The Pentagon's Failed Flash Drive Ban Policy

September 16th, 2016

If CIOs are looking at government data management and security policies to set an example, they should think again, says Zack Whittaker for ZDNet.

Whittaker cites a recent Reuters news agency report on the Pentagon’s flash-drive ban policy, which said:

The Pentagon has granted many exceptions, possibly numbering in the thousands, to allow staff members who administer secure computer networks to use flash drives and other portable storage devices, department spokesmen say. […] But officials say waivers go to people who update software and run helpdesk services for the Pentagon’s vast computer network and are needed to run the system efficiently.

Whittaker then opines that the U.S. government, despite these major leaks from “whistleblowers,” hasn’t learned how best to deal with the problem.

Despite a number of leaks already flowing out of the U.S. government—notably the National Security Agency and PRISM leaks, and so on and so forth—the U.S. Department of Defense is allowing possibly “thousands” of staff to ignore the rules on portable storage devices on secure government machines for the sake of efficiency.

Exactly how Edward Snowden leaked the documents to U.K. and U.S. newspapers remains unclear. The chances are that it was by plugging in a USB stick and downloading sensitive and classified materials for his later perusal.

It’s like the U.S. hasn’t learned a thing from one whistleblower to another, he continues.

Take Pvt Bradley Manning, who’s currently holed up in a military court awaiting his fate. He was able to download vast quantities of secure and sensitive data from government networks onto a disc disguised as a copy of Lady Gaga’s at-the-time latest album and leak it to whistleblowing site WikiLeaks. That was a massive data breach that caused the U.S. government a huge amount of embarrassment with its allies and frenemies around the world.

Three years on, there’s been a clampdown across government departments, including the military. And in response to this, smartphones and tablets sans removable storage, such as iPhones and iPads, have also garnered support across the public sector space, thanks to their in-built storage that helps prevent physical data thefts.

But it’s not enough. It’s far from enough, and it’s likely the reason why data was leaked in this instance. Removable storage policies, as boring as they sound, aren’t just about keeping data in. They’re also designed to keep bad data out, such as malware.

In 2009, at the height of the Conficker worm outbreak, the U.K. Houses of Parliament suffered a worm attack when Conficker spread across its networks. The cause? An unauthorized USB flash drive, which ultimately cost millions of pounds to clean up. More than 15 million computers around the world were ultimately affected by the worm.

There are sensible precautions that governments and their departments have to take to ensure that data, which more often than not ultimately includes information on their electorate and citizens, remains secure.

But they’re not. Least of all the U.S., which should be setting an example.

Nobody can get data security quite right. Nobody has it dead-set perfect, and it’s not an exact science. But there are steps to mitigate data breaches, security lapses, and even whistleblowing—to a greater or lesser extent—seeing as whistleblowing can go either way in regards to “the greater good of public knowledge” versus national security.

Just because the government is doing something, or not doing something, doesn’t necessarily make it the right decision. And CIOs in the private and public sector should take note of the mistakes that others make in order to prevent their own foul-ups.

Yes, it may well be that the U.S. government is allowing a handful of people in the vast ocean of employees it has to run around with carte blanche access to do what they want. But all it takes is one. It’s perhaps time the U.S. woke up to the fact that in some cases, it has to be a one-policy-fits-all situation.
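The Reuters report describes a ban with waivers handed to software updaters and helpdesk staff, and Whittaker’s point is that each blanket waiver is one person away from a breach. The following is an added illustration, not code from ZDNet, Reuters or any Department of Defense system, of how a defender would scope such exceptions: deny by default, tie every waiver to a named user, a specific device serial and an approval ticket, make write access a separate grant, audit every allow, and flag the blanket (any-device) waivers for review. The users, serials, ticket numbers and device events are all constructed for the example.

```python
"""
Removable-storage policy with narrowly scoped waivers (added illustration).
Every user, device serial, ticket number and event below is constructed;
none comes from the article or from any real policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Waiver:
    """An approved exception to the removable-storage ban."""
    user: str
    device_serial: Optional[str]   # None = any device: the blanket kind of waiver
    allow_write: bool              # read-only waivers still let staff run tools but not export
    ticket: str                    # approval record the waiver is tied to (constructed ids)


@dataclass(frozen=True)
class DeviceEvent:
    """One removable-storage action as an endpoint agent might report it (constructed)."""
    host: str
    user: str
    serial: str
    action: str                    # "mount", "read" or "write"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    ticket: Optional[str] = None


class RemovableStoragePolicy:
    """Deny by default; allow only what an explicit waiver covers; record every decision."""

    def __init__(self, waivers: List[Waiver]):
        self.waivers = list(waivers)
        self.audit: List[Tuple] = []

    def evaluate(self, ev: DeviceEvent) -> Decision:
        for w in self.waivers:
            if w.user != ev.user:
                continue
            # A waiver pinned to a serial does not cover a different stick
            if w.device_serial is not None and w.device_serial != ev.serial:
                continue
            if ev.action == "write" and not w.allow_write:
                return self._record(ev, Decision(False, "waiver is read-only", w.ticket))
            return self._record(ev, Decision(True, "covered by waiver", w.ticket))
        return self._record(ev, Decision(False, "no waiver: default deny"))

    def _record(self, ev: DeviceEvent, d: Decision) -> Decision:
        self.audit.append((ev.host, ev.user, ev.serial, ev.action, d.allowed, d.reason, d.ticket))
        return d

    def blanket_waivers(self) -> List[Waiver]:
        """Waivers not pinned to a device serial: the ones a reviewer should question first."""
        return [w for w in self.waivers if w.device_serial is None]

    def allowed_by_waiver(self) -> Dict[str, int]:
        """Allowed actions per ticket, so unused or heavily used waivers stand out at review time."""
        counts: Dict[str, int] = {}
        for rec in self.audit:
            if rec[4]:
                counts[rec[6]] = counts.get(rec[6], 0) + 1
        return counts


# Constructed sample waivers and device events
WAIVERS = [
    Waiver("helpdesk01", device_serial="SN-HD-0001", allow_write=True, ticket="CHG-1001"),
    Waiver("patchadmin", device_serial="SN-PA-0002", allow_write=False, ticket="CHG-1002"),
    Waiver("netops07", device_serial=None, allow_write=True, ticket="CHG-1003"),  # blanket
]

EVENTS = [
    DeviceEvent("ws-101", "helpdesk01", "SN-HD-0001", "write"),   # approved device, write granted
    DeviceEvent("ws-102", "helpdesk01", "SN-XX-9999", "mount"),   # different device: denied
    DeviceEvent("ws-103", "patchadmin", "SN-PA-0002", "write"),   # read-only waiver: denied
    DeviceEvent("ws-103", "patchadmin", "SN-PA-0002", "read"),    # read under waiver: allowed
    DeviceEvent("ws-104", "analyst22", "SN-AN-0003", "mount"),    # no waiver: denied
    DeviceEvent("ws-105", "netops07", "SN-ANY-0000", "write"),    # blanket waiver: allowed
]


def run_sample() -> Tuple[RemovableStoragePolicy, List[Decision]]:
    policy = RemovableStoragePolicy(WAIVERS)
    decisions = [policy.evaluate(e) for e in EVENTS]
    return policy, decisions


if __name__ == "__main__":
    policy, decisions = run_sample()
    for e, d in zip(EVENTS, decisions):
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{e.host} {e.user} {e.serial} {e.action}: {verdict} ({d.reason})")
    print("blanket waivers to review:", [w.ticket for w in policy.blanket_waivers()])
    print("allows per ticket:", policy.allowed_by_waiver())
```

The design choice worth noting is that the only waiver able to cover an unknown device is the blanket one for `netops07`; `blanket_waivers()` exists precisely so that such grants are listed and re-justified rather than accumulating by the thousand.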

Source: ZDNet