FCW Insider: Buzzing about DOD and malware
In recent weeks, we have heard bits and pieces of information about
a malware attack against Defense Department systems. Security experts
have a lot of questions, but DOD, so far, has not been forthcoming with
So for the Buzz of the Week, appearing in the Dec. 8 issue of FCW, I decided to focus on the questions. Here is what I wrote:
Questions about DOD, thumb drives and malware
Here is what we do know: A malicious bit of software known as Agent.btz has found its way into some Defense Department systems.
We also know that DOD officials have prohibited the use of most
types of portable data-storage media on government computers — that
includes USB-based thumb or flash drives, memory sticks, and camera
flash memory cards. Such devices are widely used to move data or
programs from one system to another. But they are also effective
carriers of computer viruses and other malware.
According to a report by the Los Angeles Times, Agent.btz infected
U.S. Central Command systems in Iraq and Afghanistan and even worked
its way into highly secure networks. Senior DOD leaders have briefed
President George W. Bush on the situation, the Times reports.
DOD officials have confirmed some of the basic facts, but they are
leaving many questions unanswered. Security experts say one question
immediately comes to mind: What made this piece of malware so effective
against DOD defenses?
Other questions quickly follow, even if we assume that DOD’s cyber
experts are able to track down the problem. For example, what other
vulnerabilities exist that have yet to be exploited? And to what extent
could such a cyberattack undermine military operations?
question the feds might be asking: How long before my thumb drive is
taken away? It is not likely to come to that, but look for stricter
policies on when and how those devices might be used.
For example, NASA Chief Information Officer Jonathan Pettus recently
issued a memo that instructed employees not to use their personal USB
drives or other removable media on government computer systems.
Likewise, the memo directed employees not to use government-owned
removable devices on personal machines or machines that do not belong
to the agency, department or organization.
Security concerns about removable media are nothing new, especially
at DOD. But this time don’t hold your breath hoping that officials will
quickly forget the matter and return things to normal.
Posted by John Stein Monroe on Dec 05, 2008 at 12:18 PM