Soldiers, you are now cleared to use your thumb drives again. U.S. Strategic Command has lifted its ban on the tiny drives, memory sticks, CDs and other removable flash media on military networks.
The repeal, first reported by InsideDefense.com, may be good news for troops, who depend on the drives to move data in bandwidth-starved locations. But it may be good news for hackers, too. The original network security concerns which prompted the ban havent really been addressed, one Strategic Command cyber defense specialist tells Danger Room: Not much changed. StratCom simply does not have the support to enforce such a ban indefinitely.
StratCom prohibited the drives use back in November 2008 after the Agent.btz virus began working its way through military networks. A variation of the SillyFDC worm, Agent.btz spreads by copying itself from thumb drive to computer and back again. Once on a PC, it automatically downloads code from another location. And that code could be pretty much anything, iDefense computer security expert Ryan Olson said at the time.
There was also talk that such infections might be deliberate attacks on the Defense Departments networks. The ban was billed in one StratCom e-mail as a way to counter adversary efforts to penetrate, disrupt, interrupt, exploit or destroy critical elements of the GIG [Global Information Grid]. Jim Lewis, with the Center for Strategic and International Studies, told 60 Minutes last November that some foreign power infiltrated the classified network of U.S. Central Command through the use of thumb drives. (Later, Lewis said he did not have direct knowledge of the incident.)
Troops in the field and at secure facilities often rely on thumb drives, CDs and other removable media to transport information when bandwidth is scarce and networks are unreliable. Even after the ban went into effect, takeaway storage continued to be used constantly as a substitute.
StratCom hopes to keep the spread of any viruses to a minimum by only allowing properly inventoried, government-procured and owned devices on military networks. But at least one StratCom specialist is skeptical that the limitations will have much of an impact.
Simply put, DoD [Department of Defense] cannot undo 20+ years of tacitly utilizing worst IT security practices in a reasonable amount of time, especially when many of these practices are embedded in enterprise wide processes. While a more restrictive policy on such devices is useful and better than no policy at all, it still pivots on what I like to call the original sin fallacy of cybersecurity: the unsubstantiated given in most policies that all users will always follow the rules and self-police, the specialist notes.
At the National Security Agency and other highly classified organizations, USB ports and writable drives are removed from desktop computers. Drivers of the devices are disabled. In many wings of Defense Department, that would bring information-sharing to a grinding halt.
Folks at all levels being routinely tasked to do things with their IT by senior leaders for which they are not provided the enterprise tools for and often require them to use poor security practices or violate existing policy to accomplishment, the StratCom specialist observes.
It would be like ordering a subordinate to hand-deliver a message by car to someone in 10 minutes but that person is 10 miles away so they have to drive 60 mph. The law says the speed limit is 55, but the driver is forced to speed to accomplish the task. And then leaders lament the deaths and injuries caused by speeding and create policies demanding drivers stop speeding and increase the punishment on those that do. Nice little Catch 22 we create for ourselves.
Photo: USMC
Source: www.wired.com
No related posts.
Related posts brought to you by Yet Another Related Posts Plugin.
Tags: Defense Department networks, military networks, thumb drives, writable drives