June 22, 2013
WASHINGTON (Reuters) – The Pentagon has granted many exceptions, possibly numbering in the thousands, to allow staff members who administer secure computer networks to use flash drives and other portable storage devices, department spokesmen say.
The exceptions to policies barring the use of such devices could make it easier for rogue employees to remove sensitive documents. But officials say waivers go to people who update software and run helpdesk services for the Pentagon’s vast computer network and are needed to run the system efficiently.
The U.S. government’s handling of sensitive documents has come under scrutiny since Edward Snowden, a systems administrator for a contractor with the National Security Administration, copied classified materials at a Hawaii installation and leaked them to the news media.
Snowden used a simple flash drive to store the materials, according to a government source close to the investigation.
Storage devices have been a concern at the Defense Department since the 2008 Buckshot Yankee incident, in which a malicious software worm known as agent.btz was uploaded to military networks by a thumb drive.
Then-Deputy Secretary Bill Lynn declassified the incident in 2010 and U.S. Cyber Command, which was established in the wake of Buckshot Yankee, banned the devices.
About that same time, according to prosecutors, Private Bradley Manning, an Army intelligence analyst, copied thousands of documents onto CDs and a digital camera card and leaked them to the anti-secrecy website WikiLeaks.
Since then, the Pentagon has bolstered efforts to prevent removal of classified data, Lieutenant Colonel James Gregory said. The department is in 100 percent compliance with directives to disable or tightly control use of removable media devices on the Pentagon’s secure network, he said.
That means most users have restricted profiles and their computers do not recognize flash drives and other devices, like BlackBerrys, that may be plugged into USB ports, Pentagon spokesmen say.
The different military branches also have established programs to control and track personnel authorized to download data from the secure network, they say. Automatic systems instantly report if someone connects an unauthorized device, or inappropriately uses credentials for accessing the system.
While use of flash drives is largely barred, exceptions are granted to systems administrators who install software and manage helpdesk services for the department’s millions of computers and nearly 600,000 mobile devices in some 15,000 networked groups.
Lieutenant Colonel Damien Pickart, a Pentagon spokesman, said the department was unable to specify how many exceptions had been given because authority is delegated to smaller units within the service and is not tracked at the department level.
Given the size of the system, it could be in the thousands, he said.
Steven Bucci, a former Pentagon official and now a cyber security expert for the conservative Heritage Foundation think-tank, said a computer network the size of the Pentagon’s needed a large number of administrators at different levels to run efficiently.
Concentrating access and control in the hands of a small number of people could create even bigger risks if one of the trusted few decided to divulge information, he added, because they would have been exposed to a wider array of information.
“There is a certain point where you have to start trusting people and that becomes a very imperfect system,” he said. “If you have a malicious insider – someone who has the authority to do stuff but then decides to violate the rules – you’ve got a problem, and there’s … very little you can do to stop that.”
Decisions on who gets waivers are made by colonels or generals who have been granted that authority for their installations, brigades or other units, Pentagon officials said.
The Pentagon declined to comment on Snowden’s case, citing an ongoing criminal investigation.
Bucci said that after the Manning case, the Pentagon tightened network security about as far as it could.
“What it comes down to then is the leadership, trying to watch your people, listen for those signals,” he said. “But, heck, I mean even if you’ve got the best, most competent leaders and supervisors in the world, sometimes you’re still going to miss those people.”