A cyber attack described as “the most serious breach of US military computer networks ever” stemmed from an infected USB flash drive, the US deputy defence secretary has revealed.
The attack, which happened two years ago, was the catalyst for the Pentagon overhauling its digital security strategy.
Writing in the journal Foreign Affairs this week, William Lynn said that the malware-laden drive was inserted into a US laptop by a “foreign intelligence agency” operating in the Middle East.
Before it was detected, the malicious code reached as far as the US Central Command network, where it was exposed to sensitive military documents, Lynn said.
“[It] spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he wrote. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”
Following the attack in 2008, the Pentagon formed a Cyber Command unit to identify and defend against cyber security threats. It also prohibited its workforce from using USB flash drives, although this ban has recently been lifted.
Lynn estimates more than one hundred foreign intelligence organisations are attempting to break into US military networks at any one time.
In May this year, the Pentagon’s undersecretary of defence for policy James Miller said that the government would consider a military response in retaliation to a cyber attack against the country.
See also: Mobile insecurity Is the new wave of Internet-connected mobile devices carving out a gaping hole in enterprise security?