To many in the U.S. military, the 2-month-old ban on flash memory devices throbs like a sore thumb.
Equipment maintenance personnel used to load digital repair manuals into thumb drives and carry thousands of pages of technical data in a coverall pocket.
Pilots would plan missions on computers in their operations room, store the plan in a thumb drive, then transfer it to their aircraft computers.
Photos, PowerPoint presentations, briefings, videos, maps, documents and all manner of digital data was stored, shared and transferred from computer to computer using thumb drives.
In Iraq and Afghanistan, they proved impervious to dust.
"They were kind of GI-proof," said Jon Anderson, a spokesman for the Defense Information Systems Agency. "Everybody used them. They were such a convenience factor."
But that stopped in late November when the U.S. Army discovered that thumb drives and other flash memory devices were being used to spread computer viruses, worms and other "malware." The Army promptly banned them, and the rest of the U.S. military followed suit.
"Over 40 percent of all viruses and worms are transferred from one computer to another by removable media like thumb drives," the Air Force said in a Nov. 25 notice announcing its ban.
There was another problem, too. Thumb drives were easy to lose and easy to steal. For example, drives containing sensitive military data turned up for sale in an Afghan bazaar outside Bagram air base - along with binoculars, compasses, uniform parts and other apparently pilfered gear.
Still, it was hard when the military signaled thumbs down on thumb drives.
"It was very disruptive on the day the ban was announced," said a security contractor who was at a military facility when word arrived.
The threat isn't just confined to thumb drives. Malicious software can be transferred by other forms of external memory: external hard drives, cell phones, digital cameras, memory cards, digital music players and personal digital assistants. So the Air Force announced that "none of these devices can be connected to a government computer."
Instead, troops are coping with awkward work-arounds. Some e-mail files to themselves when they need to transfer them to a different computer. Others use writeable compact disks, Anderson said.
Meanwhile, the military is examining solutions that may make it safe to use handy thumb drives again.
If any of the safeguards are going to work, they will involve much tighter security, industry experts say. They're likely to include:
■ Port controls that stop unapproved external devices from working when plugged into Defense Department computers.
■ Encryption and passwords on thumb drives and other flash memory devices to make data stored on them unreadable to outsiders.
■ Automatic scanning for malware.
The most comprehensive clampdown would involve installing enterprise-wide port control software.
At its most basic, port control renders computer USB ports inoperable. Computer switch maker Avocent, for example, offers a "USB lockdown feature" that blocks all USB devices except keyboards, mice and common access card readers.
"If a thumb drive or other USB device is inserted into a Secure Switch USB port, simply nothing happens," the company said.
But port control software can be a lot more sophisticated, too, said Pete Morrison, vice president for North American sales at Credant Technologies.
Besides simply blocking USB ports, Credant has developed software that will disable auto-run functions and executable files on flash memories, thus preventing them from installing malware on the computers they're plugged into.
Credant's Protector system can also be set to let only approved USB devices work. Or it can be set to let only certain devices work on certain computers when plugged in by certain users. It can also inspect files by type and allow or block them from being transferred from external devices. And it can be set to keep logs of system user activity, Morrison said.
Port controls protect computers and the networks they're connected to against infection by malware, but it doesn't solve the problem of sensitive information being disclosed because flash drives are lost or stolen.
For that, there's encryption.
A number of companies make flash drives that automatically encrypt the data that's stored on them.
SanDisk, for one, says that "rather than rely on users to secure files," some of its thumb drives "impose mandatory access control on all files, storing them in a hardware-encrypted, password-protected partition. This secures all stored data in the event of drive loss or theft."
SanDisk also offers thumb drives that actively scan files for viruses and malware, said Eric Krauss, of SanDisk's Enterprise Division.
Another thumb driver maker, IronKey, touts its product as "the world's most secure flash drive." It encrypts data and requires a password for unencryption, it contains anti-malware software that is automatically updated, and it can be disabled remotely to stop "rogue" employees from using it improperly, the company says.
The Defense Department is examining these and other technologies in an effort to improve computer and network security and again permit the use of flash drives, vendors say.
"Ultimately, the government will allow them to be used again. It's just not practical not to let them be used," Credant's Morrison said.
Because they are convenient and improve productivity, it will be difficult to maintain a ban on thumb drives. "It makes more sense to make sure that the information on them is encrypted and that you have some control on devices to protect against malware," he said.
Last fall, SanDisk predicted that the military's flash drive ban would be "short-term."
The military has been investigating solutions, and "you'll see a decision being made," said Krauss. "They're going to put more tools in place to manage what gets plugged in, they'll deploy scanning capabilities," and it is likely that at least some kinds of flash drives will be permitted again, he said.
"It would be wonderful to be able to use them again," DISA's Anderson said, but he seems less certain. "The prime concern isn't my convenience; it's the safety of the network."
The Army's Future Combat Systems (FCS) program is ready to test a few components that soldiers may have in their hands by 2010.
Help
