In a recent article in Foreign Affairs, US Deputy Secretary of Defense William Lynn wrote about the threats to classified US military computer networks. The article was spurred by the recent revelation that in 2008, the Department of Defense suffered a major breach in its networks from a USB drive that was infected with malware. The malicious code was put there by a foreign intelligence agency and uploaded onto a network run by the US Central Command from a laptop. This caused a major review of policies within the military that eventually banned removable USB flash drives from the Pentagon and other military environments.
In the spring I wrote about USB drives being left in dry cleaners across the UK and talked about how carelessness can lead to data breaches. I wouldn’t say the US military breach was carelessness, but I don’t think they appreciated the seriousness of something so innocuous as a USB drive.
It’s a simple, convenient device that makes most of our lives easier. Unfortunately because it’s so prevalent, most of us don’t think of it as a potential security hole. We tend to focus on bigger things, like protecting our laptops and our servers. The reality is that many data breaches are caused by using simple methods. For the same reason that locking your front door will deter most criminals, locking your systems against basic attacks will deter a lot of hackers. If you use a USB drive to share files, make sure your computer runs antivirus/anti-malware software on it as soon as you attach it to the computer.
The problem with high profile targets like the Pentagon is that we are no longer talking about your basic hackers or simple attacks. It’s no longer the teenager in a basement that’s the threat. Stealing confidential information is big business and the current threats are from organized crime and governments. In the old days, government spies would steal secrets on paper. Today they compromise networks through electronic means. Even though the US military has layers of security to prevent a sophisticated attack from compromising their networks, they weren’t thinking about the simple case of an infected USB drive.
According to a summary of William Lynn’s article, “Right now, more than 100 foreign intelligence organizations are trying to hack into the digital networks that undergird US military operations. The Pentagon recognizes the catastrophic threat posed by cyberwarfare, and is partnering with allied governments and private companies to prepare itself.”
The issue addressed is not simply one of technology. The US military changed their policy on USB drives and had to train it’s employees and partners on acceptable use. This is a good lesson for any business today. Review your policies on computer and network use to ensure that you don’t have any obvious security holes and then train your employees, customers and partners on acceptable use of these tools. Technology is important, but a simple violation of policy can cause as many problems as a computer virus.
Photo credit Ambuj Saxena