John FoleyEditor, InformationWeek
Government Technologist: DoD Must Confront Child Porn Issue
An Inspector General report detailing more than a dozen investigations of suspected child porn at the Department of Defense deserves an aggressive response. The scope of the problem, which extends to DoD computers and networks, warrants a full-scale review of IT policies and processes to block this offensive garbage.
The 94-page IG report, released in response to a Freedom of Information Act filing by the Boston Globe, provides a seldom-seen look into the who, what, where, when, and how of child porn access by employees and contractors of the U.S. military. In several of the cases involved, it appears that more rigorous IT governance might have identified problems earlier or even prevented them. Keep in mind that there's risk associated with this nasty problem -- government systems may be exposed to malware, and the perpetrators are vulnerable to blackmail and threats.
DoD launched its investigations, most of which took place between 2007 and 2009, in the wake of an Immigration and Customs Enforcement (ICE) probe, known as Operation Flicker, into child porn Web sites. Combing through the transaction records of those sites, ICE agents turned up the names of 5,000 customers, including those using .mil e-mail addresses or the ZIP codes of military post offices. ICE shared its findings with the Defense Criminal Investigative Service (DCIS), which launched its own investigation.
In one case, an Oracle employee with top secret clearance and under contract to the National Security Agency was identified as a subscriber to the child porn Web sites under investigation by ICE agents. On the same day that a search warrant was issued for that person's home computer, it appears that he traveled to his office and tampered with work computers. A second search warrant resulted in the discovery of child porn on an office computer and, in March 2008, he was indicted on possession of child porn. (It's unclear from the IG report, which is heavily redacted, if the offices involved were those of NSA, Oracle, or another employer.) The suspect fled and is thought to be hiding in Libya.
In another case, the Defense Contract Management Agency, which works with DoD suppliers, seized a government computer used by a contract worker. Forensic analysis revealed 40 thumbnail images suspected of being child porn, and the employee admitted having a thumb drive with 2,700 images that he said might "raise some eyebrows." During the course of the investigation, he admitted to playing online games on his work computer for an average of three hours during the work day.
That guy got off the hook. The U.S. Attorney's office declined to prosecute him based on an inability to verify the ages or identities of the young people in the photographs and the fact that a majority of the images didn't constitute child porn. The DCMA tried to recoup $20,000 in back wages, based on the time spent gaming, but the effort was unsuccessful, and the case was closed. His only penalty was a 30-day suspension for misuse of government time and resources.
There are also the examples of a Navy non-commissioned officer who downloaded child porn while stationed on the U.S.S. Mason, a destroyer class ship, and of a DARPA program manager whose computer, during a routine virus check, revealed what appeared to be child porn and lots of it.