DoD Confirms Flash Drive Breached its IT Security in 2008

In November of 2008, the US Department of Defense (DoD) military and civilian personnel were informed that DoD had immediately suspended  their use of USB and removable media devices, including digital cameras, switches, special data entry devices, personal digital assistants (PDA), hand held computers, printers, network hardware, and removable hard data storage devices (USB memory sticks, cards, etc).

Speculation at the time was that DoD's networks suffered  a massive hybrid worm/virus attack and that the attack originated in a USB type storage device and could also be spread by them, hence the ban.

According to news reports today, an article to be released later today by Foreign Affairs discussing DoD's  cyber strategy confirms the speculation. This Washington Poststory states that "Deputy Defense Secretary William J. Lynn  III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command."

Secretary Lynn writes in the Foreign Affairs article that:

"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control... It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

Lynn also says that the DoD has found counterfeit hardware in systems that it has bought.

The Post story says that Secretary Lynn's article discusses in more detail DoD's approach to cyber security, which it calls "active defense."

The Post story also notes that some cyber security experts are concerned that the article will provide "adversaries useful information."

Exactly how escapes me.