DOD lifts ban on USB drives

The Defense Department has lifted its 15-month-old ban on USB drives and other portable media, a restriction that had made life difficult for DOD personnel.

The ban was issued in November 2008 by the U.S. Strategic Command after a virus, a variation of the SillyFDC worm, was found to be spreading through military networks by copying itself from one removable drive to another. The ban covered all forms of USB flash media, such as thumb drives, memory sticks and cards, and camera memory cards, as well as some other removable media.

Related story:

DOD bans removable drives due to virus

However, the drives are useful for storing and transferring data, particularly in field locations with little or no bandwidth, so DOD officials began looking for ways to lift the restriction.

Navy Department Chief Information Officer Robert Carey wrote in his blog in October 2009 that his staff was working with a team from the Defense-wide Information Assurance Program to establish the minimum requirements for network security, in anticipation of lifting the ban.

“Although policy and processes were in place to facilitate the safe use of USB flash media, they were not being followed,” Carey wrote. “Unfortunately, it was our bad IT hygiene that resulted in the ban of this all too flexible use of storage media.”

However, Carey wrote, removable drives were too useful to allow the ban to continue for too long. “Such media provide a simple, inexpensive, reusable and ubiquitous means for transferring information between computers and servers on both public and private networks,” he wrote. “USB flash media are often used for deploying operating system patches, antivirus updates, and other large data transfers in bandwidth constrained environments,” such as aboard ships and in deployed areas.

Tom Conway, director of federal business development for security company McAfee, said new rules for using removable media would likely accompany the lift of the ban.

“Based on how the military is looking at [information technology] in general, there is going to be a lot more accountability,” he said. That could include control over who is allowed to use the devices, steps to ensure they are used in compliance with security practices, and enforcement if the devices are used improperly, he said.

“It’s a prudent first step,” Conway said. “But it’s not the only thing they can do.” He said portable flash drives are available with biometric authentication in addition to password protection, and some can be used with DOD’s Common Access Cards. He said DOD could establish defensewide security standards, but allow individual units, such as those in deployed areas, to increase security levels if needed.

In December, McAfee and Northrup Grumman signed a $9.7 million contract to secure 5 million DOD desktop and notebook PCs and servers via a host-based security system, which provides a top-level view of cybersecurity.

The lift of the ban was first reported by InsideDefense.com (subscription required). Wired magazine reported that the ban had been lifted on all forms of removable media.