Military Overuses PII Raises ID Theft Risk
Report: Uninformed, Cavalier Culture Limits Efforts to Curb PII Use
That's the thrust of a paper written by four senior Army officers and West Point faculty members, entitled The Military's Cultural Disregard for Personal Information, which appears on the website of Small Wars Journal.
"In an era when an individual's Social Security number and date of birth have become the keys to identity theft, the ubiquitous use of the Social Security number by the military services is reckless," the paper says. "The problem is compounded by an uninformed, sometimes cavalier, culture and attitude surrounding the protection of PII that is common in the military."
In an interview, one of the paper's authors addresses the ubiquity of Social Security numbers in military life. "We use the Social Security number in every aspect, both mundane and sensitive," Lt. Col. Gregory Conti says. "We use the Social Security number as an identifier and as a password. Children 10 years old and up have a military ID card with their sponsor's Social Security number on it. It's in every facet of our lives. It's in our recycling bins. We shout it out in formation; we thumbtack it to bulletin boards. It's everywhere, so we're courting disaster in how we use it."
Most senior military leaders understand the harm of exposing PII and have taken steps to limit its use, but a significant disconnect exists between high-level policy and a culture that promotes use of personally identifiable information, the paper says. "As a result," the authors write, "the military services lag a decade or more behind best practices found in other sectors of government, industry, and academia in the proper use and handling of PII.
"While positive progress has been made by the services, such progress is slow, ad-hoc, frequently ignored, and overshadowed by the common usage of the Social Security number as a way of tracking and identifying individuals. The systemic leakage of personal information in day to day operations, and a pervasive attitude of disregard for personal privacy is unsettling. Such issues are not tolerated outside the military - the time for substantive change within the military has arrived."
This problem is magnified for military personnel deployed to Afghanistan and Iraq when much damage could occur without their knowledge, placing additional stress on already strained families back home, the paper says. And, the authors write, identity theft that uses PII occurs after death, creating immense problems for surviving family members.
The paper lists a dozen examples of the military's misuse of PII (see Dozen Misuses of PII in the Military). It also enumerates six common misconceptions - myths, in the words of the authors - about how the military protects and employs personal information:
- Military data does not spill,
- Birth date and SSN cannot be guessed,
- Last 4 numbers of SSN are safe to use as a secret or public identifier,
- The Privacy Act will protect privacy,
- Individual efforts to fix systemic problems will likely succeed, and
- People will follow confusing and unenforced policy and procedures.
Some progress on limiting overuse of PII has been made: Service members and their families no longer must write their Social Security numbers on checks, and promotion lists no longer contain SSNs. The military also routinely wipes all data from hard drives before disposal. But the underlying problem remains, and the authors offer these recommendations:
- Broadly Employ a Service Number System, Protect the SSN: "The biggest step, and we believe the most important, is for the Department of Defense to discontinue the use of the Social Security number, whether as a 'secret' password or unique identifier, and institute a service number system."
- Better Understand the Problem: "These insights will yield an understanding of what is being done well and what is being done poorly and will help focus subsequent efforts."
- Change Culture and Raise Awareness: Empower officials to "find and recommend fixes to local policies and procedures that could lead to the abuse of PII, much like unit intelligence officers are empowered to enforce rules that keep classified data secure."
- Make Privacy Easy: "Let's face it, people are busy. Even if people are aware of the importance of privacy we still need to make the process easy."
- Appoint Dedicated Defense Department and Service Component Chief Privacy Officers: "Without empowered, resourced and visible senior leadership, progress in protecting PII will occur slowly."
- Adopt Best Practices from Government Agencies and the Private Sector: "Outside the military, the need to protect PII is not a recent discovery. Both the private sector and government agencies have developed best practices that the military can adopt."
The authors point out that America defeated the world's fourth largest army in the Gulf War. "For our enemy to be successful now they must find new ways to attack us, and we are giving them an easy attack vector with the current culture of promiscuous PII use and leakage," they write.
Besides Gregory Conti, a military intelligence officer and director of West Point's Cybersecurity Research Center, the paper was written by Maj. Dominic Larkin, a field artillery officer and West Point instructor of electrical engineering and computer science; Lt. Col. David Raymond, an armor officer and assistant professor of electrical engineering and computer science; and Col. Edward Sobiesk, an armor officer and director of West Point's Information Technology Program. The paper reflects the views of the authors and not necessarily those of the military or the United States Military Academy.