The clampdown by the Department of Defense will have implications for how United States troops abroad will communicate with folks back home.
The Pentagon's new restrictions on removable media and file transfers may
impact how United States troops abroad communicate with family and friends back
home, according to a privacy and computer security expert.
The new rules, outlined by the U.S. Department of Defense in a memo shortly
after WikiLeaks started posting 250,000 cables from U.S. embassies and
diplomats, ban military service personnel from using any removable media on any
classified machines. The "crackdown" on removable media will likely include
"rewritable CD drives, USB flash drives and multimedia storage like SD
cards," said Darren Hayes, Computer Information Systems Program Chair at New
York's Pace University, to eWEEK.
Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued
a "Cyber Control Order" on Dec. 3, outlining the new rules and
directing all personnel to "immediately cease use of removable media on
all systems, servers and stand-alone machines residing on SIPRNet,"
according to a CNN report.
Similar directives have been issued to other military branches, the report
said.
SIPRNet (Secret Internet Protocol Router Network) is a separate and private
network belonging to the Defense Department. While access to the SIPRNet system
is restricted to only military staff, federal government employees can log on
with their secure username and password regardless of their post or location,
according to the Daily Mail.
The Air Force order also directs all staff to "immediately suspend all
SIPRNet data transfer activities on removable media," said the CNN report.
The orders are in line with the Nov. 28 memo that said all Defense
Department classified computers will have the "ability to write on
removable media" disabled as a "temporary technical solution."
U.S. Army Private Bradley Manning said he downloaded the files from SIPRNet
to a CD that was marked as containing music by performer Lady Gaga, according
to chat transcripts published by Wired.
"Bottom line: It is now much more difficult for a determined actor to
get access to and move information outside of authorized channels," wrote
Pentagon spokesman Bryan Whitman in the Defense Department memo.
The military has banned USB devices before, the last time in 2008 shortly after
disks helped spread malware onto the department's computers. The ban was lifted
earlier this year, but the debate about whether military personnel should have
access to USB drives continues, said Hayes.
Data transfer between classified and unclassified computers
is not being entirely removed, according to Whitman. The number of classified
systems that can transfer materials to unclassified systems on NIPRNet will be
limited, and under the new rules, two people have to be involved in the
transfer, said the memo.
The ban can "only do so much," said Thom VanHorn, vice president
of global marketing at Application Security. The problem is user access
control: People have access to information they do not need.
Information needs to be secured, and access privileges need to be
"properly assigned" so "employees only have access to the
information necessary to do their jobs," he said.
A former senior intelligence official recently told the Washington Post that
access to SIPRNet "ballooned to about 500,000 or 600,000 people, including
embassy personnel, military officials from other countries, state National
Guard officials and Department of Homeland Security personnel," since
9/11.
While the new rules would prevent information from easily being downloaded
and carried away, the focus should be on network monitoring, experts said.
"As a second step," organizations should "monitor access to
ensure it isn't being abused or misused," said VanHorn.
It's "strange" that the DoD didn't already monitor user activity,
so it's more "likely" that "policies weren't adhered to,"
said Hayes.
Considering the sheer volume of cables posted to WikiLeaks, it's unlikely that
all that data would have been downloaded "without getting noticed" if
there'd been a monitoring tool, Hayes said. Even if it happened over a
"long period of time," the tools are "on the lookout for large
clusters of data" on the network, he said.
Administrators should be looking at what is downloaded and whether it matches
the user's job role. Monitoring should have "most scrutiny on the most
highly privileged users," said VanHorn.
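The monitoring described above, sketched as an added example that is not from the article or from any Defense Department tool: a rolling 30-day byte count per user catches slow bulk downloads, a category check compares each download with the user's role, and privileged accounts get half the budget. The role names, categories, budgets and sample events are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Hypothetical policy: categories each role needs, and a 30-day byte budget.
ROLE_POLICY = {
    "intel_analyst": {"categories": {"regional_intel"}, "budget": 500_000_000},
    "sysadmin": {"categories": {"system_logs"}, "budget": 500_000_000},
}
WINDOW = timedelta(days=30)
PRIVILEGED_FACTOR = 0.5  # most scrutiny on privileged users: half the budget

def review(events):
    """events: (day, user, role, privileged, category, nbytes), sorted by day.
    Returns (day, user, reason) alerts, first occurrence per user and reason."""
    windows = defaultdict(deque)  # user -> (day, nbytes) entries inside WINDOW
    totals = defaultdict(int)     # user -> bytes currently inside WINDOW
    seen, alerts = set(), []
    for day, user, role, privileged, category, nbytes in events:
        policy = ROLE_POLICY[role]
        win = windows[user]
        win.append((day, nbytes))
        totals[user] += nbytes
        while win[0][0] <= day - WINDOW:  # expire entries older than 30 days
            totals[user] -= win.popleft()[1]
        budget = policy["budget"] * (PRIVILEGED_FACTOR if privileged else 1)
        reasons = []
        if category not in policy["categories"]:
            reasons.append("category outside job role")
        if totals[user] > budget:
            reasons.append("30-day volume over budget")
        for reason in reasons:
            if (user, reason) not in seen:
                seen.add((user, reason))
                alerts.append((day, user, reason))
    return alerts

def sample_events():
    """Constructed 60-day log; no single day looks large on its own."""
    start = date(2010, 1, 1)
    events = []
    for i in range(60):
        day = start + timedelta(days=i)
        # analyst_a: in-role work, 5 MB/day (never exceeds the budget)
        events.append((day, "analyst_a", "intel_analyst", False, "regional_intel", 5_000_000))
        # analyst_b: 20 MB/day of material outside the role
        events.append((day, "analyst_b", "intel_analyst", False, "diplomatic_cables", 20_000_000))
        # admin_c: privileged account, in-role, 12 MB/day
        events.append((day, "admin_c", "sysadmin", True, "system_logs", 12_000_000))
    return events
```

Calling `review(sample_events())` flags analyst_b on the first day for the role mismatch and again once the 30-day total passes the budget; admin_c is flagged only because the privileged budget is halved.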
Regardless of what was in place before, "procedures to
monitor and detect suspicious, unusual or anomalous user behavior" will be
in place soon, according to the Defense Department memo. About 60 percent of
SIPRNet is now connected to a host-based security system, which allows
administrators to remotely monitor unusual data access or usage, said the memo.
The military is also "accelerating" deployment to the remaining
systems.
The Pentagon will also "rethink computer security procedures,"
such as restricting access to personal e-mail accounts, even on NIPRNet, said
Hayes.
U.S. forces in Iraq trying to access WikiLeaks are being shown a warning page
reminding them they should not be viewing classified documents over the NIPRNet,
according to Gawker. This can be expanded to restrict access to personal e-mail
sites like Google Gmail, Yahoo and Microsoft Hotmail, said Hayes.
Hayes said social networking sites such as Facebook pose a challenge for
DoD. "The Department of Defense hasn't decided how to deal with social
networks," Hayes said: these sites help troop morale by letting personnel keep
in touch with friends and family at home, but they can also be "a medium"
for an individual to "leak classified documents."
"Many have argued that it is important for members of the military
stationed abroad to have access to technology that facilitates communication
with family," said Hayes.
These new guidelines are a result of two reviews ordered by Defense
Secretary Robert Gates shortly after the Iraq war logs were posted on WikiLeaks
over the summer to determine "what policy, procedural and/or technological
shortfalls" occurred, according to the Defense Department statement.