FCW Insider: Buzzing about DOD and malware

Questions abound about the malware attack against the Defense Department, but answers are not forthcoming.

In recent weeks, we have heard bits and pieces of information about a malware attack against Defense Department systems. Security experts have a lot of questions, but DOD, so far, has not been forthcoming with the answers.

So for the Buzz of the Week, appearing in the Dec. 8 issue of FCW, I decided to focus on the questions. Here is what I wrote:

Questions about DOD, thumb drives and malware

Here is what we do know: A malicious bit of software known as Agent.btz has found its way into some Defense Department systems.

We also know that DOD officials have prohibited the use of most types of portable data-storage media on government computers — that includes USB-based thumb or flash drives, memory sticks, and camera flash memory cards. Such devices are widely used to move data or programs from one system to another. But they are also effective carriers of computer viruses and other malware.

According to a report by the Los Angeles Times, Agent.btz infected U.S. Central Command systems in Iraq and Afghanistan and even worked its way into highly secure networks. Senior DOD leaders have briefed President George W. Bush on the situation, the Times reports.

DOD officials have confirmed some of the basic facts, but they are leaving many questions unanswered. Security experts say one question immediately comes to mind: What made this piece of malware so effective against DOD defenses?

Other questions quickly follow, even if we assume that DOD’s cyber experts are able to track down the problem. For example, what other vulnerabilities exist that have yet to be exploited? And to what extent could such a cyberattack undermine military operations?

Here’s a question the feds might be asking: How long before my thumb drive is taken away? It is not likely to come to that, but look for stricter policies on when and how those devices might be used.

For example, NASA Chief Information Officer Jonathan Pettus recently issued a memo that instructed employees not to use their personal USB drives or other removable media on government computer systems. Likewise, the memo directed employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization.

Security concerns about removable media are nothing new, especially at DOD. But this time don’t hold your breath hoping that officials will quickly forget the matter and return things to normal.