14 December 2018

CDs, faxes make comeback as military file-sharing service taken offline

By CHAD GARLAND

The shuttering of a widely used military file-sharing service last month has left the services without an online option for transferring sensitive unclassified files, so they’re turning to CDs, DVDs, postal mail and even fax machines.

Both the Navy and Marine Corps issued official guidance late last month saying optical discs are the only way to securely send large files that contain private information like Social Security numbers or medical data, after the military disabled the Army’s Aviation and Missile Research, Development and Engineering Center Safe Access File Exchange, or AMRDEC SAFE.

Neither the Air Force nor the Army have issued similar guidance, but officials with those services said they also lack an online alternative.


There’s no indication when AMRDEC SAFE will be up and running after the military disabled the service early last month — a preventive measure after unnamed “government-internal agencies” discovered potential security risks, Kerensa Crum, a spokeswoman for the missile research center, said via email.

“We are unaware of any breach,” Crum said. “There is no established timeline for the restoration or sunset of SAFE.”

The research center based at the Redstone Arsenal in Alabama developed the file-sharing system to allow it to exchange large data files with its civilian industry partners, Crum said. It was not intended for widespread use by the Army or other branches.

Despite the creators’ intentions, the site was widely adopted within the military and the government.

Via the site, anyone could send messages containing up to 25 documents or 2 gigabytes to military, government or civilian email addresses. That’s significantly more than encrypted email, which is also approved for sending personal and medical information but is limited to 10 megabytes and can’t be sent to all email recipients.

Kelly DeWitt, now the deputy chief of staff at the missile research center, said last year that the center didn’t track usage data but knew several agencies were using it because of its security and file capacity.

Those comments came after news that the White House’s election integrity commission had proposed that state election officials use AMRDEC SAFE to submit the voluminous voter data the commission was seeking for a nationwide database.

Privacy rights groups and some lawmakers pushed back on the proposal, questioning the site’s security for transferring data that would include names, addresses, birthdates, partial Social Security numbers, felony conviction data and military status. It’s not clear whether their concerns prompted a security review that led to the closure of the site.

Within the Navy, some medical clinics relied on the site for sending electronic medical records. A program for selecting enlisted sailors to join the Judge Advocate General Corps required that application packets be submitted via the site this year.

The Marine Corps recently required nomination packets for its aviation awards to be submitted via AMRDEC SAFE and used the site to securely distribute copies of the commandant’s birthday message in October, prior to its public release.

Both services issued guidance on the use of other military operated file-sharing sites approved for distributing sensitive or protected unclassified materials that do not contain personally identifiable or private health information, such as the Army Research Laboratory’s SAFE site (https://safe.arl.army.mil/), which allows 2-gigabyte files.

The Corps’ information technology department is “exploring long-term solutions to the capability gap, including the potential expansion of [the Defense Information Systems Agency’s] Secure File Gateway System to meet the DOD need,” the service said in its guidance.

The Navy also said it would provide guidance on a potential DISA solution.

The Air Force has not issued specific guidance, a spokeswoman at the Pentagon said, but personnel are finding workarounds. In February, the service began blocking unencrypted emails containing personally identifiable information, requiring the use of AMRDEC SAFE if the sender or receiver did not have access to encrypted email.

Army officials in Washington did not immediately respond to questions about guidance or alternatives to the service, but a spokeswoman for the Army’s Landstuhl Regional Medical Center in Germany said staff there have been burning files like medical records to disc or sending them via fax if they’re too large or otherwise can’t be sent via encrypted email.

“There is no other online alternative that is secure enough for Personally Identifiable Information (PII) or Protected health information (PHI),” hospital spokeswoman Stacy Sanning said in an email.

Sanning said the discs must be sent via registered mail. The Navy and Marine Corps guidance also required the use of registered mail, but Marines may also use couriers of FedEx.

The change will have limited effect on operations for Navy medical personnel, the privacy office for the service’s medical bureau said via email Friday.

“Most PII/PHI can still be sent via encrypted email,” the email said.

Some troops and others on social media have lamented the closure in recent weeks, saying it was one of few government sites that were actually useful. One claimed to have found a creative workaround.

“I’m fine with AMRDEC SAFE being down,” quipped a Twitter user named Eric Jonathan Martin. “While you’ve been using the cloud to share files, I’ve been training carrier pigeons to send data through the original cloud: the sky!”

No comments: