Pentagon's failed flash drive ban policy: A lesson for every CIO

If CIOs are looking at government data management and security policies to set an example, they should think again. Despite a series of NSA leaks, the U.S. Dept of Defense allows 'thousands' of staff to use portable storage drives.
Written by Zack Whittaker, Contributor

From the Reuters news agency on Saturday:

(Reuters) — The Pentagon has granted many exceptions, possibly numbering in the thousands, to allow staff members who administer secure computer networks to use flash drives and other portable storage devices, department spokesmen say. [...] But officials say waivers go to people who update software and run helpdesk services for the Pentagon's vast computer network and are needed to run the system efficiently.

Yeah, that's a thing, apparently.

Despite a number of leaks already flowing out of the U.S. government — notably the National Security Agency and PRISM leaks, and so on and so forth — the U.S. Department of Defense is allowing possibly "thousands" of staff to ignore the rules on portable storage devices on secure government machines for the sake of efficiency.

Which is fine. You know, it's not as though the U.S. is pumping pretty much every resource into tracking down a former U.S. intelligence agency contractor, who leaked documents that may have jeopardized national security by revealing a mass dragnet surveillance program, whose location at the time of writing remains unknown.

Exactly how Edward Snowden leaked the documents to U.K. and U.S. newspapers remains unclear. The chances are that it was by plugging in a USB stick and downloading sensitive and classified materials for his later perusal.

It's like the U.S. hasn't learned a thing from one whistleblower to another.

Take Pvt Bradley Manning, who's currently holed up in a military court awaiting his fate. He was able to download vast quantities of secure and sensitive data from government networks onto a disc disguised as a copy of Lady Gaga's at-the-time latest album and leak it to whistleblowing site WikiLeaks. That was a massive data breach that caused the U.S. government a huge amount of embarrassment with its allies and frenemies around the world.

Three years on, there's been a clampdown across government departments, including the military. And in response to this, smartphones and tablets sans removable storage, such as iPhones and iPads, have also garnered support across the public sector, thanks to their built-in, non-removable storage, which helps prevent physical data theft.

But it's not enough. It's far from enough, and it's likely the reason why data was leaked in this instance. Whether it was a whistleblower or a careless mistake — who hasn't accidentally emailed a top secret document to a Guardian journalist? — it would have happened eventually.

Removable storage policies, as boring as they sound, aren't just about keeping data in. They're also designed to keep bad data out, such as malware.

In 2009, at the height of the Conficker worm outbreak, the U.K. Houses of Parliament suffered a worm attack when Conficker spread across its networks. The cause? An unauthorized USB flash drive, which ultimately cost millions of pounds to clean up, and left a small but costly dent in the U.K. taxpayer's kitty. More than 15 million computers around the world were ultimately affected by the worm.
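The two failure modes above (data walking out on a stick, and a worm walking in on one) both start with a mass-storage device being plugged into a machine where policy says it shouldn't be. A policy that grants waivers only works if someone can tell the waivered devices from everything else. The following is an added example, not code from the original column or from any government agency: a small Python audit that parses Linux kernel log lines for USB mass-storage attachments, correlates them with the device's vendor/product IDs and serial number, and flags any device that is not on a documented waiver allowlist. The log lines, hostnames, device IDs, serial numbers and the allowlist are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample syslog/kernel lines (not from any real system). A SanDisk
# stick, a wireless mouse receiver and a Kingston stick are plugged in, in that order.
SAMPLE_LOG = """\
Jun 22 09:14:01 ws-17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jun 22 09:14:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jun 22 09:14:01 ws-17 kernel: usb 1-1: Product: Ultra Fit
Jun 22 09:14:01 ws-17 kernel: usb 1-1: SerialNumber: 4C530001234567890001
Jun 22 09:14:01 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jun 22 09:20:33 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jun 22 09:20:33 ws-17 kernel: usb 1-2: Product: USB Receiver
Jun 22 09:20:33 ws-17 kernel: input: Logitech USB Receiver as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input9
Jun 22 10:02:45 ws-17 kernel: usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jun 22 10:02:45 ws-17 kernel: usb 1-3: Product: DataTraveler 3.0
Jun 22 10:02:45 ws-17 kernel: usb 1-3: SerialNumber: 0019E0ABCDEF
Jun 22 10:02:45 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Constructed allowlist: (vendor_id, product_id, serial) of devices issued under a
# documented waiver. In practice this would come from the asset register.
WAIVERED_DEVICES: Set[Tuple[str, str, str]] = {("0781", "5583", "4C530001234567890001")}

NEW_DEVICE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass(frozen=True)
class StorageAttach:
    timestamp: str
    host: str
    port: str
    vendor_id: str
    product_id: str
    serial: Optional[str]


def parse_storage_attachments(log_text: str) -> List[StorageAttach]:
    """Return one record per USB device that the usb-storage driver bound to.

    Keyboards, mice and other non-storage devices are enumerated but never
    reach a 'USB Mass Storage device detected' line, so they are not reported.
    """
    pending: Dict[str, dict] = {}  # port -> enumeration details seen so far
    found: List[StorageAttach] = []
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            pending[m["port"]] = {"ts": m["ts"], "host": m["host"],
                                  "vid": m["vid"], "pid": m["pid"], "serial": None}
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in pending:
            pending[m["port"]]["serial"] = m["serial"]
            continue
        m = STORAGE_RE.search(line)
        if m:
            info = pending.pop(m["port"], None)
            if info is None:
                continue  # storage binding without a preceding enumeration line
            found.append(StorageAttach(info["ts"], info["host"], m["port"],
                                       info["vid"], info["pid"], info["serial"]))
    return found


def audit_removable_storage(log_text: str,
                            allowlist: Set[Tuple[str, str, str]]) -> List[dict]:
    """Classify every mass-storage attachment as 'allowed' (waivered) or 'unauthorized'."""
    results = []
    for dev in parse_storage_attachments(log_text):
        key = (dev.vendor_id, dev.product_id, dev.serial or "")
        results.append({
            "timestamp": dev.timestamp,
            "host": dev.host,
            "port": dev.port,
            "device": f"{dev.vendor_id}:{dev.product_id}",
            "serial": dev.serial,
            "verdict": "allowed" if key in allowlist else "unauthorized",
        })
    return results


if __name__ == "__main__":
    for event in audit_removable_storage(SAMPLE_LOG, WAIVERED_DEVICES):
        if event["verdict"] == "unauthorized":
            print(f"{event['timestamp']} {event['host']}: unauthorized removable storage "
                  f"{event['device']} serial={event['serial']} on port {event['port']}")
```

Keying the allowlist on the serial number rather than just the vendor/product pair matters: a waiver for one model of stick should not silently cover every stick of that model an employee brings from home. Running the audit over collected logs is the cheap way to learn how many "exceptions" a policy really has, which is exactly the number the Pentagon spokesmen could only put at "possibly thousands".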

You get the idea. There are sensible precautions that governments and their departments have to take to ensure that data, which more often than not ultimately includes information on their electorate and citizens, remains secure.

But they're not. Least of all the U.S., which should be setting an example.

Nobody can get data security quite right. Nobody has it dead-set perfect, and it's not an exact science. But there are steps to mitigate data breaches, security lapses, and even whistleblowing — to a greater or lesser extent — given that whistleblowing can cut either way when it comes to "the greater good of public knowledge" versus national security.

Just because the government is doing something, or not doing something, doesn't necessarily make it the right decision. And CIOs in the private and public sector should take note of the mistakes that others make in order to prevent their own foul-ups.

Yes, it may well be that the U.S. government is allowing a handful of people in the vast ocean of employees it has to run around with carte blanche access to do what they want. But all it takes is one. And, seeing as Snowden — love him or hate him, patriot or traitor — was in this position, it's perhaps time the U.S. smelled the coffee and woke up to the fact that in some cases, it has to be a one-policy-fits-all situation.
