WikiLeaks Disclosures Prompt Defense Department Ban on USB Drives
The Pentagon's new restrictions on removable media and file transfers may impact how United States troops abroad communicate with family and friends back home, according to a privacy and computer security expert.
The new rules, outlined by the U.S. Department of Defense in a memo shortly after WikiLeaks started posting 250,000 cables from U.S. embassies and diplomats, ban military service personnel from using any removable media on any classified machines. The "crackdown" on removable media will likely include "rewritable CD drives, USB flash drives and multimedia storage like SD cards," Darren Hayes, Computer Information Systems Program Chair at New York's Pace University, told eWEEK.
Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued a "Cyber Control Order" on Dec. 3, outlining the new rules and directing all personnel to "immediately cease use of removable media on all systems, servers and stand-alone machines residing on SIPRNet," according to a CNN report.
Similar directives have been issued to other military branches, the report said.
SIPRNet (Secret Internet Protocol Router Network) is a separate and private network belonging to the Defense Department. While access to the SIPRNet system is restricted to only military staff, federal government employees can log on with their secure username and password regardless of their post or location, according to the Daily Mail.
The Air Force order also directs all staff to "immediately suspend all SIPRNet data transfer activities on removable media," said the CNN report.
The orders are in line with the Nov. 28 memo that said all Defense Department classified computers will have the "ability to write on removable media" disabled as a "temporary technical solution."
U.S. Army Private Bradley Manning said he downloaded the files from SIPRNet to a CD that was marked as containing music by performer Lady Gaga, according to chat transcripts published by Wired.
"Bottom line: It is now much more difficult for a determined actor to get access to and move information outside of authorized channels," wrote Pentagon spokesman Bryan Whitman in the Defense Department memo.
The military has banned USB devices before, the last time in 2008 shortly after disks helped spread malware onto the department's computers. The ban was lifted earlier this year, but the debate over whether military personnel should still have access to USB drives continues, said Hayes.
Data transfer between classified and unclassified computers is not being entirely removed, according to Whitman. The number of classified systems that can transfer materials to unclassified systems on NIPRNet will be limited, and under the new rules, two people have to be involved in the transfer, said the memo.
The ban can "only do so much," said Thom VanHorn, vice president of global marketing at Application Security. The problem is user access control: People have access to information they do not need. Information needs to be secured, and access privileges need to be "properly assigned" so "employees only have access to the information necessary to do their jobs," he said.
A former senior intelligence official recently told the Washington Post that access to SIPRNet "ballooned to about 500,000 or 600,000 people, including embassy personnel, military officials from other countries, state National Guard officials and Department of Homeland Security personnel," since 9/11.
While the new rules would prevent information from easily being downloaded and carried away, the focus should be on network monitoring, experts said.
"As a second step," organizations should "monitor access to ensure it isn't being abused or misused," said VanHorn.
It's "strange" that the DoD didn't already monitor user activity, so it's more "likely" that "policies weren't adhered to," said Hayes.
Considering the sheer volume of cables posted to WikiLeaks, it's unlikely that all that data would have been downloaded "without getting noticed" if there'd been a monitoring tool, Hayes said. Even if it happened over a "long period of time," the tools are "on the lookout for large clusters of data" on the network, he said.
Administrators should be looking at what is downloaded and whether it matches the user's job role. Monitoring should have "most scrutiny on the most highly privileged users," said VanHorn.
Regardless of what was in place before, "procedures to monitor and detect suspicious, unusual or anomalous user behavior" will be in place soon, according to the Defense Department memo. About 60 percent of SIPRNet is now connected to a host-based security system, which allows administrators to remotely monitor unusual data access or usage, said the memo. The military is also "accelerating" deployment to the remaining systems.
The Pentagon will also "rethink computer security procedures," such as restricting access to personal e-mail accounts, even on NIPRNet, said Hayes.
U.S. forces in Iraq trying to access WikiLeaks are being shown a warning page reminding them they should not be viewing classified documents over the NIPRNet, according to Gawker. This can be expanded to restrict access to personal e-mail sites like Google Gmail, Yahoo and Microsoft Hotmail, said Hayes.
Hayes said social networking sites such as Facebook pose a challenge for DoD. "The Department of Defense hasn't decided how to deal with social networks," Hayes said. These sites help troop morale by letting service members keep in touch with friends and family at home, but they can also be "a medium" for an individual to "leak classified documents."
"Many have argued that it is important for members of the military stationed abroad to have access to technology that facilitates communication with family," said Hayes.
These new guidelines are a result of two reviews ordered by Defense Secretary Robert Gates shortly after the Iraq war logs were posted on WikiLeaks over the summer to determine "what policy, procedural and/or technological shortfalls" occurred, according to the Defense Department statement.