Deployed troops to get new security tool, allowing access to latest computers

Troops in the Middle East should soon have faster, safer access to the latest computers on the market, as a result of a small disk the Defense Department developed that instantly standardizes the security settings on Microsoft Windows desktops deployed overseas, Pentagon officials said.

Military personnel assigned to the Combined Joint Operations Area in Afghanistan and Iraq are expected to begin using copies of the so-called unified golden master within the next several months. A golden master is a model of an operating system and all the code -- typically stored on a DVD -- needed to run a computer safely.

The disks are intended to address the long-standing problem of securing computers during combat operations, when there isn't enough staff or expertise to consistently install patches -- fixes to program bugs. For personnel focused on installing email and other essential collaboration tools, configuring security controls becomes a secondary priority, some information assurance experts said.

Defense officials are scheduled to provide more details on the initiative later this month at the National Cybersecurity Innovation Conference, hosted by the SANS Institute, a computer security training center.

Officials would not say when they plan to start using the disks, but SANS Research Director Alan Paller said rollout is anticipated this summer.

Synchronizing and updating hardware settings "is a complicated and time-consuming process that is outside the normal area of expertise for most organizations," Defense spokeswoman April Cunningham said. The new tool eliminates the need for military personnel to adjust more than 1,200 settings. It also provides three enhanced security features for the Microsoft operating system that are designed to keep out malicious software: AppLocker, Data Execution Prevention and Structured Exception Handler Overwrite Protection.

The improvements "should dramatically reduce security incidents and the time spent responding to such incidents," Cunningham said.

The disk is designed for workstations operating on networks belonging to the U.S. Central Command, which oversees forces in the Middle East, and NATO's International Security Assistance Forces.

The Pentagon also plans to distribute a version of the CENTCOM device departmentwide, Defense officials said. The "DoD Unified Master Gold Disk Standard" would allow the combatant commands, services and agencies to tailor the basic settings to meet their individual needs, Cunningham added.

The disk has the potential to ease security compliance for civilian agencies, too. Non-Defense agencies using Windows computers are supposed to be adhering to a suite of settings called the U.S. Government Configuration Baseline, formerly known as the Federal Desktop Core Configuration. Those requirements, developed in 2008, are based on a model the Air Force developed in partnership with the National Security Agency, the Defense Information Systems Agency and the National Institute of Standards and Technology, as well as representatives from the Army, Navy and Marine Corps.

But no agencies have fully applied all the settings on their workstations, according to federal auditors.

Critics of the civilian standard settings said they are not compatible with certain applications that run on Windows. In the past, vendors have agreed to offer versions of their software that work with the government-specific settings, but only after rolling out commercial market formats.

Consumers have no interest in paying for the government baseline features, and certain specifications disable programs that some government users need, said Trey Hodgkins, vice president for national security and procurement policy at industry group TechAmerica. Because of the lag time between commercial and government availability, U.S. adversaries -- terrorist groups such as al Qaeda, for example -- have access to the most cutting-edge computer systems on the market before the U.S. government does, he explained.

"Most systems have mixtures of software that have to be installed separately and [the parts sometimes alter] the underlying operating system, chewing up administrator time and delaying deployment," Paller said. "The White House tried to solve these problems with its Federal Desktop Core Configuration initiative, but [chief information security officers] didn't have the discipline to stick to it. The direct result of that failure is the deep persistent presence of malicious code from very bad people across most federal agencies."

To make it easier for agencies to follow the civilian specifications, the Pentagon said it plans to offer its disk to White House officials for consideration.