DOD brass takes jaundiced view of thumb drives

The Pentagon partially lifts the ban on portable storage devices, but suspicions remain

The thumb drive, the ubiquitous device that has revolutionized portable computer storage and cornered the market on conference souvenirs, can’t quite shake its reputation in the Defense Department as a modern-day Typhoid Mary.

Although officials at the Strategic Command recently announced that they were relaxing a 15-month-old ban on thumb drives and similar removable media, defense and security experts do not foresee any dramatic surge in the devices' use on defense networks. DOD had instituted its ban after the technology was blamed for a nasty outbreak of viruses in late 2008. The official policy might have changed, but suspicions remain.

The problems with thumb drives — technically known as USB flash drives — are their ubiquity and convenience. The devices fit comfortably in a jacket pocket or on a key ring and therefore move easily from computer to computer and town to town, picking up or spreading who-knows-what viruses or malware before being secreted away again.

So no one should be surprised that the military services are not ready to re-embrace the technology just yet.

The lifting of the ban “may be good news for troops, who depend on the drives to move data in bandwidth-starved locations,” writes Noah Shachtman for Wired’s "Danger Room" blog. “But it may be good news for hackers, too. The original network security concerns, which prompted the ban, haven’t really been addressed, one Strategic Command cyber defense specialist tells Danger Room: ‘Not much changed. Stratcom simply does not have the support to enforce such a ban indefinitely.’”

The Army, for one, is playing it safe. The Army Global Network Operations Security Center is studying how to reintroduce the devices without compromising security, writes Todd Lopez for the Army News Service.

At a minimum, Army officials need a way to limit use to products approved by the government and purchased through government contracts. Also, they want to ensure the security controls on Army networks are properly configured to handle the devices.

The Air Force is also taking a conservative approach. The service is keeping a ban in place until its security experts craft new guidelines and procedures for managing portable drives, according to a release from the Air Force Space Command.

“This will not be a return to 'business as usual,'" said Maj. Gen. Michael Basla, vice commander of the Air Force Space Command. “There will be strict limitations on using flash media devices when the Air Force returns to limited access and use. These limitations will be vital to our cybersecurity.”

Caution is warranted, said Dale Meyerrose, former chief information officer at the Office of the Director of National Intelligence and now Harris’ vice president and general manager for cyber integration.

The threats posed by removable drives increased significantly in the past two years and continue to be a serious problem. One of the biggest concerns is what happens to the devices before they even reach users.

“The underlying threat to removable media and drives is in the corrupting of the supply chain,” Meyerrose said. “The opportunity to implant and hide viruses, Trojans and malware in devices and software during design and manufacture will always undermine security, no matter how fast technological protections advance. Cyber trust is not possible without supply chain integrity.”

Unfortunately, an outright ban often inspires people to find creative ways to beat the system, which can result in even worse security problems. For example, an employee stymied by the ban might opt to send confidential documents to a personal e-mail account and download them from home.

“In this case, I think DOD is making a very smart decision by recognizing that people will find a way to get their jobs done and, instead of rejecting technology, [are] trying to find a way to embrace it,” said Richard Ford, a computer science professor of assured information at the Florida Institute of Technology.

“The technology genie can't be put back in the bottle," Ford said. "The trick is to find a way to, if not tame it, at least keep it manageable.”

About the Author

Doug Beizer is a staff writer for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.