HomeNews

News Search

Tool to safeguard PII scheduled for AF-wide December rollout

JOINT BASE SAN ANTONIO-LACKLAND, Texas (AFNS) -- The Digital Signature Enforcement Tool is scheduled for Air Force-wide integration Dec. 5, providing Microsoft Outlook email users with an interactive, automated virtual assistant to help ensure the security of personally identifiable information.

"I can't overstate the operational importance of preventing PII breaches," said Maj. Gen. B. Edwin Wilson, the commander of 24th Air Force and Air Forces Cyber. "It's not an IT problem, it's a total-force problem, and DSET is an effective tool the total force can use, right now, to help reduce inadvertent PII breaches."

Beyond potential identity theft, PII breaches can lead to significant compromises in operational security. For example, a well-meaning member working to meet an operational deadline sends an unencrypted email, containing PII on several unit members, to a "non .mil" email account.

The sender could be attempting to get ahead on a project or be providing a status update to unit members on pending unit movements.

Unknown to the sender, hackers have compromised email transport infrastructure between the sender's desktop and one of the destination, "non .mil" desktops. Hackers intercepting this unencrypted email traffic can utilize the newly acquired personal information to form specifically targeted attacks, known as spear phishing, to acquire additional information such as account numbers or passwords.

Unfortunately, the attack does not stop there. Once an attacker has acquired enough information, he can simulate user accounts or even pass off communications on behalf of the service member, who is likely still unaware that his information has been compromised. Those false communications could be leveraged to gain digital access to Air Force systems, or even physical access to installations and personnel. Obviously, the negative implications caused by PII breaches are severe, and equipping the force with tools to mitigate the risk is paramount.

DSET version 1.6.1, an updated version of the DSET 1.6.0 software already in use by the Air National Guard, Air Force Reserve Command, and Air Force Space Command, contains fixes for some previously identified software bugs as well as enhancements to make the digital tool more effective.

"DSET 1.6.0 launched back in July to three major commands," said Alonzo Pugh, a cyber business system analyst for 24th Air Force.

"Feedback has been overwhelmingly favorable for the use of the tool, and version 1.6.1 is definitely ready for Air Force-wide usage."

DSET is regarded as a short-term fix to help all Air Force network users protect PII, specifically if that information is to be included in an email communication. DSET 1.6.1 still only scans for PII in the form of social security numbers, leaving overall responsibility on the user to safeguard the sensitive information in all of its forms.

"First, the user should ask him or herself if the PII in the email is truly necessary," Pugh said. "DSET scans the email draft before transmission. If PII is identified, DSET will notify the user through a series of pop-up windows. This interactivity allows the user to make a conscious decision of how to proceed with the information in question."

According to Pugh, if the information must be transmitted, encrypting the PII is all that is necessary to protect the data during transmission. DSET will trigger when it detects potential PII in an email, giving the user the opportunity to delete the information if not necessary to the communication, encrypt the information, or override and transmit the email as originally written.

If the file containing PII is already encrypted - through the Microsoft Office "protect" permission feature or some other software - DSET will not trigger and the email can be sent as usual to any recipient's email address, whether ".mil," ".com," etc. However, if the email itself is encrypted through Microsoft Outlook, the communication is only safe to transmit to a recipient's ".mil" email address. An email encrypted in this fashion cannot be sent to any "non-.mil" addresses. If the user attempts to do so, DSET and Microsoft Outlook will provide pop-up boxes explaining the user's options.

"I can't overstress the importance of reading the information in the pop-up box," Pugh said. "Read the training materials on the use of DSET; read the training slides on how to use Microsoft Office features to encrypt various documents; understand how these tools can help you safeguard PII."

To prepare for the Air Force-wide release of DSET, you can access training here:

  - DSET tutorials

  - DSET Quick Reference Guide

  - Additional training on how to encrypt Microsoft Office documents

Users have multiple tools at their disposal to protect PII if encrypting email is not feasible, but if electronic transmission of sensitive PII is operationally required, users can leverage approved Department of Defense file exchange services at: https://safe.amrdec.army.mil/safe/.

More information regarding DSET implementation can be found at: http://www.24af.af.mil/news/story.asp?id=123417788.

(Information courtesy of 24th Air Force Public Affairs)
USAF Comments Policy
If you wish to comment, use the text box below. AF reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The AF and the AF alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the AF, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying AF endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

AF does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. AF may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. AF does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the AF or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.