Military still gives thumbs down to thumb drives
Ban of portable storage devices entices employees to find less-safe workarounds, experts content
- By Doug Beizer
- Mar 02, 2010
Despite relaxing the ban on using portable storage devices on Defense Department computer systems, it appears thumb drives will not return to the military services anytime soon.
The Air Force and Army plan to continue banning the devices on their systems for now, according to two reports.
The Army Global Network Operations Security Center is currently performing a study to determine how to safely start using thumb drives again, according to an Army News Service report. Army officials say two conditions must be met before the drives are approved for use: There must be a way to ensure that users are only using government-approved and purchased devices and that Army networks are properly configured, according to the report.
The ban on thumb drives is still in place for the Air Force too, according to an Air Force Space Command report. The ban will stay in place until new guidelines and procedures for using the portable drives are written.
DOD details strict flash drive rules
“This will not be a return to 'business as usual,'" Maj. Gen. Michael Basla, Air Force Space Command vice commander, said in the report. “There will be strict limitations on using flash media devices when the Air Force returns to limited access and use. These limitations will be vital to our cyber security.”
The cautious approach the services are taking is wise, according to Dale Meyerrose, the former CIO for the Office of the Director of National Intelligence and currently Harris Corp.’s vice president and general manager for cyber integration.
The threats posed by removable drives increased significantly over the last two years and continues to be a serious problem, Meyerrose said.
“The underlying threat to removable media and drives is in the corrupting of the supply chain,” Meyerrose said. “The opportunity to implant and hide viruses, Trojans, and malware in devices and software during design and manufacture will always undermine security—no matter how fast technological protections advance. Cyber trust is not possible without supply chain integrity.”
Despite the risks, DOD officials were wise to scale back the all out ban on thumb drives, said Richard Ford, a computer science professor of assured information at the Florida Institute of Technology.
The problem with bans is that employees find ways around them resulting in an even worse cybersecurity posture, he said.
“In industry, one hears horrible stories of people sending confidential documents to Gmail and downloading them from home, for example, to get around restrictions,” Ford said.
“At the end of the day, when the security medicine we're prescribing is, at least at face value, worse than the disease, workers find creative ways to beat the system, often to the detriment of security,” he said. “In this case, I think DOD is making a very smart decision by recognizing that people will find a way to get their jobs done, and instead of rejecting technology is trying to find a way to embrace it. The technology genie can't be put back in the bottle; the trick is to find a way to, if not tame it, at least keep it manageable.”
Meyerrose agrees that the ban causes people to use less secure workarounds in order to do their jobs. But rather than a ban DOD officials should provide users with trusted, certifiable sources for portable media devices, he said. DOD officials should also provide a transparent mechanism for creating a trusted avenue for moving digitized information in the work environment, he said.
“Such a move might have cost a little bit more than the ruthless banning edict, but it would have preserved user capability and really enhanced cybersecurity,” Meyerrose said.
Doug Beizer is a staff writer for Federal Computer Week.