DOD brass takes jaundiced view of thumb drives

The Pentagon partially lifts the ban on portable storage devices, but suspicions remain

The thumb drive, the ubiquitous device that has revolutionized portable computer storage and cornered the market on conference souvenirs, can’t quite shake its reputation in the Defense Department as a modern-day Typhoid Mary.

Although officials at the Strategic Command recently announced that they were relaxing a 15-month-old ban on thumb drives and similar removable media, defense and security experts do not foresee any dramatic surge in the devices' use on defense networks. DOD had instituted its ban after the technology was blamed for a nasty outbreak of viruses in late 2008. The official policy might have changed, but suspicions remain.

The problems with thumb drives — technically known as USB flash drives — are their ubiquity and convenience. The devices fit comfortably in a jacket pocket or on a key ring and therefore move easily from computer to computer and town to town, picking up or spreading who-knows-what viruses or malware before being secreted away again.

So no one should be surprised that the military services are not ready to re-embrace the technology just yet.

The lifting of the ban “may be good news for troops, who depend on the drives to move data in bandwidth-starved locations,” writes Noah Shachtman for Wired’s "Danger Room" blog. “But it may be good news for hackers, too. The original network security concerns, which prompted the ban, haven’t really been addressed, one Strategic Command cyber defense specialist tells Danger Room: ‘Not much changed. Stratcom simply does not have the support to enforce such a ban indefinitely.’”

The Army, for one, is playing it safe. The Army Global Network Operations Security Center is studying how to reintroduce the devices without compromising security, writes Todd Lopez for the Army News Service.

At a minimum, Army officials need a way to limit use to products approved by the government and purchased through government contracts. Also, they want to ensure the security controls on Army networks are properly configured to handle the devices.

The Air Force is also taking a conservative approach. The service is keeping a ban in place until its security experts craft new guidelines and procedures for managing portable drives, according to a release from the Air Force Space Command.

“This will not be a return to 'business as usual,'" said Maj. Gen. Michael Basla, vice commander of the Air Force Space Command. “There will be strict limitations on using flash media devices when the Air Force returns to limited access and use. These limitations will be vital to our cybersecurity.”

Caution is warranted, said Dale Meyerrose, former chief information officer at the Office of the Director of National Intelligence and now Harris’ vice president and general manager for cyber integration.

The threats posed by removable drives increased significantly in the past two years and continue to be a serious problem. One of the biggest concerns is what happens to the devices before they even reach users.

“The underlying threat to removable media and drives is in the corrupting of the supply chain,” Meyerrose said. “The opportunity to implant and hide viruses, Trojans and malware in devices and software during design and manufacture will always undermine security, no matter how fast technological protections advance. Cyber trust is not possible without supply chain integrity.”

Unfortunately, an outright ban often inspires people to find creative ways to beat the system, which can result in even worse security problems. For example, an employee stymied by the ban might opt to send confidential documents to a personal e-mail account and download them from home.

“In this case, I think DOD is making a very smart decision by recognizing that people will find a way to get their jobs done and, instead of rejecting technology, [are] trying to find a way to embrace it,” said Richard Ford, a computer science professor of assured information at the Florida Institute of Technology.

“The technology genie can't be put back in the bottle," Ford said. "The trick is to find a way to, if not tame it, at least keep it manageable.”

About the Author

Doug Beizer is a staff writer for Federal Computer Week.


  • Government Innovation Awards
    Government Innovation Awards -

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Cybersecurity
    cybersecurity (Rawpixel/

    CMMC clears key regulatory hurdle

    The White House approved an interim rule to mandate defense contractors prove they adhere to existing cybersecurity standards from the National Institute of Standards and Technology.

Stay Connected