Navy, Marine Corps Forced to Send Sensitive Info by Mail After Army’s Popular Sharing System Shuttered

December 3, 2018 3:54 PM - Updated: December 4, 2018 9:51 AM
Rui Juan Cai Wu, a medical records technician at Naval Hospital Jacksonville, pulls a patient’s paper record for scanning. US Navy photo

The abrupt shuttering of an Army-run secure document-sharing service is slowing to a snail’s pace the work done by the Navy’s lawyers, doctors, personnel administrators, law enforcement and even the U.S. Naval Academy Band.

The Army turned off its Aviation and Missile Research Development and Engineering Center (AMRDEC) Safe Access File Exchange system, called SAFE by users, a month ago because of the potential security risk, Kerensa Crum, an AMRDEC spokesperson, told USNI News. The shutdown was a preventative measure, Crum said, and the Army is not aware of any data breach because of the risk.

However, without the SAFE system, users from all military branches were sent scrambling to figure out ways to securely share large documents containing sensitive but not classified information with colleagues, other government agencies, contractors and retirees, Capt. Vince Augelli, OPNAV N2/N6G Cyber Security Branch Chief, told USNI News last week. Registered mail and courier services have suddenly come into vogue.

“There’s no sugar-coating the fact that this has a huge impact and it’s slow; it’s slower and doesn’t have the capacity of the electronic solution used in that SAFE file exchange,” Augelli said. “I know the users are frustrated with that and I’m extraordinarily frustrated with that because I can’t give them a better answer.”

There was never a requirement created to build a secure means of transferring large amounts of sensitive but unclassified data, Augelli said. Department of Defense use of the SAFE system evolved as word spread of its existence. Now with SAFE shuttered, Augelli said there are no alternatives. Commercial solutions, such as Dropbox or Google Docs, might be part of a future solution, but as of now, Augelli said DoD has not reviewed or certified any commercial secure file transfer system. A DoD cloud computing system could work, but the development of such a system is still far off, and Augelli said the need to share data exists now.

“For the near term, smaller files containing PII, PHI, and FOUO material can be encrypted and sent via email. For larger files, burning the data to disk and using registered mail is the only solution that meets PII/PHI criteria,” Vice Adm. Matthew Kohler, the deputy chief of naval operations for information warfare, said in an administrative message released to the Navy.

A similar message was distributed to the Marine Corps by Brig. Gen. L. M. Mahlock, the chief information officer of the Marine Corps. Mahlock’s statement said her office is developing long-term solutions, suggesting SAFE might not come back online.

“The AMRDEC Public Affairs Office states that it has yet to determine whether the site will be reinstated. This leaves the Marine Corps without a method of securely transferring files (with a file size in excess of the Microsoft Outlook limitations) on the Non-Classified Internet Protocol Router (NIPR) Network,” Mahlock’s statement said.

Encrypted email works for small files, but only if both the sender and receiver have a Common Access Card, Augelli said. For large documents sent to recipients outside the government, such as retirees, contractors and state law enforcement agencies, Augelli said the only solution is to burn data onto a disc and use a courier, registered mail or delivery service to deliver the data to its intended recipient.

“That’s a stop-gap measure. That is not a way to get business done on a daily basis, which is why we really need to have that DoD enterprise solution there, so that everyone is not just relying on a single service’s tool,” Augelli said.

DoD use of SAFE was so widespread because the system worked, Augelli said. SAFE allowed a user with a Common Access Card (CAC) to upload a document, designate a recipient and ensure it got there encrypted regardless of whether the recipient had a CAC or other means to download the information. Plus, SAFE only held data for a finite amount of time. After recipients downloaded documents, Augelli said they disappeared from the system. In theory, if hackers accessed SAFE, there would be no data to steal.

“Almost every shore echelon II command somewhere was using this tool to some degree, and that did take us by surprise in terms of how widespread the use of this was,” Augelli said.

Navy SAFE system users included lawyers sharing large legal documents, physicians sharing medical files, Navy Personnel Command sending documents to retirees, and NCIS agents who had data to share with the FBI, Department of Justice and state law enforcement agencies, Augelli said. Even the U.S. Naval Academy Band used the system to submit their visitor request forms for when they performed at the White House about once a quarter.

However, SAFE was never intended to be used by all military branches as the primary means of transferring large documents, Crum said. Initially, the Army created SAFE to transfer sensitive but unclassified data among AMRDEC staff, commands, and contractors.

Long-term, Augelli said DoD needs to develop a large file transfer system for use by the entire defense enterprise. This would include active duty personnel, civilian employees, retirees, other federal and state agencies.

Until a system exists, Augelli said, “the old-fashioned courier is, unfortunately, part of this workaround, and it’s very laborious and costly.”

Ben Werner

Ben Werner is a staff writer for USNI News. He has worked as a freelance writer in Busan, South Korea, and as a staff writer covering education and publicly traded companies for The Virginian-Pilot in Norfolk, Va., The State newspaper in Columbia, S.C., Savannah Morning News in Savannah, Ga., and Baltimore Business Journal. He earned a bachelor’s degree from the University of Maryland and a master’s degree from New York University.