Pentagon's failed flash drive ban policy: A lesson for every CIO


Summary: If CIOs are looking at government data management and security policies to set an example, they should think again. Despite a series of NSA leaks, the U.S. Dept of Defense allows 'thousands' of staff to use portable storage drives.

TOPICS: CXO, Data Management

From the Reuters news agency on Saturday:

(Reuters) — The Pentagon has granted many exceptions, possibly numbering in the thousands, to allow staff members who administer secure computer networks to use flash drives and other portable storage devices, department spokesmen say. [...] But officials say waivers go to people who update software and run helpdesk services for the Pentagon's vast computer network and are needed to run the system efficiently.

Yeah, that's a thing, apparently.

Despite a number of leaks already flowing out of the U.S. government — notably the National Security Agency and PRISM leaks, and so on and so forth — the U.S. Department of Defense is allowing possibly "thousands" of staff to ignore the rules of portable storage devices on secure government machines for the sake of efficiency.

Which is fine. You know, it's not as though the U.S. is pumping pretty much every resource into tracking down a former U.S. intelligence agency contractor, who leaked documents that may have jeopardized national security by revealing a mass dragnet surveillance program, whose location at the time of writing remains unknown.

Exactly how Edward Snowden leaked the documents to U.K. and U.S. newspapers remains unclear. The chances are that it was by plugging in a USB stick and downloading sensitive and classified materials for his later perusal.

It's like the U.S. hasn't learned a thing from one whistleblower to another.

Take Pvt Bradley Manning, who's currently holed up in a military court awaiting his fate. He was able to download vast quantities of secure and sensitive data from government networks onto a disc disguised as a copy of Lady Gaga's at-the-time latest album and leak it to whistleblowing site WikiLeaks. That was a massive data breach that caused the U.S. government a huge amount of embarrassment with its allies and frenemies around the world.

Three years on, there's been a clampdown across government departments, including the military. And in response to this, smartphones and tablets sans removable storage, such as iPhones and iPads, have also garnered support across the public sector space, thanks to their built-in storage, which helps prevent physical data theft.

But it's not enough. It's far from enough, and it's likely the reason why data was leaked in this instance. Whether it was a whistleblower or a careless mistake — who hasn't accidentally emailed a top secret document to a Guardian journalist? — it would have happened eventually.

Removable storage policies, as boring as they sound, aren't just about keeping data in. They're also designed to keep bad data out, such as malware.

In 2009, at the height of the Conficker worm outbreak, the U.K. Houses of Parliament suffered a worm attack when Conficker spread across its networks. The cause? An unauthorized USB flash drive, which ultimately cost millions of pounds to clean up, and left a small but costly dent in the U.K. taxpayer's kitty. More than 15 million computers around the world were ultimately affected by the worm.

You get the idea. There are sensible precautions that governments and their departments have to take to ensure that data, which more often than not ultimately includes information on their electorate and citizens, remains secure.

But they're not. Least of all the U.S., which should be setting an example.

Nobody can get data security quite right. Nobody has it dead-set perfect, and it's not an exact science. But there are steps to mitigate data breaches, security lapses, and even whistleblowing — to a greater or lesser extent — seeing as whistleblowing can go either way in regards to "the greater good of public knowledge" versus national security.

Just because the government is doing something, or not doing something, doesn't necessarily make it the right decision. And CIOs in the private and public sector should take note of the mistakes that others make in order to prevent their own foul-ups.

Yes, it may well be that the U.S. government is allowing a handful of people in the vast ocean of employees it has to run around with carte blanche access to do what they want. But all it takes is one. And, seeing as Snowden — love him or hate him, patriot or traitor — was in this position, it's perhaps time the U.S. smelled the coffee and woke up to the fact that in some cases, it has to be a one-policy-fits-all situation.

  • Yeah, USB ports bad, DVD drives good

    There is no absolute security. If one of us pesky users can get to a computer, we can get the information. What are you going to do, scan for eidetic memories -- "Sorry Dr. Von Neumann, put the CAC card down and step away from the computer"? Look, all this security BS does is make it harder and harder to get real work done -- you remember work, it pays the bills? I feel like the only reason I come to work any more is to run whatever insane "security" fixall the maroons at HQ heard about yesterday from some quack consultant or (dare I say it) alarmist blog. I remember, once upon a time a long long time ago, our crack security office decided to physically lock all the photocopiers after hours and on weekends. Except they didn't do a thing about the fax machines sitting right next to the copiers. Right now, for example, I can't download official photographs I take in the course of my official work using an official camera because the IT maroons are using Symantec to disable USB ports. Thanks for the official help, guys!
    • @vesicant

      The word you're looking for is "moron". Maroon is a color.
      • Bugs Bunny..

        used to call morons that. Stylized, surely. "What a maroon," he'd say as he slapped his knee.
        Reference here perhaps, or possibly just wording. I thought it was kitschy.
        • Sadly, Its a Racist Legacy

          In antebellum (pre Civil War, for readers not from the USA) Carolinas, the term referred to a group of mixed-blood outcasts eking out a living in the backcountry. The state governments eventually suppressed them largely because they provided a safe harbor for escaped slaves.

          When I found this out, it tarnished fond memories of many a Bugs Bunny cartoon.
          • Tarnished memories of Bugs Bunny? Really?? ...

            If you're that sensitive, then I suggest you swear off all fiction that pre-dated political correctness, say from 1980 backwards. You'll lose access to a century or so of classic humor and prose, but your sensibilities will remain intact.
          • They didn't know!

            If it took Google research in 2013 to find that out, I doubt whether the writers for Warner Brothers, or most other people, knew it in the 1930's. The word already had two other connotations, a shade of violet (like burgundy) and a verb meaning to get lost in some small, isolated part of nature with no way to get home (which MAY have come from the original "maroons" having to hide from "civilization"). The animators used it as a humorously incorrect variant of "moron" just for the sake of comedy.

            In Elizabethan England, darker-skinned people (not necessarily from sub-Saharan Africa) were referred to as Moors, the Muslim converts from today's Morocco and Algeria who had ruled Spain before the Reconquista of 1492. From "moor" to "maroon" is not that much of a stretch.

            Joke of the day: a tanker ship carrying blue paint and one carrying red paint collided in mid-ocean. What happened to the survivors? They were marooned.
          • Maroon

            Elmer Fudd was not dark skinned. The insult is not racial in nature. In fact the N word came from niggardly which meant cheap and originally was used to describe all cheap people, not just blacks. Words are not racist, people are.
          • Wow!

            You maroons are so easily distracted... We are talking about national security, security breaches, removable media... Sound familiar ADD club members?

            Try to keep up with the rest of the class.
          • It may not be a distraction...

            Perhaps Bugs Bunny and the variations of maroon/moron are all code for something we plebs don't understand.
          • The N word...

            an insulting alteration of "negro" (a perfectly respectable word that has fallen out of use over the past 50 years or so).
            John L. Ries
          • rubbish

            But keep spouting it. I await your forthcoming enlightenment on how Bugs' mispronouncing of "imbecile" to sound like im-bay-sil, was another racist legacy.

            Child Please.
        • whenever I saw that I wondered if someone on the team

          making the stories had once interacted with members of the commonwealth navies between WW1 and Korea and mis-noted the slang term often used for slow-thinking or poor-performing midshipmen and officer cadets; they were called macaroons after a sweet that was the cheapest sold in the canteens, as they often stocked up on them to fill their bellies due to the low cost.
          Deadly Ernest
        • you know, it could have been intended as a double joke

          of Bugs messing up calling Elmer a moron but getting the word wrong
          Deadly Ernest
      • Not always.

        If we're going to be nitpicky, realize that someone who is "marooned" on a deserted island has *not* had their skin changed to a deep reddish shade. And while it was technically a mispronunciation of the word "moron", the word "maroon" was used quite often in Bugs Bunny cartoons to refer to Elmer Fudd & other intellectually-challenged characters.

        Given the context, I would say he's channeling Bugs Bunny, rather than claim he's using poor grammar.
      • Um, no

        Thanks for the official help, though.
    • So it's not easy to download from your USB, it would be a lot harder

      if you had no job because the organisation closed down due to excessive costs caused by data theft; I've seen that happen with private companies and a government agency that got closed down and all staff were tagged for no promotion as they couldn't pinpoint the source of the leak. But as the article said, one data breach cost one organisation fifteen million pounds; that's a lot out of any budget.

      It is very rare for a PROPERLY trained security officer to advocate measures just for the fun of it; the trouble comes when some bureaucrat decides to extend the measure in an inappropriate way or to an inappropriate extent.
      Deadly Ernest
    • The difference is

      YOU do not have to make it easy for them to get so much data. Portable media should not be allowed.

      I used to work with Sikorski back in the '70's. You could not even get a 5 1/4" Floppy disk into their facilities.

      Of course, things have changed, we have to be efficient to the point of stupid.
      • MissType

        Late '80's ....
  • The real reason

    The real reason the government is ticked off about Snowden is that he showed how sloppy they are. How many other 29-year-olds (of more dubious loyalties) have access to the information that Snowden leaked? Contractors are lined up at the trough, sucking up the dollars from taxpayers who are afraid of their own shadows. The real secret they're protecting is how we're getting screwed.
    • 1.4 million Contractors with access to

      the nation's most guarded secrets do in fact sound pretty sloppy to me.