Defense allows flash media on systems only as a 'last resort'

A new order issued by the command in charge of the military's cyber defense is a return to a policy of using removable devices under specific circumstances and guidelines.

Vice Adm. Carl Mauney told Nextgov the new order "is not a repeal of the previous ban" on USB devices.

The Defense Department announced on Thursday that troops and commanders are allowed to use flash media, including USB and thumb drives, under limited circumstances and only as a "last resort for operational mission requirements," the deputy commander of the U.S. Strategic Command said in a statement.

The announcement is the latest clarification of Defense's flash media policy since STRATCOM, which has responsibility for the military's cyber defense, banned the use of all flash media in November 2008. The prohibition was in response to adversaries using devices such as thumb drives to attack Defense networks, infecting them with malicious software.

Vice Adm. Carl Mauney, STRATCOM deputy commander, said a communications tasking order sent to Defense commands on Feb. 12 informed them that they can use flash media only to transfer data for operational requirements "when other means of transferring data are not available."

Mauney did not define what operational mission requirement threshold must be met before someone could use flash media. But Rob Carey, the Navy's chief information officer, provided a list of tasks that met the criteria in his blog in September 2009.

Thumb drives "are often used for deploying operating system patches, anti-virus updates and other large data transfers in bandwidth constrained environments (e.g. shipboard/tactically deployed)," Carey wrote.

Some media reports on Thursday characterized the new order as a repeal of the flash media ban. But Mauney emphasized in a statement e-mailed to Nextgov that it "is not a repeal of the previous ban but a return to limited use of removable devices under very specific circumstances and guidelines. This is not a return to 'business as usual.' There remain strict limitations on using these devices."

The four services, combatant commands and Defense agencies will now have to determine whether selected flash media can be used within their organizations and comply with the new order, Mauney said.

He added that only properly inventoried, government-procured and -owned devices will be allowed on Defense's information systems. Personally owned devices, such as thumb drives used by deployed troops in the field to transfer data or thumb drives used by Defense commanders to store briefing slides, will continue to be prohibited on all military networks and computers.

Sue Pontius, president and chief executive of Spyrus Inc., a manufacturer of security products based in San Jose, Calif., said the company's USB encryption drives are one of the few products that the National Security Agency has approved on Defense networks. The product meets the Federal Information Processing Standards 140-2 standard. It also incorporates an elliptic curve algorithm that supports public key cryptography and a hashing algorithm for improved data protection, she said.

SPYRUS is among a handful of vendors of hardware-encrypted secure storage that have been working with STRATCOM's Joint Task Force-Global Network Operations group to define the security needed to prevent malware from infecting removable storage devices and migrating onto networks.

In the meantime, troops and commanders can use only selected removable devices once all requirements for compliance are met. Mauney said that includes:

-- Using approved procedures and hardware that prevent unauthorized use, and scanning, cleaning and wiping the devices to remove malicious software;

-- Restricting use to operational mission requirements;

-- Prohibiting Defense-procured and -owned devices on nongovernment networks or computers without authorization from an approval authority;

-- Using flash media solely as a last resort to transfer data from one location to another, or when other authorized network resources are not available;

-- Auditing randomly selected users and drives periodically.

Mauney's statement and the order dovetail with Carey's policies on the limited use of flash media on Navy networks. "In the future, we expect that a government-owned and procured USB flash media that is uniquely and electronically identifiable for use in support of mission-essential functions on Defense networks," Carey wrote in his blog post.

The Navy and Marine Corps are upgrading applications to detect and alert officials to viruses and malware, and removing them from systems, he added. The service also is developing controls that deny network access to unauthorized USB flash media and revising operating procedures for scanning and cleaning flash media.

"The days of using personally owned flash media or using flash media collected at conferences or trade shows are long gone," Carey wrote. "What we connect to our home PCs is very different from what is and will be allowed to occur on [Navy Department] networks.

"I expect (and support) that only approved, identifiable flash media of known origin will be permitted for use; and only by authorized and trained personnel, in support of mission-essential functions that could not be performed via nonflash media means."
