[Infowarrior] - Pentagon Lifts Thumb Drive Ban

Richard Forno rforno at infowarrior.org
Thu Feb 18 17:56:05 UTC 2010 

Danger Room What’s Next in National Security
Hackers, Troops Rejoice: Pentagon Lifts Thumb Drive Ban
	• By Noah Shachtman
	• February 18, 2010  |
	• 12:00 pm  |
	• Categories: Info War
http://www.wired.com/dangerroom/2010/02/hackers-troops-rejoice-pentagon-lifts-thumb-drive-ban
Soldiers, you are now cleared to use your thumb drives again. U.S.  
Strategic Command has lifted its ban on the tiny drives, memory  
sticks, CDs, and other “removable flash media” on military networks.

The repeal, first reported by InsideDefense.com, may be good news for  
troops, who depend on the drives to move data in bandwidth-starved  
locations. But it may be good news for hackers, too. The original  
network security concerns which prompted the ban haven’t really been  
addressed, one Strategic Command cyber defense specialist tells Danger  
Room: “Not much changed. STRATCOM simply does not have the support to  
enforce such a ban indefinitely.”

STRATCOM prohibited the drives’ use back in November, 2008 after the  
Agent.btz virus began working its way through military networks. A  
variation of the “SillyFDC” worm, Agent.btz spreads by copying itself  
from thumb drive to computer and back again. Once on a PC, “it  
automatically downloads code from another location. And that code  
could be pretty much anything,” iDefense computer security expert Ryan  
Olson said at the time.

There was also talk that such infections might be deliberate attacks  
on the Defense Department’s networks. The ban was billed in one  
STRATCOM e-mail as a way to counter “adversary efforts to penetrate,  
disrupt, interrupt, exploit or destroy critical elements of the GIG  
[Global Information Grid].” Jim Lewis, with the Center for Strategic  
and International Studies, told 60 Minutes last November that “some  
foreign power” infiltrated the classified network of U.S. Central  
Command through the use of “thumb drives.” (Later, Lewis said he did  
not have direct knowledge of the incident.)

Troops in the field and at secure facilities often rely on thumb  
drives, CDs, and other removable media to transport information when  
bandwidth is scarce and networks are unreliable. Even after the ban  
went into effect, takeaway storage continued to be used constantly as  
a substitute.

STRATCOM hopes to keep the spread of any viruses to a minimum by only  
allowing “properly inventoried, government-procured and owned devices”  
on military networks. But at least one STRATCOM specialist is  
skeptical that the limitations will have much of an impact.

“Simply put, DoD [Department of Defense] cannot undo 20+ years of  
tacitly utilizing worst IT security practices in a reasonable amount  
of time especially when many of these practices are embedded in  
enterprise wide processes. While a more restrictive policy on such  
devices is useful and better than no policy at all, it still pivots on  
what I like to call the ‘original sin’ fallacy of cyber security: the  
unsubstantiated given in most policies that all users will always  
follow the rules and self police,” the specialist notes.

At the National Security Agency and other highly-classified  
organizations, USB ports and writable drives are removed from desktop  
computers. Drivers of the devices are disabled. In many wings of  
Defense Department, that would bring information-sharing to a grinding  
halt.

“Folks at all levels being routinely tasked to do things with their IT  
by senior leaders for which they are not provided the enterprise tools  
for and often require them to use poor security practices or violate  
existing policy to accomplishment,” the STRATCOM specialist observes.

It would be like ordering a subordinate to hand deliver a message by  
car to someone in 10 minutes — but that person is 10 miles away so  
they have to drive 60 mph.  The law says the speed limit is 55, but  
the driver is forced to speed to accomplish the task. And then leaders  
lament the deaths and injuries caused by speeding and create policies  
demanding drivers stop speeding and increase the punishment on those  
that do. Nice little Catch 22 we create for ourselves.

[Photo: USMC]

More information about the Infowarrior mailing list