Army to hold commanders and sysops liable for hacks

The Army is preparing new computer security regulations that would make base commanders and system operators liable under the military's criminal code for the security of their information systems.

Col. Mike Brown, the Army deputy director of information security, said the new policy will be based on existing provisions of the Uniform Code of Military Justice and will outline the responsibilities that various Army personnel have for safeguarding their systems. In addition, the policy will describe punishments for people who are found to have failed in their duties.

"There was nothing in the current [computer security] regulation that holds either the commander or the security guys responsible," Brown said. "We're going to try to enforce those security policies to make people accountable and to hold them accountable for what they are supposed to be doing."

Brown said the policy will describe who is responsible for different aspects of computer security and what they are supposed to do. For example, systems operators may be required to do "vulnerability assessments," but security of communications systems would be under the purview of intelligence officers.

He said, however, that officials had not settled on details, such as what sanctions would be in store for those who did not abide by the policy, and he said it will take six to eight months to complete the regulations.

Lawyers familiar with military law said the policy would probably be compatible with existing rules governing the physical security of Army property. Eric Marcotte, a partner with Winston & Strawn, Washington, D.C., who practices military law in the Air Force National Guard, said officials could prosecute personnel for breaches in computer security under current "dereliction of duty" laws.

"I think it's more of a message that the military is going to place emphasis on enforcement of this aspect of their duties," Marcotte said, adding that convictions in military courts require proof that a person's actions were "derelict." Civilian employees are not covered by the military code.

Nevertheless, some security experts questioned whether criminal sanctions are appropriate because information systems are so difficult to safeguard. "Today's computer systems can be very, very complicated," said Allen Church, an agency expert in secure Internet technology with the General Services Administration. Spelling out specific responsibilities for keeping systems secure would be "an endless task," he said.

"I could see where this would very likely encourage computer system people not to make any changes to their systems and keep the oldest technology," Church said. "Don't get on the Internet, don't get on any network, just keep your system hard-wired. There would be very little incentive to try something new."