The U.S. Defense Information Systems Agency (DISA) confirms the “potential compromise” of individuals’ private data on its network. Another week, another PII breach.
DISA is, of course, the Defense Department agency charged with securing President Trump’s IT and communications, plus those of senior military figures. So that’s worrying.
Chief Information Officer Roger S. Greenwell Sr. (pictured) earlier this month told roughly 200,000 individuals who may have been affected about the leakage. But his notification was curiously content-free and DISA spokesdroids are similarly silent on specifics.
It turns out there are big changes afoot within DISA—possibly to fix architectural security holes. In today’s SB Blogwatch, we triangulate to speculate.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Sinnerwoman.
DISA CIO’s FYI Snail Mail
What’s the craic? With help from Raphael Satter and Idrees Ali, Christopher Bing searches for an angle, and comes up trumps—“agency that handles Trump’s secure communication suffered data breach”:
[DISA] said Social Security numbers and other personal data in its network may have been compromised … between May and July 2019 … according to letters … sent to people possibly affected. … The agency provides direct telecommunications and IT support for the president, Vice President … their staff, the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members of the armed forces.
Pentagon spokesman Chuck Prichard said individuals possibly affected were being offered “information about actions that can be taken.” [He] did not say how many people could have been affected … saying only that DISA had investigated … “and taken appropriate measures to secure the network.”
The White House did not respond to a request for comment.
Zounds! Zack Whittaker adds—“US defense agency says personal data ‘compromised’ in 2019”:
It’s believed Social Security numbers and other sensitive information may have been taken. … It’s not known if the data was stored on a classified system.
[DISA] “has begun issuing letters to people whose personally identifiable information may have been compromised in a data breach on a system hosted by the agency,” said … DISA spokesperson Charles Prichard. … “While there is no evidence to suggest that any of the potentially compromised PII was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised.”
Does anyone see the irony here? Davey Winder does—“U.S. Defense Agency … Confirms Data Breach”:
I am used to reporting U.S. government warnings about critical cybersecurity risks. Less so about government agencies which have themselves been the victim of a cybersecurity incident, let alone agencies with responsibility for cybersecurity itself.
As well as overseeing Trump’s secure calls technology, DISA also establishes and supports communications networks in combat zones and takes care of military cyber-security issues. … That an agency with a vision to “connect and protect the war-fighter in cyberspace” should suffer such an incident is concerning, to say the least.
While many of the details surrounding this breach are likely to remain, understandably, confidential, given the nature of the DISA work, the letter itself has already been published on Twitter by one recipient. Signed by Roger S. Greenwell, the chief information officer at DISA, the letter [confirms] DISA will be offering free credit monitoring services to those who want it.
[This] data breach of its network … exposed data affecting as many as 200,000 users.
How did we get to hear about it? Andy Piazza—@klrgrz—was Patient Zero:
Awesome. Got another #PII #breach letter from DoD. Is this like pokemon where I want to catch them all?
But how did this happen? Humbabella thinks she knows:
“Data breach” usually means … an agency executive left their laptop in a hotel room.
Alternatively, @th34lpha blames a different vector:
Well heck. With all the darn IT offshoring being done by government contract companies, it’s a wonder we have any security at all. Who the heck allows this ****?
What’s wrong at the agency? DISA cloud portfolio chief John Hale hinted at yesterday’s Cloud Security Workshop (via Melissa Harris):
We’re seeing now the problems with [our] model. Once you’re inside, you’re inside.
Then lateral movement is the big fear that everybody has. … Once you get past your defense and you’re inside, that lateral movement from one system to the other, elevation of privilege down the chain, is the scary part.
The data in the cloud is what’s valuable, and access to that data is not guaranteed at any time, so in order to gain access to the data, there’s a myriad of pieces of information that have to come together for you to grant gained access to that material and that data into processing. That could be anything from who you are, where you are, what kind of device you’re on, what network you’re on. A myriad of factors ultimately drive to an authentication decision, so that you can gain access to that data and utilize it.
Where we see things going, is that integration between the mobile world and the cloud world [in] how the communications are going to happen between that, how zero trust is going to be directly influenced by the end-user device that they’re using to access the capabilities and how they’re able to process that information accordingly.
The missions are pushing toward zero-trust model, and we’re really hoping that commercial products catch up and leads up in that way, in that direction. Zero trust is one of those things where we’re looking at commercial partners to really help us get to that model and to help us across the board to make sure that we can continue to push the cloud capabilities to enable the warfighter to complete their mission.
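To make Hale's contrast concrete, here is an added illustration (not DISA's code, nor anything described in the post): a perimeter check that grants access on network position alone, beside a per-request decision that evaluates who you are, where you are, what device and what network before granting access to a data store. Every user, role, resource, policy value and request context is constructed for the example.

```python
"""A per-request access decision compared with a perimeter check.

Added illustration for this post; not DISA's code. Every policy value,
user, role, resource and request below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class RequestContext:
    """The signals the quote lists: who you are, where you are, what device,
    what network. All values are supplied by the caller (constructed here)."""
    user: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    network: str      # e.g. "corp", "vpn", "public"
    location: str     # e.g. "US", "DE"
    resource: str
    action: str       # "read" or "write"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


# Constructed policy table: per resource, which roles may act and which
# signals must be present. A real deployment would load this from a policy store.
POLICY: Dict[str, dict] = {
    "hr-pii-db": {
        "roles": {"read": {"hr-analyst"}, "write": {"hr-admin"}},
        "require_mfa": True,
        "require_managed_device": True,
        "require_patched_device": True,
        "allowed_networks": {"corp", "vpn"},
        "allowed_locations": {"US"},
    },
    "team-wiki": {
        "roles": {"read": {"hr-analyst", "developer"}, "write": {"developer"}},
        "require_mfa": False,
        "require_managed_device": False,
        "require_patched_device": False,
        "allowed_networks": {"corp", "vpn", "public"},
        "allowed_locations": {"US", "DE"},
    },
}

# Constructed identity-to-role mapping.
ROLES: Dict[str, Set[str]] = {
    "alice": {"hr-analyst"},
    "bob": {"developer"},
}


def perimeter_decision(ctx: RequestContext) -> Decision:
    """The 'once you're inside, you're inside' model: network position is the
    only signal, so a foothold on any internal host reaches every resource."""
    if ctx.network == "corp":
        return Decision(True, ["on internal network"])
    return Decision(False, ["outside the perimeter"])


def zero_trust_decision(ctx: RequestContext) -> Decision:
    """Evaluate every signal on every request and deny if any required
    signal is missing. Reasons are collected so a denial is auditable."""
    rule = POLICY.get(ctx.resource)
    if rule is None:
        return Decision(False, [f"unknown resource {ctx.resource!r}"])
    reasons: List[str] = []
    permitted_roles = rule["roles"].get(ctx.action, set())
    if not (ROLES.get(ctx.user, set()) & permitted_roles):
        reasons.append(f"{ctx.user} lacks a role permitted to {ctx.action} {ctx.resource}")
    if rule["require_mfa"] and not ctx.mfa_verified:
        reasons.append("MFA not verified for this session")
    if rule["require_managed_device"] and not ctx.device_managed:
        reasons.append("device is not enrolled in management")
    if rule["require_patched_device"] and not ctx.device_patched:
        reasons.append("device fails patch-level posture check")
    if ctx.network not in rule["allowed_networks"]:
        reasons.append(f"network {ctx.network!r} not permitted")
    if ctx.location not in rule["allowed_locations"]:
        reasons.append(f"location {ctx.location!r} not permitted")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["all required signals present"])


# Constructed scenario: a session on an unmanaged corp workstation, holding
# only a developer role, asks for the PII database (the lateral-movement case).
PIVOTED_REQUEST = RequestContext(
    user="bob", mfa_verified=False, device_managed=False, device_patched=False,
    network="corp", location="US", resource="hr-pii-db", action="read",
)
# Constructed scenario: an analyst with the right role on a compliant device over VPN.
LEGIT_REQUEST = RequestContext(
    user="alice", mfa_verified=True, device_managed=True, device_patched=True,
    network="vpn", location="US", resource="hr-pii-db", action="read",
)

if __name__ == "__main__":
    for name, ctx in (("pivoted", PIVOTED_REQUEST), ("legit", LEGIT_REQUEST)):
        p, z = perimeter_decision(ctx), zero_trust_decision(ctx)
        print(f"{name}: perimeter={p.allowed} zero-trust={z.allowed} {z.reasons}")
```

The point of the pairing is the first scenario: the perimeter check says yes because the request comes from the internal network, while the per-request check denies it for four independent reasons, each of which would be logged. The second scenario shows the reverse: a compliant request from outside the old perimeter is refused by the network-position check but passes when every signal is evaluated.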
Um, okay, yeah. Clear as mud. Jennifer Devon—@JenniferADevon—is a veteran of military intelligence:
And you know who’s in the DoD database? Everyone who ever worked in military intelligence.
What else is the agency doing? Jason Miller brings us the thoughts of DISA executive deputy director Tony Montemarano:
It’s not as controversial with no dramatic court case or battle between system integrators like with JEDI and DEOS, respectively. But the Fourth Estate consolidation and optimization effort may have more impact, be more significant and, most importantly, show the DoD path forward in its move to the cloud.
“We are taking the commodity IT of 13 other Fourth Estate organizations and bringing them together with DISA, not mission IT, but the desktops, the business applications, and trying to bring them together, the contracting and personnel,” [Montemarano] said. “Close to 1,000 new employees are coming to DISA effective the first of October.
“We have to come to grips with taking these independent, commodity environments and bringing them together. It’s a major undertaking when it comes to coming to grips with contracting, coming to grips with personnel, you can imagine the nightmare dealing with the whole thing, and everyone is cooperating.”
Montemarano received [an] uneasy laugh from the audience with the last comment.
Oh boy. Meanwhile, @t0ddpar0dy had to say it:
Can’t spell disappointment without DISA.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: DoD/DISA (public domain)