As part of the ongoing WikiLeaks fall-out, the US Defense Department has issued a Cyber Control Order that instructs military personnel to "...immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET." Given that much of the data in WikiLeaks originated in SIPRNET, this order is a natural reaction. For readers interested in how SIPRNET functions, this article provides an excellent overview.
This order prohibits the use of any removable media (such as USB thumb drives or CDs) on all systems and threatens court-martial for any military person who uses such removable media. This move appears drastic but not surprising, given the urgency to minimize further WikiLeaks-type incidents. The problem is that this order will not completely prevent future insider attacks and threats. The ban closes one attack vector, but it leaves other attack vectors open. For instance, insiders could email documents to themselves and, if they possess a smartphone, download those documents onto the smartphone's removable media at a later date. Or they could email content to a Gmail or Hotmail account.
The US Government has had a difficult relationship with computer hardware. Twenty years ago, a US government lab auctioned off a 5-ton outdated Cray supercomputer for $10K as salvage office equipment. The government neglected to remember that the Cray contained at least $25K in salvageable copper and 24-carat gold (gold was used on the circuit cards because it is an excellent conductor), enabling the buyer to make a nice profit.
More recently, the Office of the Inspector General audited NASA and found that NASA improperly disposed of hard drives and other computer media. Some of the drives containing sensitive data may have been sold off to the secondary market. This provides another data point that prohibiting removable media does not solve the insider threat.
The purpose of this blog is not to show how many other mechanisms could be used to subvert the removable media ban, but merely to demonstrate that organizations of all types must get serious about mitigating security threats and understand that a step such as banning removable media does not solve the insider problem. Organizations could look to solutions like DLP (data loss prevention) that can classify data and detect and prevent moving data to a USB drive, while still allowing the USB drive to function for legitimate business purposes.
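To make the DLP idea concrete, here is an added example (not code from the original post or from any DLP product) of the policy logic such a control applies: classify content by sensitivity marker, allow the copy when either the content is public or the destination is not removable media, and block and log it otherwise. The marker strings, the mount-point prefixes and the sample documents are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sensitivity markers, ordered from most to least sensitive.
# A real deployment would take these from its own classification scheme.
MARKERS = [
    ("restricted", re.compile(r"\bRESTRICTED\b")),
    ("internal", re.compile(r"\bINTERNAL USE ONLY\b")),
]

# Path prefixes assumed (for this example) to be removable-media mount points.
REMOVABLE_MOUNTS = ("/media/", "/mnt/usb", "/Volumes/")

# Append-only audit trail of blocked copies, for the detection side of DLP.
AUDIT_LOG: list = []


@dataclass
class Decision:
    allowed: bool
    label: str
    reason: str


def classify(text: str) -> str:
    """Return the most sensitive label whose marker appears in the text, else 'public'."""
    for label, pattern in MARKERS:
        if pattern.search(text):
            return label
    return "public"


def is_removable(dest_path: str) -> bool:
    """True when the destination lies under a removable-media mount point."""
    return any(dest_path.startswith(prefix) for prefix in REMOVABLE_MOUNTS)


def check_copy(content: str, dest_path: str, user: str = "unknown") -> Decision:
    """Decide whether copying `content` to `dest_path` is permitted under the policy.

    Public content may go anywhere, so the USB drive keeps working for
    legitimate use; labelled content is blocked only when the destination is
    removable media, and every block is recorded for review.
    """
    label = classify(content)
    if label != "public" and is_removable(dest_path):
        reason = f"blocked {label} content -> removable media {dest_path}"
        AUDIT_LOG.append({"user": user, "label": label, "dest": dest_path})
        return Decision(False, label, reason)
    return Decision(True, label, "allowed")


def demo() -> list:
    """Run the policy over constructed sample copies and return the decisions."""
    samples = [
        ("Quarterly newsletter: picnic on Friday.", "/media/usb0/news.txt"),
        ("RESTRICTED\nDeployment schedule for next quarter.", "/media/usb0/plan.txt"),
        ("RESTRICTED\nDeployment schedule for next quarter.", "/home/alice/plan.txt"),
        ("INTERNAL USE ONLY - draft budget", "/Volumes/KEY/budget.xlsx"),
    ]
    return [check_copy(text, dest, user="alice") for text, dest in samples]


if __name__ == "__main__":
    for d in demo():
        print(f"{'ALLOW' if d.allowed else 'BLOCK':5} [{d.label}] {d.reason}")
    print(f"{len(AUDIT_LOG)} event(s) in audit log")
```

The important design choice is that the decision keys on the content's classification and the destination together, not on the device alone: the same drive is usable for the newsletter and blocked for the restricted plan, which is the distinction a blanket media ban cannot make.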