Incident: Thumb Drives Ban Lifted in Military Networks Despite Security Risks

Published Date: 2010-02-18

Postmortem Analysis
Timeline
1. The software failure incident involving the malware known as "Agent.btz" infiltrating the U.S. Central Command's computer systems occurred in 2008 [Article 6233].
2. The incident was reported in an article published on June 16, 2011 [Article 6233].
Therefore, the software failure incident happened in 2008.

System
1. USB drives, memory sticks, CDs, and other removable flash media [564]
2. Malware known as "agent.btz" [564, 6233]

Responsible Organization
1. A foreign spy agency, suspected to be Russian intelligence, was responsible for the 2008 attack involving the malware "agent.btz" that infiltrated the U.S. Central Command's computer systems [Article 6233].

Impacted Organization
1. U.S. Central Command [564]
2. U.S. military networks [564]
3. Department of Defense [564]
4. U.S. federal nonmilitary computer networks [6233]

Software Causes
1. The software failure incident was caused by the spread of the Agent.btz virus through military networks via thumb drives, CDs, and other removable media [564].
2. The malware known as Agent.btz infiltrated the computer systems of the U.S. Central Command in 2008, establishing a digital beachhead for a foreign intelligence agency to attempt to steal data [6233].

Non-software Causes
1. Lack of support for enforcing the ban on thumb drives indefinitely [564].
2. Network security concerns not being adequately addressed [564].
3. Reliance on poor security practices and violation of existing policies due to a lack of enterprise tools [564].
4. Troops using unauthorized thumb drives even during the ban [564].
5. Insufficient restrictions on the use of removable media, leading to cybersecurity risks [564].
6. The persistent and evolving nature of the malware, making it hard to stay ahead of it [6233].
7. The malware spreading through infected flash drives inserted into military laptops [6233].
8. The malware establishing a digital beachhead for a foreign intelligence agency to steal data [6233].

Impacts
1. The software failure incident involving the Agent.btz virus led to the ban on the use of thumb drives, memory sticks, CDs, and other removable flash media on military networks by U.S. Strategic Command in November 2008 [564].
2. The incident resulted in the infiltration of the computer systems of the U.S. Central Command in 2008, creating a "digital beachhead" for a foreign intelligence agency to attempt to steal data [6233].
3. The attack established a persistent threat, as new, more potent variations of the Agent.btz malware continued to appear, challenging efforts to keep ahead of it [6233].
4. The incident raised concerns about the security of government and military computer networks, with the malware being described as "quite prolific" and constantly evolving [6233].
5. The software failure incident highlighted the challenges in detecting and countering such attacks, as the malware was able to evade anti-virus defenses and remain a persistent threat [6233].

Preventions
1. Implementing strict policies and enforcement mechanisms regarding the use of removable media such as thumb drives, CDs, and memory sticks on military networks to prevent the spread of viruses like Agent.btz [564].
2. Conducting regular virus scans and checks on all removable media devices before allowing them on military networks to ensure they are free from malware [564].
3. Removing USB ports and writable drives from desktop computers in highly classified organizations like the National Security Agency to prevent unauthorized data transfers and malware infiltration [564].
4. Creating a more secure and robust cybersecurity infrastructure within the Department of Defense to detect and counter evolving malware threats like agent.btz [6233].

Fixes
1. Implementing strict policies and controls on the use of removable media such as thumb drives, CDs, and memory sticks on military networks to prevent the spread of viruses and malware [564].
2. Conducting thorough virus scans and checks on department-owned drives before allowing them on military networks [564].
3. Creating and enforcing a more restrictive policy on the use of external devices to minimize cybersecurity risks [564].
4. Developing and deploying cybersecurity measures to counter evolving and persistent malware like agent.btz, including continuous monitoring and updating of anti-virus software [6233].
5. Enhancing network security protocols to detect and prevent unauthorized access and data exfiltration [6233].

References
1. InsideDefense.com [564]
2. iDefense [564]
3. 60 Minutes [564]
4. Stars & Stripes [564]
5. Reuters [6233]
6. Department of Homeland Security [6233]
7. U.S. Central Command [6233]
8. Pentagon [6233]
9. Defense Advanced Research Projects Agency (Darpa) [6233]
10. Invincea [6233]
11. Jeffrey Carr [6233]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the malware known as "agent.btz" infiltrating U.S. military networks has happened again within the same organization, specifically at the U.S. Central Command. The incident occurred in 2008, and new versions of the malware are still causing issues within U.S. networks [Article 6233].
(b) The incident involving the "agent.btz" malware has also affected multiple organizations beyond the U.S. military. The Department of Homeland Security mentioned that the malware is not limited to government computers and keeps evolving, posing a challenge to keep ahead of it. The extent of the damage and the affected networks were not specified [Article 6233].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in Article 564, where the ban on thumb drives and other removable media on military networks was lifted by U.S. Strategic Command despite the original network security concerns not being fully addressed. The ban was initially imposed after the Agent.btz virus spread through military networks via thumb drives, highlighting a design flaw in the system's security measures [564].
(b) The software failure incident related to the operation phase is evident in Article 6233, where the malware known as "agent.btz" infiltrated U.S. military networks in 2008 due to the operation of inserting an infected flash drive into a U.S. military laptop at a base in the Middle East. This operation-related failure allowed the malware to establish a digital beachhead for a foreign intelligence agency to attempt to steal data, showcasing a vulnerability in the system's operational practices [6233].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident related to the malware attack involving the "agent.btz" worm was primarily within the system. The incident involved the infiltration of U.S. military networks by the malware, which established a "digital beachhead" for a foreign intelligence agency to attempt to steal data [Article 6233]. The attack spread undetected on both classified and unclassified systems, indicating a failure within the system's security measures to detect and prevent such intrusions [Article 6233].
(b) outside_system: The software failure incident also had contributing factors originating from outside the system. The incident involved the use of infected flash drives that were inserted into U.S. military laptops at bases in the Middle East, indicating an external source introducing the malware into the system [Article 6233]. Additionally, the suspected origin of the attack was attributed to a foreign spy agency, with strong suspicions pointing towards Russian intelligence, suggesting an external threat actor targeting the system [Article 6233].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The incident involving the malware known as "Agent.btz" spread through infected flash drives and computer systems without direct human involvement, establishing a digital beachhead for a foreign intelligence agency [564].
- New versions of the malware, including more potent variations, continue to evolve and persist in U.S. networks, indicating a persistent and evolving threat introduced without direct human participation [6233].
(b) The software failure incident occurring due to human actions:
- The use of thumb drives and other removable media on military networks, despite security concerns and bans, contributed to the spread of malware like Agent.btz, highlighting human actions as a contributing factor to the security breach [564].
- The initial breach in 2008, where an infected flash drive was inserted into a U.S. military laptop, was a result of human actions that allowed the malware to infiltrate the systems, leading to significant consequences [6233].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The incident involving the malware known as "agent.btz" infiltrating U.S. military networks in 2008 was attributed to an infected flash drive being inserted into a U.S. military laptop at a base in the Middle East, indicating a hardware-related entry point for the attack [Article 6233].
(b) The software failure incident occurring due to software:
- The malware "agent.btz" itself, which infiltrated U.S. military networks, is a software-based threat that evolves and persists, challenging efforts to secure networks [Article 6233].
- The ban on thumb drives and other removable media on military networks by U.S. Strategic Command in response to the Agent.btz virus spreading through military networks highlights a software-related security concern [Article 564].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident described in the articles is malicious in nature. The incident involved the infiltration of U.S. military networks by the "Agent.btz" malware, which was described as a worm that spreads by copying itself from thumb drive to computer and back again [564]. The attack established a "digital beachhead" for a foreign intelligence agency to attempt to steal data, leading to concerns about deliberate attacks on the Defense Department's networks [564]. Experts strongly suspect that the original attack was crafted by Russian intelligence, although the exact origin of the attackers remains closely held information [6233].
(b) The incident was not non-malicious, as it involved intentional actions by a foreign spy agency to breach U.S. military networks and steal data. The malware was designed to evade anti-virus defenses and continuously change its "signature" to remain a persistent threat [6233]. The attack was described as a network administrator's worst fear, with the malware operating silently and transferring data to servers under foreign control [6233].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident:
- The software failure incident related to the ban on thumb drives and other removable media on military networks was due to poor decisions made by U.S. Strategic Command. The ban was initially imposed in response to the Agent.btz virus spreading through military networks via thumb drives [564].
- The failure to effectively address the network security concerns and enforce the ban indefinitely, despite the known risks of malware spreading through removable media, indicates poor decisions in managing the security of military networks [564].
- The incident involving the malware agent.btz infiltrating U.S. military networks in 2008 was also a result of poor decisions, as it created a digital beachhead for a foreign intelligence agency to steal data. The attack was facilitated by the insertion of an infected flash drive into a U.S. military laptop, highlighting the consequences of inadequate security measures and decision-making [6233].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the articles. In Article 564, it is mentioned that the U.S. Strategic Command lifted the ban on thumb drives and other removable media on military networks despite ongoing network security concerns. The ban was initially imposed after the spread of the Agent.btz virus through military networks, which was a variation of the SillyFDC worm. The decision to lift the ban without fully addressing the underlying security issues reflects a lack of professional competence in ensuring the security of military networks [564].
(b) The software failure incident related to accidental factors is also highlighted in the articles. In Article 6233, it is discussed how the malware known as agent.btz infiltrated U.S. military networks in 2008 through an infected flash drive inserted into a military laptop at a base in the Middle East. This accidental introduction of the malware led to significant consequences, including the establishment of a digital beachhead for a foreign intelligence agency to attempt to steal data. The evolving and persistent nature of the malware indicates that the initial breach was accidental but had long-lasting effects on network security [6233].

Category: Duration
Option: permanent, temporary
Rationale:
(a) The software failure incident related to the malware known as "agent.btz" infiltrating U.S. military networks in 2008 was more of a permanent issue. The malware created a persistent threat that kept evolving and appearing in new, more potent variations even years after the initial breach [Article 6233]. The incident led to the establishment of the military's Cyber Command to counter such attacks [Article 6233].
(b) The temporary aspect of the software failure incident can be seen in the lifting of the ban on thumb drives and other removable media on military networks by U.S. Strategic Command. The ban was initially imposed in response to the spread of the Agent.btz virus through military networks via thumb drives. However, the ban was later partially lifted, with new rules allowing the limited use of approved removable media under strict conditions [Article 564].

Category: Behaviour
Option: crash, omission, byzantine, other
Rationale:
(a) crash: The software failure incident described in Article 564 involved a crash scenario where the Agent.btz virus spread through military networks by copying itself from thumb drive to computer and back again, leading to a situation where the system lost its state and was not performing its intended functions [564].
(b) omission: The incident also involved an omission scenario where the malware omitted to perform its intended functions at an instance(s) by establishing a digital beachhead for a foreign intelligence agency to attempt to steal data within the U.S. Central Command's computer systems [6233].
(c) timing: There is no specific mention of a timing-related failure in the articles.
(d) value: The incident did not involve a value-related failure.
(e) byzantine: The software failure incident exhibited byzantine behavior, where the Agent.btz malware continuously evolved and changed its "signature" to evade anti-virus software, resulting in inconsistent responses and interactions with the host networks [6233].
(f) other: The incident also involved other behaviors, such as the persistent and evolving nature of the malware, the challenge of keeping ahead of new versions of the malware, and the uncertainty surrounding the origin of the attackers responsible for the attack [6233].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: non-human
Rationale:
(a) death: People lost their lives due to the software failure - There is no mention of any deaths resulting from the software failure incidents described in the articles [564, 6233].
(b) harm: People were physically harmed due to the software failure - There is no mention of physical harm to individuals due to the software failure incidents described in the articles [564, 6233].
(c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted by the software failure incidents described in the articles [564, 6233].
(d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incidents described in the articles [564, 6233] primarily focus on the impact on military networks and data security, but there is no specific mention of individuals losing material goods, money, or data due to the incidents.
(e) delay: People had to postpone an activity due to the software failure - The articles do not mention any activities being postponed due to the software failure incidents described in the articles [564, 6233].
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incidents described in the articles [564, 6233] primarily focus on the impact on military networks and systems, which are non-human entities.
(g) no_consequence: There were no real observed consequences of the software failure - The articles clearly describe significant consequences of the software failure incidents, such as the infiltration of military networks and the potential theft of data.
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences of the software failures, such as the risk of data theft and the challenges in countering evolving malware, but these consequences are not described as theoretical, as they are based on actual incidents.
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - There are no other specific consequences mentioned in the articles beyond those related to data security breaches and the challenges in countering malware attacks.

Category: Domain
Option: information, government
Rationale:
(a) The failed system was related to the industry of information, as it involved the production and distribution of data within military networks. The incident involved the use of thumb drives, memory sticks, CDs, and other removable flash media on military networks, which were initially banned due to security concerns related to the spread of malware like the Agent.btz virus [564].
(b) Additionally, the failed system was also related to the government industry, as it impacted the Department of Defense's networks and operations. The incident led to the ban on certain removable media devices in military networks to prevent the spread of viruses and potential cyber attacks on critical elements of the Global Information Grid [564]. The attack on the U.S. Central Command's classified network through the use of thumb drives highlighted the vulnerability of government networks to such security breaches [564]. The creation of the military's Cyber Command in response to the attack further emphasizes the government's focus on cybersecurity and defense in the digital realm [6233].

Sources
