The military has implemented a new policy stating that removable media cannot be used on SIPRNET computers. While this may seem like a good thing, the implementation may be lacking. The private sector has warned of the exposure caused by removable media for years. From a practical standpoint, banning all removable media is nothing more than a good-sounding idea.
“Users will experience difficulty with transferring data for operational needs which could impede timeliness on mission execution,” the document admits. But “military personnel who do not comply … may be punished under Article 92 of the Uniformed Code of Military Justice.” Article 92 is the armed forces’ regulation covering failure to obey orders and dereliction of duty, and it stipulates that violators “shall be punished as a court-martial may direct.”
The military understands that efficiency will be impacted by its decision, and it appears to be sticking to its guns on disciplining anyone who disobeys orders. The key point here is the loss of efficiency caused by this policy. Private sector businesses rely on efficiency to maintain profitability. Before implementing such a policy at your business, it is important to determine whether it is the right thing to do. The CFO is going to be interested in the impact any proposed policy has on the bottom line. The loss of efficiency is something that will have to be weighed against security. Based on the content of the Wired.com article, it appears that no preventative technological controls are going to be used; otherwise, punishing soldiers with a court-martial would not be mentioned. The best solution would be to use technology to disable removable media as a supplement to the policy. Policies that depend on the honesty of the workforce are seldom successful. The anonymous sources in the article who intend to keep using removable media show that policies alone do not equal security.