Enterprise Application Whitelisting


The Buckshot Heard Round The World; Bit9 Weighs in On Cyber Security

Posted by Harry Sverdlove on Mon, Aug 30, 2010

It may seem passé to discuss an attack from 2008; two years is an eternity in the cyber world. But the incident described in a recent New York Times article (see also CNN) was a watershed moment worth revisiting.

In 2008, a flash drive was plugged into a laptop on an American military base. It carried the Agent.btz worm, which propagated from device to device and machine to machine, spreading across both secure and non-secure networks within the government. Details of which systems or information were compromised were never made public, but the attack was severe enough to warrant a security briefing for the President of the United States. The effort to counter it was dubbed Operation Buckshot Yankee.

I was there, working with our government and civilian customers, when the DoD ban on all portable devices went into effect (it was later relaxed, but the initial ban was without exception across all of their sub-agencies and contractors). All of the computer systems within the Defense Department were running the latest antivirus software, with firewalls, intrusion detection, internet filtering, and advanced policy management settings. Millions, if not billions, of dollars had been spent on IT security. Yet one tiny device, with a payload of less than 1 MB, went undetected and wreaked havoc. All that money, manpower, and technology, and Uncle Sam was reduced to physically banning the use of USB sticks.

It reminds me of a Dr. Seuss story that I used to read to my kids, Yertle the Turtle. There’s a line in that story, “his burp shook the throne of the king”. One tiny turtle, at the bottom of a stack, caused the entire system to collapse. This flash drive “burp” got the attention of the highest levels of government. It’s as if a light bulb went off in the heads of the top brass, “This really happened? How could our cyber defenses be so ineffective? There has to be a better approach.”

I saw two things happen next. First, there was collective recognition within the government that traditional “react-and-respond” security was ineffective against today’s cyber threats; new approaches, like the “proact-and-prevent” paradigm of whitelisting, were needed. Bit9 was already successful within the government sector, but this raised awareness to a new level.

The second was that, when the global ban on all things removable went out, the world didn’t end. It quickly evolved into more relaxed policies with selective, monitored exceptions, and it is certainly not the way I would recommend transforming a security posture. But under fire, it was necessary. The posture changed from “let everything in and then see if it behaves badly” to “block everything until it is verified to be good”. That model has always been how the government approaches personnel security, but it had not been applied to cyber security. People were so used to the old way of thinking about security that they feared change. This incident and the Operation Buckshot Yankee response showed that approval-based protection works.

Whether you’re talking about people, removable devices, or software, positive security is more effective than negative security.
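To make the “block everything until it is verified to be good” model concrete, here is an added example (it is not code from this post and not Bit9’s product) that puts a hash-based allowlist next to a signature denylist and runs both over three constructed sample files: an approved tool, a never-before-seen payload of the kind that arrives on removable media, and the approved tool with one byte patched. The file contents, names and the “old known malware” signature are all made up for the demonstration; real whitelisting products also trust by publisher certificate or trusted installer rather than by file hash alone, which this example does not model.

```python
# Added example (not code from the original post, and not Bit9's product):
# a hash-based default-deny execution policy next to a signature denylist,
# run over constructed sample files.
import hashlib
import os
import shutil
import tempfile
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


class DenylistPolicy:
    """Negative security: everything runs unless its hash is a known-bad signature."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)

    def decide(self, path: str):
        if sha256_file(path) in self.known_bad:
            return Verdict.DENY, "matches a known-bad signature"
        return Verdict.ALLOW, "no signature match (unknown is treated as good)"


class AllowlistPolicy:
    """Positive security: nothing runs unless its hash was explicitly approved."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)

    def decide(self, path: str):
        if sha256_file(path) in self.approved:
            return Verdict.ALLOW, "hash is on the approved list"
        return Verdict.DENY, "not on the approved list (unknown is treated as bad)"


def build_scenario():
    """Construct three sample 'binaries' (stand-in bytes, no real malware) and
    return each policy's verdict for them, keyed by policy and sample name."""
    tmp = tempfile.mkdtemp()
    try:
        samples = {
            # The IT-approved tool that was on the machine before the incident.
            "approved_tool": b"MZ approved administrative tool",
            # A never-before-seen payload arriving on removable media; the
            # signature database was built before it existed.
            "novel_payload": b"MZ never-before-seen autorun dropper",
            # The approved tool with one byte patched: same name, different hash.
            "tampered_tool": b"MZ approved administrative tool\x90",
        }
        paths = {}
        for name, content in samples.items():
            paths[name] = os.path.join(tmp, name + ".exe")
            with open(paths[name], "wb") as f:
                f.write(content)

        # Constructed signature: an old, unrelated sample is all the denylist knows.
        denylist = DenylistPolicy([hashlib.sha256(b"MZ old known malware").hexdigest()])
        # The allowlist holds only the approved tool's measured hash.
        allowlist = AllowlistPolicy([sha256_file(paths["approved_tool"])])

        return {
            "denylist": {n: denylist.decide(p)[0] for n, p in paths.items()},
            "allowlist": {n: allowlist.decide(p)[0] for n, p in paths.items()},
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for policy, verdicts in build_scenario().items():
        for name, verdict in verdicts.items():
            print(f"{policy:9s} {name:15s} -> {verdict.value}")
```

The denylist lets the novel payload and the patched tool run, because neither matches a signature it has; the allowlist denies both and allows only the file whose hash was approved. That asymmetry is the whole argument for positive security: the allowlist needs no advance knowledge of the attacker’s code, only of your own.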

