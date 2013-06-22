By David Alexander
| WASHINGTON, June 22
many exceptions, possibly numbering in the thousands, to allow
staff members who administer secure computer networks to use
flash drives and other portable storage devices, department
spokesmen say.
The exceptions to policies barring the use of such devices
could make it easier for rogue employees to remove sensitive
documents. But officials say waivers go to people who update
software and run helpdesk services for the Pentagon's vast
computer network and are needed to run the system efficiently.
The U.S. government's handling of sensitive documents has
come under scrutiny since Edward Snowden, a systems
administrator for a contractor with the National Security
Administration, copied classified materials at a Hawaii
installation and leaked them to the news media.
Snowden used a simple flash drive to store the materials,
according to a government source close to the investigation.
Storage devices have been a concern at the Defense
Department since the 2008 Buckshot Yankee incident, in which a
malicious software worm known as agent.btz was uploaded to
military networks by a thumb drive.
Then-Deputy Secretary Bill Lynn declassified the incident in
2010 and U.S. Cyber Command, which was established in the wake
of Buckshot Yankee, banned the devices.
About that same time, according to prosecutors, Private
Bradley Manning, an Army intelligence analyst, copied thousands
of documents onto CDs and a digital camera card and leaked them
to the anti-secrecy website WikiLeaks.
Since then, the Pentagon has bolstered efforts to prevent
removal of classified data, Lieutenant Colonel James Gregory
said. The department is in 100 percent compliance with
directives to disable or tightly control use of removable media
devices on the Pentagon's secure network, he said.
That means most users have restricted profiles and their
computers do not recognize flash drives and other devices, like
BlackBerrys, that may be plugged into USB ports, Pentagon
spokesmen say.
The different military branches also have established
programs to control and track personnel authorized to download
data from the secure network, they say. Automatic systems
instantly report if someone connects an unauthorized device, or
inappropriately uses credentials for accessing the system.
While use of flash drives is largely barred, exceptions are
granted to systems administrators who install software and
manage helpdesk services for the department's millions of
computers and nearly 600,000 mobile devices in some 15,000
networked groups.
Lieutenant Colonel Damien Pickart, a Pentagon spokesman,
said the department was unable to specify how many exceptions
had been given because authority is delegated to smaller units
within the service and is not tracked at the department level.
Given the size of the system, it could be in the thousands,
he said.
Steven Bucci, a former Pentagon official and now a cyber
security expert for the conservative Heritage Foundation
think-tank, said a computer network the size of the Pentagon's
needed a large number of administrators at different levels to
run efficiently.
Concentrating access and control in the hands of a small
number of people could create even bigger risks if one of the
trusted few decided to divulge information, he added, because
they would have been exposed to a wider array of information.
"There is a certain point where you have to start trusting
people and that becomes a very imperfect system," he said. "If
you have a malicious insider - someone who has the authority to
do stuff but then decides to violate the rules - you've got a
problem, and there's ... very little you can do to stop that."
Decisions on who gets waivers are made by colonels or
generals who have been granted that authority for their
installations, brigades or other units, Pentagon officials said.
The Pentagon declined to comment on Snowden's case, citing
an ongoing criminal investigation.
Bucci said that after the Manning case, the Pentagon
tightened network security about as far as it could.
"What it comes down to then is the leadership, trying to
watch your people, listen for those signals," he said. "But,
heck, I mean even if you've got the best, most competent leaders
and supervisors in the world, sometimes you're still going to
miss those people."
(Reporting By David Alexander; Editing by Marilyn W. Thompson
and Claudia Parsons)