lower court's grant of summary judgment, found that the enforcement of rules against Internet misuse was arbitrary and could have occurred as a result of unlawful discrimination. (104) In Thompson v. State Civil Service Commission, (105) the Pennsylvania Appellate Court upheld a county's decision to terminate an individual's government employment resulting from violations of the county's computer use policies. Although part of the decision to terminate employment occurred as a result of the individual accessing sites containing nudity, evidence that the individual "surfed" the Internet for at least twenty to thirty percent of the workday was also a reason. (106) Decided by the Connecticut Supreme Court The Connecticut Supreme Court, formerly known as the Connecticut Supreme Court of Errors, is the highest court in the U.S. state of Connecticut. It consists of a Chief Justice and six Associate Justices. this year, McCann v. Department of Environmental Protection (107) is the most compelling and relevant case to the issue of reducing risk through regulations on social behavior. McCann began his employment with the state government in 1985. (108) Over time, the state issued McCann a laptop computer. In 1998, the state government issued a directive to its employees that government-issued computers were for "official and authorized business purposes." (109) The state informed its employees that violations of the directive could result in discipline including job termination. In 2001 and 2002, McCann's supervisors reiterated the state directive's prohibitions against unofficial use and articulated a "zero tolerance The policy of applying laws or penalties to even minor infringements of a code in order to reinforce its overall importance and enhance deterrence. Since the 1980s the phrase zero tolerance has signified a philosophy toward illegal conduct that favors strict imposition of " policy towards violators. In 2002, the state discovered McCann had downloaded a K-Mart commercial software package onto his computer after he brought his computer to a repair center. A supervisor verbally reprimanded McCann after this discovery. During an "upgrade," in 2004, a Wal-Mart Internet commercial software program was found on a second state-issued computer used by McCann. Additionally, computer technologists discovered over 7,000 commercial web entries and a latent virus Latent virus A nonactive virus which is in a dormant state within a cell. Herpes virus is latent in cells of the nervous system. Mentioned in: Genital Herpes capable of degrading the state's computer networks. Later that year, a third state-issued laptop computer used by McCann was infected after he accessed several unofficial websites. The state notified McCann it had decided to terminate McCann's employment based on numerous violations which placed the state's information systems at risk. Because McCann belonged to a collective bargaining unit, he was entitled to an administrative hearing administrative hearing n. a hearing before any governmental agency or before an administrative law judge. Such hearings can range from simple arguments to what amounts to a trial. There is no jury, but the agency or the administrative law judge will make a ruling. . The arbitrator determined McCann was given enough notice that his conduct violated state rules and the employment termination was justified. Important to this article's advocacy was the arbitrator's determination that "unauthorized use of [McCann's] laptop ... caused it to be infected with a virus that threatened the [s]tate's entire computer network, no small matter." (110) McCann appealed to a state trial court, which ruled that the arbitrator failed to consider whether the state "offered McCann progressive discipline" and improperly excluded evidence of prior arbitrated agreements between the state and third parties who engaged in similar conduct, as well as the issue as to whether the state had disciplined employees for similar conduct. (111) The trial court determined that the evidence did not support the arbitrator's assessment of the risk to Connecticut's state computer systems caused by McCann's conduct. (112) The Connecticut Supreme Court reversed the trial court's determination as to the arbitrator's failure to include disputed evidence but agreed that the arbitrator could not have made the risk determination based on the quantum of evidence the state provided. (113) However, the state supreme court upheld the arbitrator's decision to support McCann's employment termination and, more importantly, left open the prospect that conduct such as McCann's, which created vulnerabilities to malicious code, could be the basis for disciplinary action. (114) This is precisely the construct which the DOD should adopt in enforcing regulations on unofficial Internet access. V. CONCLUSION One need only to look at the open source headlines and academic literature to understand the depth of the problem facing the DOD. These threats span a wide range, from the exfiltration of data to full scale denial of service attacks. As previously noted, a well-intentioned e-mail user within the DOD sent a link to an infected Internet game site. Two current nation-state adversaries, or their citizens, have repeatedly attempted to probe weak-points within the DOD and defense contractors. (115) At least three weeks prior to the Russian invasion of Georgia, Russian government agencies, or its citizens, independently stepped up cyber attacks on Georgia. (116) The potential for a terrorist strike against DOD information systems must be considered. The primary vector of attack will be through the Internet to the NIPRNet connection points. In essence, the threat to DOD information systems through cyberspace is very real, and a defense in depth is required to meet it. The defense should begin with social behavior, in essence, modifying the culture of permissive use, but include technical solutions as well. It may be the case that commanders, judge advocates, and DOD personnel will view the implementation of a new regulation or series of orders designed to reduce the amount of Internet access traffic as a draconian measure. But, a decision to maintain the status quo [Latin, The existing state of things at any given date.] Status quo ante bellum means the state of things before the war. The status quo to be preserved by a preliminary injunction is the last actual, peaceable, uncontested status which preceded the pending controversy. and continue the permissive browsing of the Internet increases the risk of dangers ranging from exfiltration of data to a cyber "Pearl Harbor." Understandably, the DOD and its commanders possessing UCMJ authority may want to resist measures which will likely be detrimental to morale. Certainly, a DOD-wide regulation should exempt deployed servicemembers, as well as personnel assigned to naval vessels operating at sea, because an alternative private means to access the Internet is unlikely to exist in austere locations. It is also understandable that commanders and departmental leaders will worry about recruiting and retention, both for uniformed personnel and the civilian workforce, and therefore not wish to create a policy limiting use. One solution may be for the acquisition of Internet connected computers in cafes and kiosks not connected to the .rail network. This solution, while outside the scope of this article, should be considered for later advocacy. Social behavior, even in the armed services, cannot change without education and the development of policy. This is true, particularly, where the behavior to be limited is predicated on the assumption that no harm is caused by it. But the risk factors involved in unfettered internet access are too great to ignore. As a result, the DOD, or, in the absence of DOD action, responsible commanders with the support of their military legal community, should lay the groundwork for changing the paradigm. Department of Defense DIRECTIVE NUMBER XXXX XXXX Army (Graphical Representation/Army) XXXX Fourex (Australian beer) XXXX Four X Level of Decontamination [Month] [Day], [Year] Appendix 1 SUBJECT: Protection of DoD Information Systems References: (a) DoD Directive 8100.1, "Global Information Grid (GIG) Overarching Policy," September 19, 2002 (b) DoD 5025.1-M, "DoD Directives System Procedures," current edition (c) DoD 5500.7-R, Joint Ethics Regulation (d) Chapter XX of title 10, United States Code Noun 1. United States Code - a consolidation and codification by subject matter of the general and permanent laws of the United States; is prepared and published by a unit of the United States House of Representatives U. S. 1. PURPOSE This directive: 1.1. Establishes policy for eliminating the high level of unofficial use of Department of Defense (DoD) information systems, including systems used to access NIPR Noun 1. NIPR - a clandestine group of leftist extremists who oppose Italy's labor policies and foreign policy; responsible for bombing building in the historic center of Rome from 2000 to 2002 , SIPR SIPR Secure Internet Protocol Router SIPR Scottish Institute for Policing Research SIPR Secret Internet Protocol, Routed SIPR Spurious IP Packet Rate SIPR Seniors Independence Research Program SIPR Special In-Progress Review SIPR Système d'Informations Périnatales Régional , and other information systems. 1.2. Assigns responsibilities, and prescribes procedures for the Military Departments, Combatant Commands (COCOMS), and agencies regarding the use of DoD information systems and reporting of violations of this instruction. 1.3. This instruction does not supplant or replace other regulations, policies, and instructions governing the use of government property or the protection, handling, and use of classified information. 2. APPLICABILITY AND SCOPE This directive applies to: 2.1. The Office of the Secretary of Defense The Office of the Secretary of Defense (OSD) is part of the United States Department of Defense and includes the entire staff of the Secretary of Defense. It is the principal staff element of the Secretary of Defense in the exercise of policy development, planning, resource , the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Office of the Inspector General Office of the Inspector General (or OIG) is a common sub-agency within cabinet-level agencies of the United States federal government and serves as auditing and investigative arm of the agency's programs focused on identifying waste, fraud and abuse. of the Department of Defense, the Defense Agencies, and all other organizational entities in the Department of Defense (hereafter referred to collectively as "the DoD Components"). 2.2. The Coast Guard when it is not operating as a Military Service in the Department of the Navy by agreement with the Department of Homeland Security Noun 1. Department of Homeland Security - the federal department that administers all matters relating to homeland security Homeland Security executive department - a federal department in the executive branch of the government of the United States ; and the Commissioned Corps of the United States This is a list of corps of the United States. Active Corps (As of 2005)
USPHS abbr. United States Public Health Service ) and the National Oceanic and Atmospheric Administration (NOAA NOAA abbr. National Oceanic and Atmospheric Administration Noun 1. NOAA - an agency in the Department of Commerce that maps the oceans and conserves their living resources; predicts changes to the earth's environment; ), under agreements with the Department of Health and Human Services Noun 1. Department of Health and Human Services - the United States federal department that administers all federal programs dealing with health and welfare; created in 1979 Health and Human Services, HHS (hereafter referred to collectively as "Other Uniformed Services"). The term "Military Services," as used herein, refers to the Army, the Navy, the Air Force, the Marine Corps, and the Coast Guard; and their respective National Guard and Reserve components. The term "Uniformed Services" refers to the Army, the Navy, the Air Force, the Marine Corps, the Coast Guard, the Commissioned Corps of the USPHS, and the Commissioned Corps of the NOAA. 2.3. DoD-owned information systems (IS) and DoD controlled IS operated by contractors or other entities on behalf of the DoD that receive, process, store, or display, or transmit DoD information, regardless of classification or sensitivity, consistent with Reference (x). 3. DEFINITIONS Terms used in this directive are defined in Enclosure 1. 4. POLICY Commensurate with the determination that Global Information Grid (GIG) is a war-fighting domain, it is DoD policy to protect the confidentiality, integrity, and availability of classified and unclassified, but protected information, located on the GIG; and, to ensure the DoD components have complete access to the GIG per mission needs. 4.1. Internet traffic from DoD information systems has exponentially increased each year, creating challenges to unhindered GIG access. These challenges include risks posed by malicious code, as well as clogged pipelines. Furthermore, it is estimated that in FY 2007 at least 60% of all internet traffic originating from DoD information systems is accessed for unofficial (non-mission related) purposes. 4.2. DoD information systems are also placed at risk through the interface of private computer systems and information transfer technologies. 4.3. With the growth and increasing complexity of malicious code, unofficial use of the DoD information systems on the NIPRNet must be curbed to the maximum extent practicable. 4.4. Unofficial use includes, but is not limited to: accessing internet sites not directly related to military duty, "web-surfing," accessing non DoD web-mail from DoD information systems, and, the transfer of official files from DoD computers to non-DoD computers without the prior authorization prior authorization, n See predetermination. prior authorization Health insurance A cost containment measure that provides full payment of health benefits only if the hospitalization or medical treatment has been of the first general officer in a chain of command or civilian equivalent. It also includes the use of privately owned (non-DoD appropriated) information transfer technologies such as personal thumb-drives, on DoD information systems. 4.5. This directive exempts DoD personnel deployed to the CENTCOM CENTCOM US Central Command CENTCOM Coalition Central Command AOR AOR The ISO 4217 currency code for Angolan Reajustado Kwanza. or other deployed regions, DoD personnel aboard naval vessels or space vehicles as a local commander may direct. 5. RESPONSIBILITIES 5.1. The Commander, United States Strategic Command United States Strategic Command (USSTRATCOM) is one of the ten Unified Combatant Commands of the United States Department of Defense. USSTRATCOM controls the nuclear weapons assets of the United States military. (CDRUSSTRATCOM CDRUSSTRATCOM Commander, United States Strategic Command (US DoD) ) shall: 5.1.1. Draft and implement policy to limit the unofficial access to the internet through DoD information systems, consistent with the authority to operate and defend the GIG. 5.1.2. Test and evaluate scientific and technological methods for limiting unofficial access to the internet. 5.1.3. In cooperation with the Assistant Secretary of Defense for Networks and Network Integration, draft and develop enforceable policy to hold accountable DoD agencies and personnel who place the GIG at increased risk. 5.1.4. Monitor compliance with DoD policy limiting the use of access to internet for official purposes and make a quarterly report to OSD (1) (On-Screen Display) An on-screen control panel for adjusting monitors and TVs. The OSD is used for contrast, brightness, horizontal and vertical positioning and other monitor adjustments. . 5.1.5. Develop policy for investigating Cyber intrusion and malicious code events. 5.1.6. Report to the Secretary of Defense the results of investigations, the availability of the GIG, and DoD compliance to this directive. 5.2. The Assistant Secretary of Defense for Networks and Network Integration (ASD/NII) shall: 5.1.1. In cooperation with USSTRATCOM, draft and implement policy to limit the unofficial access to the internet through DoD information systems. 5.1.2. In cooperation with USSTRATCOM, monitor compliance with this instruction 5.3 The General Counsel to the Office of the Secretary of Defense shall: 5.3.1. Modify DoD 5500.7-R, the Joint Ethics Regulation, to comport See COM port. with this policy, and modify other departmental regulations as needed as needed prn. See prn order. . 5.4. The Secretaries of the Military Departments shall: 5.4.1. Draft and implement punitive regulations to curb the use of DoD information systems to access the internet for unofficial purposes. 5.4.2. Modify existing service regulations to comport with this directive. 5.4.3. Educate members of their respective services as to the inherent dangers posed by internet access from DoD information systems. 5.4.4. Support CDRUSTRATCOM or the designated agency within the COCOM COCOM Coordinating Committee for Multilateral Export Controls COCOM Coordinating Committee COCOM Combatant Commander COCOM Corporate Communications COCOM combatant command (command authority) (US DoD) on all cyber intrusion investigations. 5.5. The Chairman of the Joint Chiefs of Staff shall: 5.5.1 Develop or modify joint doctrine and associated joint tactics, techniques, and procedures for the GIG and ensure the compatibility of the Chairman of the Joint Chiefs of Staff Instructions with this regulation. 5.6. Authorized Users of DoD information systems shall: 5.6.1. Access the internet only for mission related purposes as defined in enclosure (A) 5.6.1. Access only that data, control information, software, hardware, and firmware for which they are authorized access and have a need-to-know, and assume only those roles and privileges for which they are authorized. 5.6.2. Use only DoD issued hardware and software for transferring electronic data. 5.6.3. Report suspected violations of DoD policy to an immediate supervisor, or if not practicable, to the next highest level. 6. EFFECTIVE DATE This Instruction is effective immediately. ENCLOSURE DEFINITIONS E1. Global Information Grid (GIG) E1.1 The globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes all owned and leased communications and computing systems and services, software (including applications), data, security services, and other associated services necessary to achieve Information Superiority. It also includes National Security Systems as defined in section 5142 of the Clinger-Cohen Act of 1996. The GIG supports all Department of Defense, National Security, and related Intelligence Community missions and functions (strategic, operational, tactical, and business), in war and in peace. The GIG provides capabilities from all operating locations (bases, posts, camps, stations, facilities, mobile platforms, and deployed sites). The GIG provides interfaces to coalition, allied, and non-DoD users and systems. E1.2. Includes any system, equipment, software, or service that meets one or more of the following criteria: transmits information to, receives information from, routes information among, or interchanges information (DODD 8100.1). E3. NIPRNET. Non-Classified Internet Protocol Router Network. A computer network for unclassified, but sensitive information supporting the DoD (JP 6-0). E4. SIPRNET: Secret Internet Protocol Router Network Worldwide SECRET level packet switch network that uses high-speed internet protocol routers and high-capacity Defense Information Systems Network circuitry. Also called SIPRNET. See also Defense Information Systems Network. . The worldwide SECRET-level packet switch network that uses high-speed internet protocol routers and high-capacity Defense Information Systems Network circuitry (JP 6-0). E5. UNOFFICIAL USE: Use which does not relate to the functions or necessities of DoD personnel or mission sets. SECDEF GENERAL ORDER #1 From: Honorable Robert M. Gates SECDEF To: Date: 1. Statement of Military Purpose and Necessity: The amount of DoD network resources devoted to internet and web traffic has increased exponentially over the past several years. Analysis indicates the majority of this traffic occurs for non official purposes. Not only does this drain resources better devoted to the DoD mission, but each connection exposes DoD networks to additional risk. The aggregate risk across DoD associated with this unnecessary exposure is substantial and unacceptable. DoD personnel have long operated on the assumption that using DoD network resources for personal purposes was cost free. It is not. DoD networks must be reclaimed for official use only. 2. Prohibited Activities: a. Use of DoD computers and/or networks to access the internet and world wide web resources if the intended purpose of that access does not serve an official purpose. Examples of prohibited activities include recreational web surfing; personal use of social networking, gaming, and shopping sites; and the use of peer-to-peer networks. b. The connection of any personal electronic device or media to DoD computing equipment. c. Connection from DoD networks to any web-mail services hosted outside the .mil domain. d. The transfer of non-public DoD files to home systems; the transfer of files from home system back to DoD systems. 3. Email: This order does not place additional restrictions on whether DoD personnel may send personal email from DoD-supplied email accounts beyond what is already regulated through DoD Directive 5500.7, dated 30 August 1991 (Joint Ethics Regulation), or prohibited by other laws and policy. 4. Punitive Order: Paragraph 2 of this General Order is punitive. Persons subject to the Uniform Code of Military Justice may be punished thereunder. Civilians serving with or employed by the Armed Forces of the United States may face adverse administrative action for violation of this General Order. 5. Individual Duty: All persons subject to this General Order are charged with the individual duty to refrain from any use of DoD computers and networks in a manner that unnecessarily (other than an official purpose) connects them through the Internet/World Wide Web to non DoD systems. Questions regarding whether a particular use serves an official purpose should be referred, in advance, to a supervisor or commander. 6. Unit Commander Responsibility: Unit commanders and supervisors are charged to ensure all personnel are briefed on the prohibitions and requirements of this General Order. Commanders and supervisors are expected to implement monitoring programs to assist with enforcing this order. 7. Effective Date: This General Order is effective immediately. 8. Expiration: This general order will remain in effect until rescinded, waived, or modified. 9. Waiver Authority: Authority to waive or modify the prohibitions of this order is delegated to the first Flag, General Officer, or SES in an individual's chain of command or supervision. Any waiver or modification must be documented in writing and indicate the specific factors that justify the waiver or modification. (1) Memorandum from Deputy Secretary of Defense to Secretaries of the Military Departments et al., subject: The Definition of "Cyberspace" (12 May 2008) [hereinafter Dep SECDEF Memo]. The memorandum defines cyberspace as: "A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the internet, telecommunications networks, computer systems, and embedded processors and controllers." Id.; see also U.S. DEP'T OF DEF. JOINT PUB. 1-02, DICTIONARY OF MILITARY AND ASSOCIATED TERMS, 141 (12 Apr. 2001, as amended through 17 Mar. 2009). This definition is bolstered in part by U.S. DEP'T OF DEF. DIR. 8320.02, DATA SHARING IN A NET CENTRIC DEPARTMENT OF DEFENSE para. 4.1 (23 Apr. 2007) [hereinafter DODD 8320.02], which states, "Data is an essential enabler of network-centric warfare (NCW NCW Network Centric Warfare NCW Nederlands Christelijk Werkgeversverbond (Den Haag, Netherlands) NCW National Commission for Women (India) NCW National Council of Women (UK) ) and shall be made visible, accessible, and understandable to any potential user in the Department of Defense as early as possible in the life cycle to support mission objectives." (2) Dep SECDEF Memo, supra A relational DBMS from Cincom Systems, Inc., Cincinnati, OH (www.cincom.com) that runs on IBM mainframes and VAXs. It includes a query language and a program that automates the database design process. note 1. (3) See, e.g., Lieutenant General Keith Alexander, Warfighting in Cyberspace, 46 JOINT FORCE Q. 58, 58-61 (3d Quarter 2007); General James E. Cartwright, USSTRATCOM, a Command for the 21st Century, 42 JOINT FORCE Q. 71 (3d Quarter 2006); JOINT CHIEFS OF STAFF, JOINT PUB. 3-1 I, JOINT OPERATIONS, at III-22 (13 Feb. 2008) [hereinafter JP 311]; JOINT CHIEFS OF STAFF, JOINT PUB. 3-13 INFORMATION OPERATIONS, at I-4 (13 Feb. 2006) [hereinafter JP 3-13]. A facet of cyberspace as a warfighting domain was already accepted in terms of net-centric warfare (NCW). See, e.g., DODD 8320.02, supra note l, at E 1.1.18 which defines NCW as: An information superiority-enabled concept of operations that generates increased combat power by networking sensors, decision makers, and shooters to achieve shared awareness, increased speed of command, higher tempo of operations, greater lethality, increased survivability, and a degree of self-synchronization. In essence, NCW translates information superiority into combat power by effectively linking knowledgeable entities in the battlespace. Also note, in the 2004 National Military Strategy for the United States, the Chairman of the Joint Chiefs of Staff noted "the Armed Forces must have the ability to operate across the air, land, sea, space and cyberspace domains of the battlespace." CHAIRMAN OF THE JOINT CHIEFS OF STAFF, NATIONAL MILITARY STRATEGY OF THE UNITED STATES 18 (unclassified version, 2004) [hereinafter NAT'L MIL. STRATEGY]. (4) U.S. DEP'T OF HOMELAND SEC., THE NATIONAL STRATEGY TO SECURE CYBERSPACE, (February 2003) [hereinafter NATIONAL CYBERSPACE STRATEGY]. This article's argument comports with the third of five priorities set out in the Strategy, to raise national cybersecurity awareness. (5) Two articles containing an impressive holistic discussion of cyberspace as a commons rather than a property are: Dan Hunter, Cyberspace as Place and the Tragedy of the Digital Anticommons, 91 CAL, L. REV. 439 (2003); Jonathan J. Rusch, Cyberspace and the "Devil's Hatband," 24 SEATTLE U. L. REV. 577 (2000). (6) See, e.g., Gregory F. Intoccia & Joe Wesley Moore, Communications Technology, Warfare, and the Law: Is the Network A Weapon System?, 28 Hous. J. INT'L L. 467 (2006); Davis Brown, A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict, 47 HARV HARV High Alpha Research Vehicle (NASA test plane) HARV High Altitude Research Vehicle HARV High Altitude Reconnaissance Vehicle . INT'L L.J. 179 (2006); Ruth G. Wedgwood, Proportionality, Cyberwar Refers to hostile attacks and illegal invasions of computer systems and networks. See information warfare. , and the Law of War, 76 INT'L L. STUD. 219, 222 (2002); DOROTHY E. DENNING, INFORMATION WARFARE AND SECURITY 65 (1999). (7) U.S. DEP'T OF DEE., DIR 8100.01, GLOBAL INFORMATION GRID, OVERARCHING POLICY para. E.2.1.1 (Sept. 19, 2002; certified current Nov. 21, 2003) [hereinafter DODD 8100.00], defines cyberspace as, the notional environment in which digitized information is communicated over computer networks. The DOD portion of cyberspace is referred to as the Global Information Grid, or "GIG." DODD 8100.01 defines the GIG as: The globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services necessary to achieve Information Superiority. (8) See, e.g., Vida M. Antolin-Jenkins, Defining the Parameters of Cyberwar Operations: Looking for Law in All the Wrong Places?, 51 NAVAL L. REV. 132, 132-133 (2005). (9) Offensive actions fall under the rubric of Computer Network Attack (CNA (Certified NetWare Administrator) See Novell certification. ) which is doctrinally defined as "actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves." JP 3-13, supra note 3, at II-5. Defensive actions fall under the rubric of computer network defense (CND) which is doctrinally defined as "actions taken ... to protect, monitor, analyze, detect, and respond to unauthorized activity within the Department of Defense information systems and computer networks." Id. Intelligence and other activities on the network, such as operations preparation of the battlespace, generally fall under the rubric of computer network exploitation (CNE (Certified NetWare Engineer) See Novell certification. ). Id. CNE is defined as enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks, Id. (10) See, e.g., Nick Wingfield, The Rise and Fall of Web Shopping at Work, WALL STREET J., Sep. 27, 2002, at B1; Charging By the Byte, N.Y. TIMES, June 14, 2008, at C2 (discussion of bandwidth costs); Michael W. Carroll Michael W. Carroll is an Associate Professor of Law at the Villanova University School of Law. He is also one of the founding Board Members of Creative Commons, a not-for-profit organization devoted to expanding the range of creative work available for others to legally build upon and , Open Access Publishing Open access publishing is the publication of material in such a way that it is available to all potential users without financial or other barriers. An open access publisher is a publisher producing such material. and the Future of Legal Scholarship : The Movement for Open Access Law, 10 LEWIS & CLARK L. REV. 741 (2006) (arguing for freedom of access to both primary secondary legal materials). (11) DEF. INFO. SERVICES AGENCY ANNUAL BUDGET REVIEW (2007) (on file with author and DISA). (12) Colonel Peter Marsksteiner, The Threat from Within: E-Mail Overload Degrades Military Decision Making, ARMED FORCES J., Sept. 2008, at 32, available at http://www.armed forcesjournal.com/2008/09/3640424/. (13) NATIONAL CYBERSPACE STRATEGY, supra note 4, at 6; see also, ROBERT H. ANDERSON ET AL., RAND MONOGRAPH REPORT: SECURING THE U.S. DEFENSE INFORMATION INFRASTRUCTURE 17-45 (2007). For a discussion on spoofing, see Marc M. Harrold, Prosecution Responses to Internet Victimization victimization Social medicine The abuse of the disenfranchised–eg, those underage, elderly, ♀, mentally retarded, illegal aliens, or other, by coercing them into illegal activities–eg, drug trade, pornography, prostitution. : Panel Discussion III, Working with Corporations on Case Investigations, 76 MISS. L. J. 875 (2007). (14) NAT'L INST. OF STANDARDS & TECH., SPECIAL PUB. 800-83, GUIDE TO MALWARE INCIDENT PREVENTION AND HANDLING 2-1 (Nov. 2005) [hereinafter NIST SP 800-83]. NIST recommendations are not binding on government agencies, and in particular, national security systems are exempt from NIST directives. Organizations should plan and implement an approach to malware incident prevention based on the attack vectors that are most likely to be used, both currently and in the near future. Because the effectiveness of prevention techniques may vary depending on the environment (i.e., a technique that works well in a managed environment might be ineffective in a non-managed environment), organizations should choose preventive methods that are well-suited to their environment and systems. An organization's approach to malware incident prevention should incorporate policy considerations, awareness programs for users and information technology (IT) staff, and vulnerability and threat mitigation efforts. Id., at 3-17; see, e.g., Federal Information Security Management Act of 2002 (FISMA FISMA Federal Information Security Management Act of 2002 FISMA Federal Information System Management Act ), 44 U.S.C. [section][section] 3541-49 (2006). (15) A good discussion of this problem in found in NAT'L INST. OF STANDARDS & TECH., SPECIAL PUB. 800-28-v2, GUIDELINES ON ACTIVE CONTENT AND MOBILE CODE 3-3 (Mar. 2005) [hereinafter NIST SP 800-28-v2]. (16) NAT'L INST. OF STANDARDS & TECH., SPECIAL PUB. 800-53-r2, RECOMMENDED SECURITY CONTROLS FOR GOVERNMENT INFORMATION SYSTEMS B-6 (Dec. 2007) defines malicious code as software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of an information system, such as a virus, worm, Trojan Horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. (17) See, e.g., William H. McMichael & Bruce Rolfsen, Despite Network Virus--Avoid Thumb Drives, A.F. TIMES, Dec. 8, 2008, at 13. (18) NIST SP 800-28-v2, supra note 15, at 3-1); see also 3 HOSSEIN BIDGOLI, INFORMATION SECURITY: THREATS, VULNERABILITIES, PREVENTION, DETECTION, AND MANAGEMENT 44-45 (2006). (19) See, e.g., Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REV. 1003, 1023-26 (2001). A good discussion on the subject of malicious code is also found in State v. Corcoran, 522 N.W.2d 226 (Wis. Ct. App. 1994). (20) See, e.g., Lolita C. Baldor, Associated Press, Pentagon Bans Computer Flash Drives, THE SUNDAY OREGONIAN, Nov. 23, 2008, at A3. (21) See, e.g., Edmund X. DeJesus, Airborne Viruses, INFO. SECURITY MAG., Apr. 2001, at 9, available at http://islab.oregonstate.edu/news/2001-04-15.pdf. Notions of "air gap" protection have changed over time. Prior to the widespread use of wireless technology, the "air gap" was thought of as a pure protection. See, e.g., Steven A. Heinrich & Roxana Dastur A dastūr is a Zoroastrian high priest who has authority in religious matters and ranks higher than a Mobad or Herbad. In modern usage the term dastūr refers mostly to Parsi priests in India. Boyce, Mary (2001). Zoroastrians, their religious beliefs and practices. Malladi, News of the Wired: Security, the Network, and the Networked Office, 56 OR. ST. B. BULL. 15, 16 (1995). The Oregon Bar advised law firms: The only foolproof protection against penetration of a system is an "air gap." The only way that a computer or a networked office can be fully protected from hackers is to have a physical gap separating every computer in that office system from the Internet or the telephone system. The term "air gap" means an absolute communications gap between the computer system and the Net or the telephone. However, wireless technology has rendered this type of security obsolete. (22) "Air gap" architecture is explained in BIDGOLI, INFORMATION SECURITY, supra note 18, at 522-524. (23) These factors are found in a number of Executive Statements and DOD publications. See, e.g., NAT'L MIL. STRATEGY, supra note 3, at 15-19; U.S. DEP'T OF DEF. DIR. 5205.2, OPERATIONAL SECURITY (OPSEC (OPerations SECurity) The U.S. military term for concealing critical information as part of a counterintelligence plan. A form of "security by obscurity," OPSEC determines what information adversaries can obtain or piece together from observation and to provide measures for ) PROGRAM (29 Nov. 1999) [hereinafter DODD 5205.2]. (24) See, e.g., GENERAL JAMES T. CONWAY For other persons named James Conway, see James Conway (disambiguation). James Terry Conway (born December 26, 1947) is a General in the United States Marine Corps. On November 13, 2006, General Conway became the 34th Commandant of the Marine Corps. , ADMIRAL GARY ROUGHEAD & ADMIRAL THAD THAD Theater High Altitude Defence THAD Total Heat-Affected Depth THAD Talking Head Avoidance Device (creative writing technique) W. ALLEN, A COOPERATIVE STRATEGY FOR TWENTY-FIRST CENTURY SEAPOWER (Oct. 2007), available at http://www.navy.mil/maritime/MaritimeStrategy.pdf. (25) See, e.g., Steven Myers, Cyberattack on Estonia Stirs Fears of 'Virtual War,' N.Y. TIMES.COM (1) (Computer Output Microfilm) Creating microfilm or microfiche from the computer. A COM machine receives print-image output from the computer either online or via tape or disk and creates a film image of each page. , May 18, 2007, http://www.nytimes.com (last visited Sept. 15, 2009); Associated Press, Estonian Links Moscow to Internet Attack, N.Y. TIMES, May 18, 2007, available at http://www.nytimes.com (last visited Sept. 15, 2009). The Estonian cyber experience is by no means the only conflict involving cyberspace which should concern national security. NATO NATO: see North Atlantic Treaty Organization. NATO in full North Atlantic Treaty Organization International military alliance created to defend western Europe against a possible Soviet invasion. operations in Kosovo were frequently the target of hackers. See, e.g., George K. Walker, Information Warfare and Neutrality, 33 VAND. J. TRANSNAT'L L. 1079, 1082-1084 (2000). (26) This definition is taken in part from U.S. DEP'T OF DEF. JOINT PUB. 1-02, DICTIONARY OF MILITARY AND ASSOCIATED TERMS, supra note 1, which defines "Official Information" as "information that is owned by, produced for or by, or is subject to the control of the United States Government." Id. at 390. (27) See Internet Denial of Service Attacks and the Federal Response: Joint Hearing Before the Subcomm. on Criminal Justice Oversight of the S. Judiciary Comm and the Crime Subcomm. of the H. Judiciary Comm., 106th Cong. 35-37 (2000) (statement of Michael A. Vatis, Director, FBI National Infrastructure Protection Center); see also Cyber Threats and the U.S. Economy: Joint Hearing Before the Econ. Comm., 106th Cong. (2000) (statement of Dr. Mark Graft, Sun Microsystems), 2000 WL 11068388. (28) See, e.g., White Hat, Malicious Code Study (2008) (on file with Joint Task Force Global Network Operations, Arlington, Va.); Symantec, Security Response Team White Papers, Privacy: A Study of Attitudes and Behaviors in US, UK and EU Information Security Professionals (Oct. 2003), http://www.symantec.com (last visited Sept. 17, 2009); McAFEE, MAPPING THE MAL-WEB REVISITED (Jun. 4, 2008), http://www.mcafee.com (last visited Sept. 17, 2009). (29) See, e.g., Antolin-Jenkins, supra note 8 at 133. Jenkins notes that 95% of military information traffic utilizes civilian networks at some stage of communication. Id., citing Ronald Knecht & Ronald A. Grove, The Information Warfare Challenges of a National Information Infrastructure (Mar. 22, 2009) (unpublished U.S. Army War College Strategy Research Project), available at http://www.dtic.mil/cgi-bin/. (30) DEF. INFO. SERVICES AGENCY REPORT (2007) (delivered to U.S. Congress, on file with author and DISA). (31) JOINT TASK FORCE GLOBAL NETWORK OPERATIONS REPORT (2008) (delivered to the Joint Chiefs of Staff, on file with author). (32) Id. (33) Id. Higher systems include Intelligence Community (IC) networks. (34) 10 U.S.C. [section] 2224(a) (2006). (35) 10 U.S.C. [section] 2224(b) (2006). (36) l0 U.S.C. [section] 2224(c) (2006). (37) SSN SSN abbr. Social Security Number : Applicant for Security Clearance, ISCR ISCR Investor Summit on Climate Risk Case No. 02-29244, 2005 DOHA LEXIS 681 (Defense Office of Hearings & Appeals Apr. 6, 2005); SSN: Applicant for Security Clearance, ISCR Case No. 02-16613, 2004 DOHA LEXIS 86 (Defense Office of Hearings & Appeals Mar. 10, 2004). Both of these cases involve a contractor's loss of clearance after violating government regulations on internet misuse prohibiting pornography. (38) U.S. DEP'T OF DEF., Din. 5500.7-R, JOINT ETHICS REG. (30 Aug. 1993) (C6, 29 Nov. 2007) [hereinafter JER]. The Department of Defense General Counsel manages the Joint Ethics Regulation and all programs underneath it. Id. [section] 1-407. (39) Id. at 43. (40) Id. [section] 1-300. (41) See Standards of Ethical Conduct for Employees of the Executive Branch, 5 C.F.R. [section] 2635 (1978). Department personnel are also required to comply with 5 C.F.R [section] 2635.101 (a) which states: Public service is a public trust. Each employee has a responsibility [to the United States Government and its citizens to place loyalty to the Constitution, laws and ethical principles above private gain. To ensure that every citizen can have complete confidence in the integrity of the Federal Government, each employee shall respect and adhere to the principles of ethical conduct set forth in this section, as well as the implementing standards contained in this part and in supplemental agency regulations. (42) See, e.g., Parker v. Levy, 417 U.S. 733, 755 (1974) (An accused must be on notice that his conduct is unlawful and that the article fairly informs "that the particular conduct which he engaged in was punishable"). Although the notice requirement of the Joint Ethics Regulation has apparently not been challenged at the appellate level, it is reasonable to assume it meets this due process standard. (43) See MANUAL FOR COURTS-MARTIAL, UNITED STATES pt. IV, [paragraph]16a (2008) [hereinafter MCM (MultiChip Module or MicroChip Module) A chip package that contains several bare chips mounted close together on a substrate (base) of some kind. ]. (44) Frizelle v. Slater, 111 F.3d 172, 177 (D.C. Cir. 1997). (45) United States v. Marcum, 60 M.J. 209 (C.A.A.F. 2006). (46) Id. at 210. The specification read: [D]id, at or near Seymour Johnson Air Force Base, on or about 9 May 9 2002, violate a lawful general regulation, to wit: the Joint Ethics Regulation, Department of Defense Directive 5500.7-R, Chapter 5, [paragraph] 5-400(a), dated 30 August 1993, by wrongfully accepting currency of some value for arranging for Federal Prison Camp Inmate [G] to meet in private with his friend [Ms. ADP] at a billeting room at the Southern Pines Inn, a willful violation of [his] lawful duties to supervise the work of the said Federal Prison Camp Inmate. (47) See United States v. Hays, 62 M.J. 158 (C.A.A.F. 2005). (48) See 5 U.S.C. [section] 1204 (2006) for the authority of the MSPB. See also, Fine v. Peters, 2000 EEOPUB LEXIS 4525 (U.S. Equal Employment Opp. Comm. 2000). (49) Barnes v. Dep't of Def., 2006 MSPB LEXIS 3148 (Merit Systems Protection Board 2006). (50) Siozon-Peterson v. Dep't of the Air Force, 2005 MSPB LEXIS 2067 (Merit Systems Protection Board 2005). (51) Reynolds v. Dep't of the Army, 2003 MSPB LEXIS 1087 (Merit Systems Protection Board 2003). (52) JER, supra note 38, [section] 2-301(a). (53) See, e.g., United States v. Cornell, 15 M.J. 932 (C.M.A. 1983) (determining that personal telephone use could be charged as larceny, instead of under the JER); United States v. Abeyta, 12 M.J. 507 (A.C.M.R. 1981) (determining that personal telephone use could be charged as larceny, instead of under the JER). (54) MCM, supra note 43, pt. IV, [paragraph] 46b(1); see also United States v. Batiste ba·tiste n. A fine, plain-woven fabric made from various fibers and used especially for clothing. [French, from Old French, perhaps after Baptiste of Cambrai, 13th-century textile maker. , 11 M.J. 791 (A.F.C.M.R. 1981) (theft of urine sample a proper charge for larceny even though urine generally possesses no known value). Unlike urine, which has a theoretical owner, it is unlikely the prosecution could claim that the government was deprived of the GIG or that the GIG possesses a quantifiable--albeit nominal--value. It may be the case that the Internet is public and therefore abandoned property. See, e.g., United States v. Meeks, 32 M.J. 1033, 1035-1036 (A.F.C.M.R. 1992); United States v. Walls, 2 C.M.R. 650 (A.F.B.R. 1951). Moreover, the proof required to determine that a user who accesses the Internet for unofficial uses intended to deprive the government of its property could not likely be met by any reasonable quantum. (55) See JER, supra note 38, [section] 2-301(a). The JER notes: "Federal Government communication systems and equipment (including Government owned telephones, facsimile machines, electronic mail, interact systems, and commercial systems when in use is paid for by the Federal Government) shall be for official use and authorized purposes only." (56) Id. (57) JER, supra note 38, [section] 2-301(a)(2)(d) reads: Do not put Federal Government communication systems to uses that would reflect adversely on the DOD or the DOD Component (such as uses involving pornography; chain letters; unofficial advertising, soliciting or selling except on authorized bulletin boards established for such use; violations of statute or regulation; inappropriately handled classified information; and other uses that are incompatible with public service).... (58) See JER, supra note 38, [section] 2-301(a)(2)(b). (59) Id. [section] 2-301(a)(2)(c). (60) Id. (61) U.S. DEP'T OF DEF. DIR. 8500.01E, INFORMATION ASSURANCE (Oct. 24, 2002; certified current as of Apr. 23, 2007) [hereinafter DODD 8500.01E]. (62) Id. para. 4.12. DOD information systems shall regulate remote access and access to the Internet by employing positive technical controls such as proxy services and screened subnets, also called demilitarized zones (DMZ), or through systems that are isolated from all other DOD information systems through physical means. This includes remote access for steelwork. Id. (63) U.S. DEP'T OF DEF. INSTR INSTR Instrument INSTR Instructor INSTR Instruction given (on overtime forms) . 8500.2, INFORMATION ASSURANCE (IA) IMPLEMENTATION (Feb. 6, 2003) [hereinafter DODI 8500.2]. (64) Id. para. 5.12. DOD information systems shall regulate remote access and access to the Internet by employing positive technical controls such as proxy services and screened subnets, also called demilitarized zones (DMZ), or through systems that are isolated from all other DOD information systems through physical means. This includes remote access for steelwork. Id. (65) CHAIRMAN OF THE JOINT CHIEFS OF STAFF INSTRUCTION 6211.02C, DEFENSE INFORMATION SYSTEM NETWORK (DISN): POLICY, RESPONSIBILITIES AND PROCESSES (9 Jul. 2008) [hereinafter CJCSI 6211.02C]. (66) Id. encl. B, para. 9.r. DOD and non-DOD personnel (including supporting contractor personnel) are held personally and individually responsible and accountable for providing proper protection of classified information, controlled unclassified information, ISs, and/or networks under their custody and control.... DOD officials who hold command, management (e.g., DAA and Information Assurance Manager), or supervisory positions (e.g., Information Assurance Officer or supervisors) will ensure that the Information Security Program is efficiently implemented and managed within their areas of responsibility.... Id. (67) Id., para. n. (68) CHAIRMAN OF THE JOINT CHIEFS OF STAFF INSTRUCTION 6510.01E, INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND) (15 Aug. 2007, current as of 12 Aug. 2008) [hereinafter CJCSI6510.01E]. (69) While this document articulates roles and responsibilities of commands and individuals, a CJCSI is not a regulation of a punitive nature. (70) U.S. DEP'T OF ARMY, REG. 25-1, KNOWLEDGE MANAGEMENT AND INFORMATION TECHNOLOGY (4 Dec. 2008) [hereinafter AR 25-1]. (71) Id. at i. The regulation notes, "Portions of this regulation, which prescribes specific prohibitions, are punitive, and violations of these provisions may subject offenders to nonjudicial or judicial action under the Uniform Code of Military Justice." Id. (72) Id. at para. 6-1.f(5) (prohibiting the use of Army communications systems in ways "that could reasonably be expected to cause, directly or indirectly, congestion The condition of a network when there is not enough bandwidth to support the current traffic load. congestion - When the offered load of a data communication path exceeds the capacity. , delay, or disruption of service to any computing facilities or cause unwarranted or unsolicited interference with others' use of communications") While the regulation provides examples of conduct which could cause a detriment, the list is not all-inclusive. The list reads: (a) Create, download, store, copy, transmit, or broadcast chain letters. (b) "Spam" to exploit list servers or similar broadcast systems for purposes beyond their intended scope to amplify the widespread distribution of unsolicited e-mail. (c) Send a "letter-bomb" to re-send the same e-mail message repeatedly to one or more recipients, to interfere with the recipient's use of e-mail. (d) Broadcast unsubstantiated virus warnings from sources other than systems administrators. (e) Broadcast e-mail messages to large groups of e-mail users (entire organizations) instead of targeting the relevant audience. (f) Employ applications for personal use using streaming data, audio, and video; malicious logic and virus development software, tools, and files; unlicensed software; games; Web altering tools/software; and other software that may cause harm to Government computers and telecommunications systems. (g) Disseminating large files over e-mail instead of using shared drives.... Id. (73) See, e.g., United States v. Hernandez-Landaverde, 65 F. Supp. 2d 567 (S.D. Tex, 1999). Specific intent is defined at common law as follows: The intent to accomplish the precise criminal act that one is later charged with. General intent is defined as "the state of mind required for the commission of certain crimes not requiring specific intent. General intent usually takes the form of recklessness (involving actual awareness of a risk and the culpable taking of that risk), or negligence (involving blameworthy inadvertence)." Id. at 571 (citing BLACK'S LAW DICTIONARY 813 (7th ed. 1999)). (74) AR 25-1, para. 6-1.d(1) ("The Joint Ethics Regulation, Section 2-301, serves as the basis for Army policy on the use of telecommunications and computing systems. Users will abide by these restrictions to prevent security compromises and disruptions to Army communications systems."). (75) AR 25-1, para. 6-1.e. The regulation states the following: Authorized use includes brief communications made by DOD employees while they are traveling on Government business to notify family members of transportation or schedule changes. They also include personal communications from the DOD employee's usual workplace that are most reasonably made while at the work place (such as checking in with spouse or minor children; scheduling doctor and auto or home repair appointments; brief Internet searches; e-mailing directions to visiting relatives). Such communications may be permitted, provided they-- (1) Do not adversely affect the performance of official duties by the employee or the employee's organization. (2) Are of reasonable duration and frequency, and, whenever possible, are made during the employee's personal time, such as during lunch, break, and other off-duty periods). (3) Are not used for activities related to the operation of a personal business enterprise.... Id. (76) U.S. DEP'T OF AIR FORCE, INSTR. 33-129, Communications and Information: WEB MANAGEMENT AND INTERNET USE (3 Feb. 2005, incorporating changes through 12 Sep. 2009). (77) See id. para. 2.1, which states: "Appropriate Use. Government-provided hardware and software are for official use and authorized purposes only. Appropriate officials may authorize personal uses consistent with the requirements of DDOD DDOD Digital Dissertations on Demand 5500.7-R, Joint Ethics Regulation (JER)...." (78) Id. paras. 2.2.1-2.2.14 list prohibited actions. Para. 2.2.9 prohibits attempts to "circumvent or defeat security or modifying security systems without prior authorization or permission (such as for legitimate system testing or security research)." (79) The basis for this construct is deeply rooted in American Constitutional jurisprudence. See, e.g. 10 U.S.C. [section][section] 111, 113 (2006); Martin v. Mott, 25 U.S. (12 Wheat.) 19 (1827) (authority over all military forces under the President's constitutional status as commander in chief); Little v. Bareme, 6 U.S. (2 Cranch.) 170 (1804) (presidential authority over all service members not unlimited but very broad). (80) SECDEF may issue a general order which binds all service members (and by implication all civilian federal employees of the Department), notwithstanding that directives, regulations, and instructions are almost always conveyed in a specific format. See, e.g., United States v. Brown, 25 C.M.R. 20 (C.M.A. 1957); United States v. Snyder, 4 C.M.R. 15 (C.M.A. 1952). (81) 1986 DOD Reorganization Act, Pub. L. No. 99-433, 100 Stat. 1013 (codified cod·i·fy tr.v. cod·i·fied, cod·i·fy·ing, cod·i·fies 1. To reduce to a code: codify laws. 2. To arrange or systematize. as amended in scattered sections of 10 U.S.C.). (82) See United States v. Voorhees, 16 C.M.R. 83, 96 (C.M.A. 1954) ("A general order or regulation is lawful if not contrary to or forbidden by the Constitution ... an Act of Congress or the lawful order of a superior authority"). (83) See MCM, supra note 43, pt. IV, [paragraph][paragraph] 14 & 16. (84) Id., pt. IV, [paragraph] 16(c)(l)(a); expressly gives to the SECDEF the authority to issue a punitive general order. A general order from the SECDEF may only be superseded by an order from the President or by a rescission from the SECDEF. No service or commanding general orders may contradict or modify the order. Unlike a directive or policy memo, an order is clearly applicable to all service members without distinction of position or rank (unless the order permits distinctions or exceptions based on legitimate service requirements). (85) United States v. Deisher, 61 M.J. 313, 317 (C.A.A.F. 2005); United States v. New, 55 M.J. 95, 100 (C.A.A.F. 2001); United States v. Hughey, 46 M.J. 152, 154 (C.A.A.F. 1997); MCM, supra note 43, pt. 14, [paragraph] c(2)(a). (86) United States v. New, 55 M.J. 95, 107 (C.A.A.F. 2001), quoting from Article 92: The order must relate to military duty, which includes all activities reasonably necessary to accomplish a military mission, or safeguard or promote the morale, discipline, and usefulness of members of a command and directly connected with the maintenance of good order in the service. The order may not, without such a valid military purpose, interfere with private rights or personal affairs. However, the dictates of a person's conscience, religion, or personal philosophy cannot justify or excuse the disobedience of an otherwise lawful order. (87) The MCM reflects the fact that a myriad of regulations, instructions, and manuals govern virtually every aspect of military life, and that most of these issuances are not intended to establish the criminal offense of violating a lawful general regulation. See United States v. Nardell, 45 C.M.R. 101 (C.M.A. 1972); United States v. Hogsett, 25 C.M.R. 185 (C.M.R. 1958). (88) See, e.g., United States v. Tolkach, 14 M.J. 239 (C.M.A. 1982). (89) See United States v. Pope, 63 M.J. 68, 73-75 (C.A.A.F. 2007); see also Cole v. Arkansas, 333 U.S. 196, 201 (1948). (90) U.S. CONST CONST Construction CONST Constant CONST Construct(ed) CONST Constitution CONST Under Construction CONST Commission for Constitutional Affairs and European Governance (COR) . amend. V; see also Skinner v. Oklahoma Skinner v. State of Oklahoma, Ex. Rel. Williamson, 316 U.S. 535 (1942)[1], was the United States Supreme Court ruling which held that compulsory sterilization could not be sentenced as a punishment for a crime. , 316 U.S. 535 (1942). In Skinner, the Court held that "when the law lays an unequal hand on those who have committed intrinsically the same quality of offense ... it has made as invidious in·vid·i·ous adj. 1. Tending to rouse ill will, animosity, or resentment: invidious accusations. 2. a discrimination as if it had selected a particular race or nationality for oppressive treatment." Skinner at 541 (citing Yick Wo v. Hopkins An 1896 U.S. Supreme Court decision, Yick Wo v. Hopkins, 118 U.S. 356, 6 S. Ct. 1064, 30 L. Ed. 220 (1886), held that the unequal application of a law violates the equal protection clause of the Fourteenth Amendment to the U.S. , 118 U.S. 356 (1886)); see also Gaines v. Canada, 305 U.S. 337 (1938). (91) For a good discussion of equal protection in military law see United States v. Courtney, 1 M.J. 438, 441 (C.M.A. 1976), and, most recently, United States v. Paulk, 66 M.J. 641 (A.F. Ct. Crim. App. 2008). In Paulk, the Air Force Court determined it was not a violation of equal protection if Air Force judges were non-tenured for a fixed term of service, while Department of the Army military judges and Coast Guard military judges served for fixed-tenure terms. The Navy-Marine Corps Court of Criminal Appeals determined similarly to the Air Force Court in United States v. Gaines, 61 M.J. 689 (N-M. Ct. Crim. App. 2005). (92) United States v. Batchelder, 442 U.S. 114 (1979); 3 R. ROTUNDA rotunda In Classical and Neoclassical architecture, a building or room that is circular in plan and covered with a dome. The Pantheon is a Classical Roman rotunda. The Villa Rotonda at Vicenza, designed by Andrea Palladio, is an Italian Renaissance example. AND J. NOWAK, TREATISE ON CONSTITUTIONAL LAW: SUBSTANCE AND PROCEDURE [section] 18.38, at 488, 18.41 at 495 (3d ed. 1999). (93) United States v. Means, 10 M.J. 162 (C.M.A. 1981). (94) Id, at 165. In Means, the Court determined that the commissioned officer status of an accused is a permissible factor in determining to refer a trial for courts-martial. The court held: Even if appellant's officer status had been a principal factor--indeed, the decisive factor--in the convening authority's decision to refer the case to a general court-martial, appellant would still have no valid constitutional grievance. For the Government to make distinctions does not violate equal protection guarantees unless constitutionally suspect classifications like race, religion, or national origin are utilized or unless there is an encroachment on fundamental constitutional rights like freedom of speech or of peaceful assembly. The only requirement is that reasonable grounds exist for the classification used. Id. (95) 10 U.S.C. [section] 121 (2006). "The President may prescribe regulations to carry out his functions, powers, and duties under this title." Id. (96) For a comprehensive overview on the drafting and promulgation of regulations, as well as amending current regulations, see generally U.S. DEP'T OF DEF. INSTR. 5025.1, DOD DETECTIVES PROGRAM (Oct. 28, 2007) [hereinafter DODI 5025.1]. (97) "Coordination with Unions Granted National Consultation Rights. DOD issuances containing substantive changes in conditions of employment, including personnel policies and practices and other bargaining unit matters that affect DOD civil service and non-appropriated fund employees, shall be forwarded to the appropriate unions for comment...." Id. at Encl. 3, para. 7.h. (98) DODD 8320.02, supra note 1, para. 5.1.1.3, directs ASD/NII CIO to: Develop the policies and procedures to protect Net-Centric data while enabling data sharing across security domains and with multinational partners, other Federal Agencies, and State and local governments in accordance with law, policy, and security classification, in coordination with the Under Secretary of Defense For Intelligence and the Under Secretary of Defense For Policy. (99) JOINT CHIEFS OF STAFF, JOINT PUB. 6-0, JOINT COMMUNICATIONS SYSTEM 11-20 (20 Mar 2006) [hereinafter JP 6-0]. The joint doctrine states, "USSTRATCOM has overall responsibility for GIG operations and defense in coordination with CJCS and combatant commands. CDRUSSTRATCOM is responsible for coordinating and directing DOD-wide CND. USSTRATCOM through its JTF-GNO component executes the DOD mission." Id. (100) See, e.g., id. at II-21-23; Cartwright, supra note 3, at 73. (101) JP 6-0, supra note 99, at II-21. (102) Memorandum from Secretary of Defense to Secretaries of the Military Departments et al., subject: Assignment and Delegation of Authority The action by which a commander assigns part of his or her authority commensurate with the assigned task to a subordinate commander. While ultimate responsibility cannot be relinquished, delegation of authority carries with it the imposition of a measure of responsibility. to Director, Defense Information Systems Agency (DISA) (18 Jun. 2008) (on file with USSTRATCOM). Upon receipt, the military departments will organize to execute global network operations and network defense under the Service Headquarters assigned to USSTRATCOM. Defense agencies will align their global network operations and network defense capabilities to provide USSTRATCOM visibility and insight into network status. Military departments and agencies will respond to USSTRATCOM's orders and direction, allowing USSTRATCOM to defend the Global Information Grid. Id. (103) Eliserio v. United Steelworkers of Am., Local 310, 398 F.3d 1071 (8th Cir. 2005). (104) Id., at 1079. While the court found that five separate complaints of Internet misuse were made against the appellant, it also found that the appellant was the only employee disciplined by Firestone, the employer, in an eight-year period. Moreover, the appellant was not notified of any infractions for the first four complaints. Id. (105) Thompson v. State Civil Serv. Comm'n, 863 A.2d 180 (2004). Thompson also raised claims that his firing resulted from disparate treatment based on his union activities. See Thompson v. County of Beaver, 2006 U.S. Dist. LEXIS 807 (W.D. Pa. 2006). (106) Thompson, 863 A.2d. at 183. (107) McCann v. Dep't of Envtl. Protection, 952 A.2d 43 (Conn. 2008). (108) Id. (109) Id. The policy stated: All computer resources, including devices, programs, and data, electronic or hard copy, owned or leased by the State of Connecticut, and facilities of the State of Connecticut, which include but are not limited to the department, shall only be used for legitimate and authorized business. Id. (110) Id. (111) McCann v. Connecticut, 2007 Conn. Super. LEXIS 1528 (Conn. Super. Ct. 2007). (112) Id. at 8. (113) McCann, 952 A.2d at 46. (114) Id. (115) See, e.g., Julian E. Barnes, Cyber-attack on Defense Department Computers Raises Concerns, L.A. TIMES, Nov. 28, 2008, available at http://articles.latimes.com (analysis of Russian based cyber actions against DOD computers and the DOD's response); see also U.S. Faces Cyber Threat from China, SAN FRAN FRAN Functional Reactive Animation . CHRON CHRON Chronicles CHRON Chronology ., Nov. 28, 2008, at B-10, available at http://www.sfgate.com (articulating that the Chinese government may have over 250 "hacker teams" in its employ, targeting the DOD and defense contractors). (116) See, Colonel Steven Korns & Major Joshua Kastenberg, Georgia's Cyber Left Hook, PARAMETERS, 2008, at 60; see also John Markoff, Before the Gunfire, Cyber Attacks, N.Y. TIMES, Aug. 12, 2008, available at http://www.nytimes.com. Lieutenant Colonel Joshua E. Kastenberg (B.A., University of California, Los Angeles UCLA comprises the College of Letters and Science (the primary undergraduate college), seven professional schools, and five professional Health Science schools. Since 2001, UCLA has enrolled over 33,000 total students, and that number is steadily rising. (1990); J.D., Marquette University (1996); LL.M LL.M Legum Magister (Master of Laws) ., Georgetown University (2003)) is the Staff Judge Advocate A legal adviser on the staff of a military command. A designated officer of the Judge Advocate General's Corps (JAGC) of the U.S. Army, Navy, Air Force, or Marine Corps. , 332d Air Expeditionary Wing A wing or wing slice placed under the administrative control of an air and space expeditionary task force or air and space task force by Department of the Air Force orders for a joint operation. Also called AEW. See also air and space expeditionary task force. , Balad Air Base, Iraq. Prior to his current assignment, he served as the Staff Judge Advocate, Joint Task Force-Global Network Operations Joint Task Force-Global Network Operations (JTF-GNO) is a subordinate command of the United States Strategic Command. Mission statement The Joint Task Force-Global Network Operations directs the operation and defense of the Global Information Grid (GIG) across , a standing joint task force under the command of United States Strategic Command. Under the Unified Command Plan, it is the sole cyber-defense operational command for the Department of Defense. He is a member of the Wisconsin Bar. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion