DOD unveils new employee phone monitoring policy
The new rules, which update a 1981 policy, also spell out for the first time the ground rules for network attacks by DOD officials to test how secure the military’s defenses are.
Defense Department officials have released new guidelines that govern the monitoring of employees phone calls and the mock penetration of military network defenses to identify potential security risks to DOD information.DOD Chief Information Officer John Grimes on Oct. 9 signed Instruction 8560.01, titled Communications Security Monitoring and Information Assurance Readiness Testing. The document replaces language from 1981 that regulated the circumstances under which DOD officials could listen in on employees telephone conversations for security reasons.Donald Jones, a senior policy analyst in Grimes office who helped craft the document, said the new instruction changes little in the way of telephone monitoring policies. However, the document does spell out for the first time ground rules for network attacks by DOD officials to test how secure the militarys defenses are, he said.Air Force officials have spoken recently of new plans to protect that services portion of DODs networks. The effort includes introducing what Air Force officials have dubbed cyber sidearms computer applications to help airmen alert others to potential security breaches and staged network intrusions by managers to test the usage of the software.Jones said these efforts, called "information assurance readiness testing" in DOD jargon, will have to comply with the new policy.Although the instruction puts the CIO in charge of overseeing the implementation of the new policy, DOD intelligence functions and the National Security Agency also play crucial roles. According to the document, the NSA director reports to the undersecretary of Defense for intelligence in executing communications monitoring missions across DOD.The new policy and the one from 1981 states that information gathered through monitoring DOD phone calls and probing network defenses generally cannot be used for criminal investigations. However, the new instruction redefines an exception to that rule: Intercepted information directly relating to a significant crime should be referred to senior officials for further action. The previous policy stated that senior commanders and law enforcement agencies could only get involved when information inadvertently unearthed during a monitoring operation could help prevent serious bodily harm or significant loss of property.