Computing Rules Change, Security Concerns Still Remain
Although the U.S. Defense Department keeps its finger on the pulse of secure communications, it's cautiously easing up on its banning of thumb drives. That's not to say the department is becoming lax, however, because it has imposed tight restrictions on the use of these and other portable data storage devices. Better to keep the pressure cuff on than to end up having to stanch the potential flow of classified information into the hands of the enemy if a device is lost or stolen. In this issue of SIGNAL Magazine, Henry S. Kenyon describes the department's efforts to stay in step with 21st century cyberspace while being mindful of its security. In his article, "Permission Granted for Some Removable Media," Kenyon takes the questions straight to the command in charge of Defense Department network security: STRATCOM's Joint Task Force-Global Network Operations (JTF-GNO). USB drives and flash and thumb drives will be used only as a last resort, says Robert Schier, deputy chief of current operations, Deputy J-33, JFCC-NW/JTF-GNO. They'll also be restricted to department computers complying with all security requirements:
We're only using properly inventoried and government-procured and -owned devices. You can't bring your personal thumb drive that you use in your tent and use it for something else-it won't work. It must be a government-procured device.
Another important caveat: Defense Department-owned devices won't work on nondepartmental computers unless users receive authorization. No specific hierarchy exists, but commanders make the call for their own organizations. STRATCOM enforces the rules with a process that scans, detects and removes malicious software from approved removable devices before data is transferred from system to system. Defense Department leaders had their "lightbulb moment" after the department tested new mitigation procedures. Officials realized previous restrictions were hampering their access to developing cyberspace technologies, so they had to find a way to move forward without jeopardizing data and systems. It's a shift in thought processes as well, with staff exposed to and trained in a new paradigm that recognizes technology's march forward while emphasizng personal accountability. Schrier says this initiative is going on now:
Culturally, we want people to be more aware and to really think of cybersecurity as a critical part of their warfighting capability.
Staffers have participated in live demos, with the services covering all aspects and scenarios involving the use of removable media devices-a necessary first step before releasing the revised guidelines. Security is the lifeblood of Defense Department operations, and the department is making strides to improve connectivity and to keep pace with technology. But can such a far-reaching organization relax its protocol even slightly and still trust that rules will be followed? Will the people involved buy in to the new culture and make it work? Tell us your thoughts; give us your suggestions.