DOD brass takes jaundiced view of thumb drives

The Pentagon partially lifts the ban on portable storage devices, but suspicions remain

The thumb drive, the ubiquitous device that has revolutionized portable computer storage and cornered the market on conference souvenirs, can’t quite shake its reputation in the Defense Department as a modern-day Typhoid Mary.

Although officials at the Strategic Command recently announced that they were relaxing a 15-month-old ban on thumb drives and similar removable media, defense and security experts do not foresee any dramatic surge in the devices' use on defense networks. DOD had instituted its ban after the technology was blamed for a nasty outbreak of viruses in late 2008. The official policy might have changed, but suspicions remain.

The problems with thumb drives — technically known as USB flash drives — are their ubiquity and convenience. The devices fit comfortably in a jacket pocket or on a key ring and therefore move easily from computer to computer and town to town, picking up or spreading who-knows-what viruses or malware before being secreted away again.

So no one should be surprised that the military services are not ready to re-embrace the technology just yet.

The lifting of the ban “may be good news for troops, who depend on the drives to move data in bandwidth-starved locations,” writes Noah Shachtman for Wired’s "Danger Room" blog. “But it may be good news for hackers, too. The original network security concerns, which prompted the ban, haven’t really been addressed, one Strategic Command cyber defense specialist tells Danger Room: ‘Not much changed. Stratcom simply does not have the support to enforce such a ban indefinitely.’”

The Army, for one, is playing it safe. The Army Global Network Operations Security Center is studying how to reintroduce the devices without compromising security, writes Todd Lopez for the Army News Service.

At a minimum, Army officials need a way to limit use to products approved by the government and purchased through government contracts. Also, they want to ensure the security controls on Army networks are properly configured to handle the devices.

The Air Force is also taking a conservative approach. The service is keeping a ban in place until its security experts craft new guidelines and procedures for managing portable drives, according to a release from the Air Force Space Command.

“This will not be a return to 'business as usual,'" said Maj. Gen. Michael Basla, vice commander of the Air Force Space Command. “There will be strict limitations on using flash media devices when the Air Force returns to limited access and use. These limitations will be vital to our cybersecurity.”

Caution is warranted, said Dale Meyerrose, former chief information officer at the Office of the Director of National Intelligence and now Harris’ vice president and general manager for cyber integration.

The threats posed by removable drives increased significantly in the past two years and continue to be a serious problem. One of the biggest concerns is what happens to the devices before they even reach users.

“The underlying threat to removable media and drives is in the corrupting of the supply chain,” Meyerrose said. “The opportunity to implant and hide viruses, Trojans and malware in devices and software during design and manufacture will always undermine security, no matter how fast technological protections advance. Cyber trust is not possible without supply chain integrity.”

Unfortunately, an outright ban often inspires people to find creative ways to beat the system, which can result in even worse security problems. For example, an employee stymied by the ban might opt to send confidential documents to a personal e-mail account and download them from home.

“In this case, I think DOD is making a very smart decision by recognizing that people will find a way to get their jobs done and, instead of rejecting technology, [are] trying to find a way to embrace it,” said Richard Ford, a computer science professor of assured information at the Florida Institute of Technology.

“The technology genie can't be put back in the bottle," Ford said. "The trick is to find a way to, if not tame it, at least keep it manageable.”

About the Author

Doug Beizer is a staff writer for Federal Computer Week.


  • Comment
    Diverse Workforce (Image: Shutterstock)

    Who cares if you wear a hoodie or a suit? It’s the mission that matters most

    Responding to Steve Kelman's recent blog post, Alan Thomas shares the inside story on 18F's evolution.

  • Cybersecurity
    enterprise security (Omelchenko/

    Does Einstein need a post-SolarWinds makeover?

    A marquee program designed to protect the government against cybersecurity threats is facing new scrutiny in the wake of Solar Winds Orion breach, but analysts say the program was unlikely to have ever stopped the hacking campaign.

Stay Connected