Limited-use policy requires approved hardware with unit commander’s OK.
Although the U.S. Defense Department has lifted its ban on the use of thumb drives, the new rule greatly restricts their use and empowers unit commanders with final authority over the application of removable data storage devices. The ruling also reflects an ongoing effort by the military to change its operational culture by raising awareness of cybersecurity issues.
The U.S. Strategic Command’s (STRATCOM’s) Joint Task Force–Global Network Operations (JTF-GNO), which is responsible for Defense Department network security, issued a communications tasking order allowing the limited use of removable data devices under very specific circumstances. The new rule is now in effect across the department. “We did not repeal the previous ban, and it is not, nor will it ever be, a return to what might be called ‘business as usual,’” maintains Robert Schrier, deputy chief of current operations, Deputy J-33, Joint Functional Component Command–Network Warfare (JFCC-NW)/JTF-GNO Consolidated Staff, Fort Meade, Maryland.
The rule places strict limitations on the use of removable data devices, also known as flash or universal serial bus (USB) drives. Schrier contends that the reason behind the decision to partially lift the ban is that there is now a greater awareness across the Defense Department about threats to government networks and the need to keep them secure.
Portable media devices will be used only as a last resort and only for operational mission requirements when all other options to transfer data have been exhausted. The emergency use of removable media will be permitted only on Defense Department computers that are in full compliance and possess the necessary hardware required to transfer the data safely. These requirements include using approved procedures and hardware to prevent unauthorized use. They also call for scanning flash drives to detect and/or remove any malicious software. To enforce the new order, random users and systems will be subject to periodic auditing.
“We’re only using properly inventoried and government-procured and -owned devices. You can’t bring your personal thumb drive that you use in your tent and use it for something else—it won’t work. It must be a government-procured device,” Schrier maintains. He adds that while specific subsets of USB/flash memory drives will be allowed for use in government information systems, personally owned devices will continue to be prohibited from all government networks and computers. He notes that if a non-authorized USB drive is inserted into a compliant computer, it will immediately be prevented from loading data. Likewise, all Defense Department-owned devices are prohibited from operating on nongovernment networks and computers unless the users have authorization from an approval authority, such as their unit commander.
There is no formal echelon cutoff for the rule. “Commanders at the unit level have it within their authority to determine what is in the best interest of their individual commands within the boundaries of the order. That’s commanders’ business, and we want that to be their business,” Schrier says. For example, a commander can choose whether or not his unit will use removable media.
Because the order has many steps in it, Schrier notes that there is a great degree of accountability built into the document. This accountability crosses all echelons, but it does not directly stipulate how commanders will carry out the order; that responsibility lies with them, he says.
Reiterating the order, Schrier maintains that flash media will only be used as a last resort to transfer information from one place to another and only when other authorized network resources are not available. The Defense Department’s combatant commands, individual services and agencies will establish their own approval authorities based on the responsibilities outlined in the communications tasking order to determine if flash media can be used in their organizations. “Just because we have said there’s a limited return to use, there may be some organizations that decide within their structure they will not allow any return to use, which is fine with us,” Schrier says.
To help enforce the new rule, STRATCOM has developed a process to scan, detect and remove malicious software from approved removable devices before data is transferred from one system to another. “We want to make sure that if someone has to transfer something from point A to point B, the file they want to transfer can go across and be transferred—that nothing extra gets transferred outside that file—and that no one can make a mistake and put the wrong device in the machine,” Schrier says.
Schrier shares that this electronic vetting process involved creating and setting security procedures in place. He adds that STRATCOM met with each of the services to demonstrate the new process to ensure that warfighters were comfortable before the written order was issued. “We didn’t just coordinate the written words of the order. We made sure that we coordinated the actual processes with all of the services,” he says.
The Defense Department decided to make removable media available again under strictly controlled conditions after it had tested the new mitigation procedures. Schrier explains that the department was aware that some key operational processes were affected by the ban on removable media, and adds that the military wanted to develop some means to allow these processes to operate more easily again.
However, he stresses that with all of the restrictions placed on USB drive use, it is a very limited policy. “If someone really wanted to use removable media, and they hadn’t read the new policy, when they do read it, they won’t be doing cartwheels and jumping for joy because it is easy,” he says.
In addition to the new rule, Schrier says that awareness of the computing environment within the Defense Department is now more heightened than in the past. Another factor behind the removable memory device rule is an ongoing effort to change the culture in the Defense Department regarding network and computer security. Under STRATCOM, the JFCC-NW/JTF-GNO Consolidated Staff is responsible for the operations and protection of the Defense Department’s information systems. Schrier says that to meet its mission goals, the staff focuses on three aspects: culture, conduct and capabilities. He explains that the limited return-to-use order for USB drives highlights all three of these areas.
On the cultural front, Schrier maintains that the Consolidated Staff will continue to expand the culture of cybersecurity consciousness across the Defense Department. In the case of the rule, he explains that the military is now fostering a culture where the use of removable media would not be considered outside of the limited circumstances in the order. “Culturally, we want people to be more aware and to really think of cybersecurity as a critical part of their warfighting capability,” he says.
Regarding conduct, Schrier says that every member of the Defense Department is now being held more accountable for their behaviors using military systems. He notes that operational commanders now are more involved in this process. “Those are two non-technical aspects right there that actually get you to much higher cybersecurity without actually changing technologically at all,” he says.
However, the department still is focusing on capabilities. What allowed STRATCOM to issue the limited return-to-use order was that new vetting and security capabilities were made available, Schrier contends. He adds that because the term “capabilities” can be misunderstood, the command did not simply develop purely technical capabilities, but also ensured that they were feasible operationally. Another key factor behind the rule was involving the services in the development process to permit them to test the new capabilities before the order was issued. For example, the Consolidated Staff conducted live demonstrations with the services covering every aspect of the order prior to its promulgation.
Culture remains an issue. Schrier believes that in the last 18 months a significant cultural shift has taken place in the Defense Department and that this change will continue in the right direction. “I see higher cultural awareness across the board,” he says.