Military Ban Goes Too Far...and Not Far Enough
Private First Class Bradley Manning fired the shot heard around the cyber world when he shared confidential data with WikiLeaks. In response to the data breach, the United States military is implementing new policies governing removable media that are draconian in some ways, yet may not really solve the problem.
Ironically, it is a leaked document obtained by Wired that reveals the new military ban on removable media--perhaps a testament to the weakness of the policy before the policy even gets in gear. Wired's Danger Room quotes the military order, "Unauthorized data transfers routinely occur on classified networks using removable media and are a method the insider threat uses to exploit classified information. To mitigate the activity, all Air Force organizations must immediately suspend all SIPRNET data transfer activities on removable media."
I am a little surprised that removable media was ever allowed without strict supervision in the first place. When I was in the United States Air Force--way back in the early 90's--my shop had a ban on listening to music thanks to some infinitesimally small possibility that signal intelligence could somehow feedback through the speakers and could somehow be picked up by enemy agents from the parking lot of our hardened underground bunker. There was never any discussion about how these enemy agents were supposed to have access to the parking lot on a secure base, but that is another story.
Given that level of paranoia twenty years ago, it seems that banning the use of uncontrolled removable media would be a no-brainer. But, I suppose a lot has changed over the last two decades regarding computer technology and the Internet, and the military--like many organizations--is still struggling with striking the balance between embracing the communications and productivity benefits while managing the information security risks. Apparently, it's a work in progress.
So, the military suspends all data transfer activities on removable media. The extreme response--accompanied by the threat of court-martial--will most definitely mitigate the risk of unauthorized data exposure, but it will also impede the efficiency and productivity of military members. USB thumb drives in particular represent one of the greatest risks, but are also in some ways mission-critical for getting data from Point A to Point B.
The response is a bit like all of the smoke and mirrors security travelers are subjected to by the TSA at airport security checkpoints. The lengthy lines of barefoot travelers, and apparently meticulous scanning provide a façade of protection that makes some feel safer. However, I have had TSA randomly select my bag for further inspection and still miss hair gel or other items that I mistakenly forgot to pull aside in little three ounce containers in a ziplock bag. So, color me skeptical about TSA actually stopping a real attack.
Similarly, if the military ban is just a policy--without any monitoring or security controls to back it up--it still won't prevent someone with authorized access from storing and sharing classified data should they choose to do so. There is already a military rule against exposing classified information, and the threat of court-martial appears to have had little effect on Manning's actions. And, the fact that backup tapes, backup discs, and removable hard drives are still in use provides ample opportunity for gigabytes of classified data to be lost or stolen.
The military policy is good--but it's too broad and it's just a start all at the same time. The military should restrict the use of removable media, but allow it for specified roles or under certain authorized scenarios so that the policy does not get in the way of legitimate data transfer needs.
At the same time, the military should be using all of the tools at its disposal to monitor and control sensitive information. Rights Management Services on Windows PCs can be used to limit or restrict what authorized users are able to do with data once they have accessed it--preventing the data from being forwarded or printed, or even revoking access to the data after the fact. There are also third-party tools that can block sensitive information from being transferred to unauthorized removable media, or encrypt data on servers and backup media to prevent unauthorized access.
The WikiLeaks exposure of classified information is a very serious data breach for the military--and one that requires the military to examine its information protection policies and procedures. But, what is needed is a reasonable and effective response, not one that throws the baby out with the bath water and ultimately falls short of the goal like TSA airport security.