My last duty station in the Marine Corps was as a part of the Inspector-Instructor staff at the 25th Marine Regiment in Fort Devens, Massachusetts. I-I duty is a unique monster, one worthy of its own analysis, but one thing my time at the regiment afforded me as a lowly sergeant was the opportunity to work alongside a number of senior ranking officers and enlisted Marines in a more peer-like capacity than most Marines are afforded in the Fleet Marine Force.
When there are only 30 of you, you tend to get familiar with one another, and although rank never left the room when I interacted with field grade officers, it did tend to fade into the background as our shared challenges superseded the pomp and circumstance we tend to afford to the shinier collars that grace our halls. Marines make mission, and when that means sitting in a mini-van with a Lieutenant Colonel for six hours just to collect some toys for charity, you do it, and you may be forgiven for getting to know the guy behind the rank insignia a bit along the way.
It was that familiarity that often found me conversing with senior leaders in their offices, often with papers strewn about and a dozen metaphorical fires burning at once – as we worked to solve problems faced by the unit, whether it was getting a full honors funeral organized, planning a training revolution for our reservists, or trying to manage the administrative and logistical nightmare it is to stand up and deploy a reserve battalion.
The Marine Corps actually utilizes a fairly robust, if outdated, software suite called the Marine Corps Total Force System (MCTFS) to manage seemingly innumerable data points that can be pulled, analyzed or accessed through a number of different “portals.” 3270, which looks like MS-DOS and works in a similar fashion, is the most common one for desk-types, Marine Online is the common portal for everyone else, and other specialized programs like Cognos Impromptu offered different methods of pulling and viewing the same data pools. One source with multiple channels of access may sound complicated, but I’m told it’s actually a much more consolidated and efficient system than is employed by other branches (though I have no firsthand experience with other systems to verify).
Each of those portals, as well as logging on to the computer, accessing your e-mail, or breathing (it seemed) required a different alphanumeric password, to be reset every 60 days with no duplicates. Want to change info housed in MCTFS? That’s one password. Want to see that info you changed? Different password. Want to submit a travel request? That’s another one. Looking for a roster of everyone in the company? Different password. Hoping to send an e-mail to the CO? Another password. Want to get on SharePoint to see the new training docs? Password. God help you if you wanted to request leave … you get the point.
In the course of doing my job, I probably had a dozen passwords to memorize anew each time they required an update, and some officers, like the Regimental Personnel Officer, must have had twice that. Each password, a complex string of letters and numbers, sometimes random, sometimes not, and if you needed a reset out in the Wild West that is I&I duty (far detached from the Mama Bear that is the fleet), you were in for a wait. And that’s where all this complex security would break down and wither away… right there on our messy desks: most guys would just get frustrated and start writing their passwords down.
I guarantee you that I could walk into leadership elements all around the Marine Corps right now and find little notebooks full of passwords in the desk drawers of many high ranking Marines. It’s not because they don’t value OpSec, it’s because it’s the only way for a human to keep track of 20 different 16-byte, constantly changing passwords intended for 20 different software platforms. Most of us struggle to remember our wives’ birthdays or to take a vitamin… but somehow thousands of Marines are expected to retain what amounts to hundreds of random numbers and letters just to access their work computers and the software therein.
In today’s world, digital security is paramount – and no matter what new and improved method you develop to ensure the enemy can’t access your systems, they’ll work to find a way to circumvent it, so there is no question in my mind that these passwords represent a legitimate need… But at a certain point, the complexity of the password, coupled with the frequency of resets and the total number of them required leads to a fundamental compromise of the effort, as frustrated Marines just say, “eh, no one comes in here anyway,” and they just write the password on a sticky and slap it on the side of their monitor.
As cyber warfare increasingly becomes a focal point in national war strategies, we need something better. Physical security measures, like linking Common Access Cards (military IDs) to passwords to verify identity, already exist and are in use, but sourcing software from so many different places (as each branch tends to do for budgeting) means the software housed inside the computer you just accessed uses its own security mechanisms, independent from the computer’s, and so forth.
It’s easy to assume your jotted down passwords will remain private inside your office, but then, that’s the mindset HUMINT experts make their living on. If we hope to continue to expand our logistical, operational planning, administrative, and other functions within the digital realm – and it’s clear that the military aims to do so – we need to do better in terms of creating a sustainable digital security environment.
Because it doesn’t matter how good your encryption, how complex your password, or how thorough your vetting of personnel… if the key to unlocking your systems is a spiral-bound notebook lying on a desk, none of it really matters.