Comm tool makes protecting personal info simple

  • Published
  • By Lt. Col. James Trachier
  • 60th Communications Squadron commander
TRAVIS AIR FORCE BASE, Calif. --  Travis Air Force Base is "America's First Choice", but in some categories it's best to be last.

Unfortunately, the 60th Air Mobility Wing led Air Mobility Command in the number of personally identifiable information breaches in 2013, and was second in the number of personnel whose information was placed at risk. The 349th AMW also struggled with PII breaches last year, finishing near the top of Air Force Reserve Command in numbers reported.

Although some breaches were a result of physical loss, such as a lost binder or stolen laptop, the majority occurred when Travis Golden Bears sent PII in unencrypted emails -- often to recipients outside the Air Force Information Network. A new software tool developed by 1st Lt. Chris Gheen, 60th Communications Squadron operations flight deputy commander, is helping to reverse this trend.

Alpha and recall rosters contain useful information, but Air Force Instruction 33-332, "The Air Force Privacy and Civil Liberties Program," stipulates this information be encrypted when transmitted electronically. While emailing such documents to a personal email address has been a common practice in the past, such actions constitute Privacy Act violations and create PII breaches.

Last year, 24th Air Force, the Air Force component of United States Cyber Command, stood up the Fidelis email scanning system as part of the Cyberspace Defense Analysis weapon system. Fidelis flags emails containing PII breaches for 24th AF cyber operators, who then disable the violator's account.

Fidelis is a powerful tool in the fight to reduce PII breaches, but it is largely reactive in nature. The Grizzlies of the 60th CS wanted to be more proactive, and they looked to an existing tool -- the Digital Signature Enforcement Tool -- as a model.

DSET automatically ensures users apply digital signatures to any outgoing email containing hyperlinks or attachments in accordance with Air Force Manual 33-152, "User Responsibilities and Guidance for Information Systems."

Gheen rose to the challenge and quickly developed a software prototype that warned users of potential PII breaches before the email could be sent. The new tool, called the PII Enforcement Protocol, or PIIEP -- pronounced "pipe" -- works in conjunction with Microsoft Outlook. It scans outbound email messages for PII, and halts the send when it detects potential PII.

"The goal was to reduce PII breaches here at Travis, but we wanted the interface to be familiar to the user community," said Gheen, who recently assumed duties as the 60th Mission Support Group executive officer. "Using the DSET pop-up as a baseline gives PIIEP the same 'look-and-feel,' so network users aren't intimidated or confused the first time they see a PIIEP warning message, PIIEP reminds users of their responsibility to protect PII, and gives them a final opportunity to confirm they are in compliance with Air Force and Department of Defense requirements."

Maj. Adrian Cercenia, 60th CS director of operations, assisted Gheen in developing PIIEP into a releasable version.

"Before Fidelis, PII breaches were mainly self-reported," said Cercenia, whose operations flight includes the Travis AFB Privacy Act Manager responsible for tracking PII breaches. "Once the 24th Air Force brought Fidelis online, we started seeing network accounts getting locked out by 24th AF cyber operators. We don't have permissions to unlock the accounts, and the offender had to staff an account reinstatement request through his or her group commander to 24th AF."

According to Cercenia, fielding PIIEP at the base level helps prevent PII breaches before they happen.

"Not only does PIIEP help better protect PII, it also reduces the number of account lockouts and the effort associated with unlocking them," Cercenia said.

The 60th CS Network Control Center began pushing PIIEP to Travis computers last week, and the 60th CS Communications Focal Point sent a notice to Airmen and all base users, advertising the tool's functionality. Although protecting PII remains an individual responsibility, PIIEP reminds users of that responsibility in advance of each potential email-based breach, making PIIEP an important new addition to the digital arsenal.