Misuse that may warrant some form of adjudicative action commonly falls under one of the following categories. Many of these examples can also be adjudicated under other guidelines such as Personal Conduct, Mishandling Protected Information, Criminal Conduct, or Psychological Conditions.
- Any illegal or unauthorized entry into any information technology system, whether motivated by curiosity or simply by the challenge of penetrating the system. This includes exceeding one's level of authorized access within a system or unauthorized intrusion into another government or company system by evading access controls.
- Any unauthorized monitoring of electronic communications or system services.
- Systematic browsing of files that are beyond one's need-to-know. Some evidence suggests that browsing is often a precursor to criminality. It can be analogous to a burglar casing a target to see how vulnerable it is. If the person doing the browsing sees an opportunity to steal valuable information with little chance of detection, it can greatly increase any temptation to engage in theft.
- Malicious use of another person's computer terminal without authorization when that person leaves the terminal unattended.
Modification, Destruction or Manipulation
- Any illegal or unauthorized modification or destruction of application software, files or records in an information technology system. This includes sabotaging or manipulating personnel records, research results, design specifications, etc. For example, two employees at a DoD medical laboratory changed drug test results in the computer system to show positive results as negative. Their purpose was not to help people get around the drug screening, but to reduce their own workload. Positive tests required additional work.
- Deliberately creating or allowing any unauthorized entry point or other system vulnerability in an information technology system.
- Denial of service, or disrupting a web site in a manner that renders it unusable to internal or external users. For example, in 1999 an Army Private First Class, who had been given a nonjudicial punishment for storing game files on a critical Army system, shut off access to the system by other personnel for over three hours. Given a second punishment, the same individual later deleted over 1,000 work-related files on the system by introducing a Trojan virus that allowed him to remotely control the workstations of other employees. The final offense resulted in a court martial and prison sentence.
Use of IT System for Fraud, Theft, or Personal Gain
- Selling or otherwise exploiting for personal advantage classified, proprietary, Privacy Act, or other protected information.
- Manipulating financial records so that, for example, checks or money transfers are made out or sent to the wrong person.
- Manipulating logistics records to steal equipment. For example, equipment may be stolen by having it shipped to the wrong location. Thefts of equipment may be covered up by manipulating inventory records.
- Theft or illegal use of credit card numbers, altering of telephone billing accounts, cellular telephone billing numbers or any other communications fraud. As telephone systems are increasingly managed by computer, and as new technology merges all telecommunications, data transmission, cable television and teleconferencing, fraudulent use of these systems has increased. In a recent case, a foreign national employed by the U.S. Army at an overseas location altered phone records on line to make unlimited free phone calls.
Introduction of Unauthorized Software
- Installing, downloading, or using any unauthorized software or computer files, particularly without the use of an approved virus protection program.
- Inserting viruses and other malicious software (worms, Trojan Horses, logic bombs, trap doors) to destroy records or to penetrate or impair system functions.
- The downloading, introduction, or use of hacking tools and the use of an information system to illegally enter other government or private sector systems or networks. In 1998 an Air Force enlisted man installed software on several office computers that allowed him to control them from his home personal computer. These intrusions and their source were detected by the AF Communication Emergency Response Team (AFCERT). A search of his personal computer revealed evidence of hacking, software piracy, and the possession of child pornography.
Misuse of Government or Corporate IT Systems
- Sending or soliciting sexually oriented messages or images. Downloading, creating, storing or displaying computer files of a sexual nature.
- Use of official equipment or systems to further an individual's private business enterprise. Apparently with no intention to harm the government system, in 1998 four enlisted service members set up their own local area network and a nongovernment commercial web site on a government server for the purpose of conducting a personal computer business after duty hours. While not a malicious act, this misuse of a military network may have compromised the network's capacity for meeting official requirements. 6
- Transmission of offensive or harassing statements, including disparagement of others based on their race, national origin, sex, sexual orientation, age, disability, religious or political beliefs. Internet and e-mail access may make harassment easier because of its impersonal nature. Perpetrators need not be face-to-face with or engage in any truly personal contact with their victims. According to one report, the frequency of harassment has increased significantly as the use of local area networks and the Internet has increased.
- Sexual harassment in the workplace using an IT system including solicitation, sexually explicit comments, obscene jokes, or other inappropriate communications sent by e-mail to a coworker with the intent to exploit, seduce, humiliate, embarrass or compromise that individual.
Failure to Protect Information
- Negligence or lax security habits in handling information technology that persist despite counseling by management. Examples of negligence include failure to protect a password and failure to promptly install software patches or updates as required.
- Removing electronic media containing classified information from the office to work on them at home.
- Processing classified information on a home PC or any other computer kept in an area that is not approved for secure storage, or moving a computer that has been used for classified material from a secure area to a nonsecure area. (Classified files can be recovered on the hard drive even after they have been deleted or erased by the user.)