That's the view of Joel Brenner, national counter-intelligence executive, who said he views the use of thumb drives on national security information systems as "the electronic equivalent of unprotected sex and the biggest sources of what I call ETDs, or electronically transmitted diseases."
Brenner, who was speaking at the 4th annual Multi-INT conference, sponsored by the Institute for Defense and Government Advancement in Vienna, Va., said thumb drives allow potential spies to steal more data than any spy in history, such as Aldrich Ames, Christopher Boyce, or Andrew Daulton Lee, who had to laboriously copy paper files before handing them over to Soviet intelligence agents.
Today, Brenner said, "You can walk into many corporate and government offices, slip a thumb drive into a USB port and download in seconds more information than all those traitors stole together. We've come a long way from Whittaker Chambers stuffing information in a hollow pumpkin."
Brenner also considers Apple iPods a security threat, even if they are never connected to a government network to download files. Brenner conceded that it would be nice for employees to use iPods in "classified spaces. But, it's also a recording device. The ear buds work real well that way. Or didn't you know that?"
While Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, is in no rush to lift the Defense Department's thumb drive ban in the near future, Brenner told his audience of intelligence professionals, "I'm not telling you to abandon these dandy devices. Inexpensive electronics have brought us massive productivity gains and convenience."
But, Brenner added, that convenience has to be balanced against potential vulnerabilities caused by "unwitting or careless" use of the gizmos.
It sounds like the intelligence community - unlike Defense - views its employees as responsible adults. How refreshing.



COMMENTS
USB removable Thumb Drives have no place in govt, banking, security, police, health, or any other place with sensitive data.
Great early post -
There is gun control at work and on federal property, we can have weapons at home and other non-posted areas. I retain my 2nd amendment rights and abide the law. Thumb drives pose an unacceptable risk to the government networks. This is not an individual's choice, nor is it up for vote. If you don't like it, don't compute on a government system. Using a thumb drive on a system without the system owner's permission is like rape. You can own a system, you can buy time on a public system, NO means NO on other people's (or government) systems. You're not the one who has to wash off the ETDs!
Kurt Warner 10/31/09 12:14 am ET
There is a valid reason for this restriction. It's a bit complex, but it's there. Honestly, 99% of users, and even most computer folks don't have the background to understand why it was done in the first place. You just have to trust that there is a reason, and deal with it.
If you really want to know, go to your classified network and find the order that prohibits it. Then look up all the jargon, and all the background knowledge that you need to understand the jargon.
NetSec 03/25/09 01:02 pm ET
There is gun control at work and on federal property, we can have weapons at home and other non-posted areas. I retain my 2nd amendment rights and abide the law. Thumb drives pose an unacceptable risk to the government networks. This is not an individual's choice, nor is it up for vote. If you don't like it, don't compute on a government system. Using a thumb drive on a system without the system owner's permission is like rape. You can own a system, you can buy time on a public system, NO means NO on other people's (or government) systems. You're not the one who has to wash off the ETDs!
AMS 03/09/09 03:09 pm ET
Interesting article, but USB port control software combined with Anti-Virus and encrypted USB devices can largely control this threat. In fact, remotely managed USB devices give you a very fine-grained ability to remotely control where data goes. Adding in USB port control software pretty much eliminates the threat described here, and keeps mobile workers empowered. Will NSA and DOD come out with some best practices for agencies to implement?
Just like "unsafe sex", "unsafe USB" can be prevented by some pretty cost-effective and well established technologies that have been available in the market for years.
IRONKEY 03/05/09 03:27 pm ET
i/o port control software has existed for over three years. It controls all i/o ports in terms of what can be uploaded or downloaded by permission, which can vary by group or individual. The software also does AV scans for all data coming on/off any drive - i/o port. Also only allows approved USB to be used so one cannot bring in their own USB and use it. Furthermore, users are barred from ever downloading certain document types. A lot of other functionality exists + HW encrypted USB. The problem with USB and other i/o ports is one of the govt. not buying the right technology, which has existed for years.
Brendan Curley 03/02/09 12:52 pm ET
A CD is limited to 700MB, DVD to 4GB and the burn process takes longer than downloading to a flash drive. Hopefully our security screening process works well enough to minimize inside threats. There are always the audit trails if they are properly configured.
Also, most people who infect the network with a thumb drive do so unwittingly. Technology to protect needs to catch up with the hackers and virus writers. It will always need to catch up because protection in IT is reactive, not proactive.
You can't relate gun ownership with thumb drives. "I" can check to see if my weapon is loaded without firing it.
AMS 03/02/09 11:33 am ET
I recently attended a five day seminar in which high ranking military and civilian members from the Office of the Secretary of Defense (OSD), Headquarters Department of the Army (HQDA), the Army's Assistant Chief of Staff for Installation Management (ACSIM), and the Installation Management Command (IMCOM), gave dozens of PowerPoint presentations. Strangely, all of the presentations were on thumb drives.
William K. Streiff 03/02/09 09:44 am ET
Though it's now well known that if I use a thumb drive on a government computer, I'm dead meat (the IT folks WILL know if we do it), I can still steal as much as I want by using the CD/DVD recording device that is still present on most government computers, whether unclassified, SMIL, or otherwise. In fact, many times when wanting to move documents from the unclassified system to the SMIL (a classified system), we do just that, though NEVER the other way around, hopefully. In summary, then, there are still massive holes in the security of our systems, and even without the thumb drives, massive amounts of information can be stolen by evil entities that have some heinous grudge against the government.
J P Castle 03/02/09 09:32 am ET
People who support the ban of thumb drives are also likely to support gun control. They have demonized the device instead of concentrating on those who would wrongly use the device. Those who want to steal data are still going to do it. Those who want to use guns to do evil are still going to find guns to do it, no matter how many are banned and/or collected.
Regulate the evil doers, not the devices!
John 03/02/09 08:06 am ET