Security incidents, year in review

NELLIS AIR FORCE BASE, Nev. -- 2015 proved to be a year of catastrophic electronic security breaches in the United States, with electronic media being one of the biggest contributors to violations of security procedures.

Last year, we saw an Office of Personnel Management data breach of approximately 20 million government employees’ background investigation information. The Ashley Madison scandal, which threatened to release the inappropriate behavior of thousands, made headlines, and just recently the U.S. voter registry was hacked and 191 million people’s information was stolen.

These incidents and many others were the result of covert operations by skilled cybercriminals into protected systems. The unique missions at Nellis and Creech Air Force Bases certainly make us prime cybercrime targets, but when we make mistakes or fail to follow security protocols, we make a cybercriminal’s job even easier.

We had a combined total of 49 security incidents in 2015, a significant increase from the previous year’s total of 37.

Security incidents are incidents involving classified material and our failure to properly secure it. This includes leaving safes open, sending classified material via non-classified internet protocol (NIPR), leaving materials unsecured, and exposing classified materials to additional risks by failing to follow established procedures.

There are two types of security incidents: security infractions and security violations.

A security infraction is a security incident involving failure to comply with security requirements which cannot reasonably be expected to result in the loss or potential compromise of classified information.

A security violation is an incident that reasonably could be expected to result in the loss or potential compromise of classified information. Deliberate acts are also categorized as security violations.

While each situation is different, the resulting investigations have a common theme: failing to follow established procedures. More than half of last year’s security incidents would have been avoided if members had simply completed required end-of-day security checks.

Reporting potential incidents was also a concern in 2015. Several incidents were reported to the installation Information Protection Office later than the required deadline (24 hours/next duty day). Failure to report a security violation is in itself a security violation and may raise serious concerns with the member’s integrity, trustworthiness and reliability, and may jeopardize their security clearance.

Do not wait to report potential incidents for any reason. Contact your security manager or commander as soon as you become aware. If it turns out to be a false alarm, no harm has been done. All offices involved have Department of Defense-mandated reporting and investigation timelines.

Information security is everyone’s responsibility. Stay current on your security training. If you don’t know, ask your unit security manager. When dealing with classified information, stay focused on the job at hand. Security is a team sport, but it starts with you.