So was the 2008 hack on the Pentagon really the work of a foreign government, or was it just a common or garden worm introduced into the U.S. military networks by lax security procedures? In situations like this, I think Occams Razor is a good principle to follow (the popular interpretation of this principle being that the simplest explanation is usually the correct one).

Are we to believe that a foreign government trying to hack into the Pentagon would use a relatively benign worm based on an existing and two-year old worm, SillyFDC, that had limited ability once installed? Or would they go for something a bit more sophisticated? Let’s remember we are told that all sides have very powerful malware available that could be deployed if circumstances are right. So it seems curious that a government intelligence agency would take a known code base, with a known history, play with it a bit and use it to attack the Pentagon.

The alternative theory is that for the Pentagon, like any big organisation, security is a huge task that may be under-funded; and – if it is like most organisations – is reactive rather than proactive. We knew, even in 2008, that viruses could spread by USB keys and that they had to be treated with great care. Obviously even more so in the case of the military. But as this was the first significant security breach, it would be understandable if the policy had been to trust internal users to be sensible and security conscious, and so let security procedures lapse.

I am hoping here, that the alternative – that nobody thought of this attack vector – cannot possibly be true.

However, people are a problem and soldiers are just ordinary folks (better armed and organised than your average reading group admittedly), so it isn’t greatly surprising that something like this would happen. After all, it has happened to a lot of other organisations. So perhaps this is just human and organisational failure rather than some dark scheme.

Obviously it is a real worry as almost certainly the herder of this worm was not from the US; they may have extracted data and they may have tried to sell it. That’s what writing viruses, trojans and worms is all about. It is possible that they were really expecting credit card details and account logon details, so a pile of military secrets might not be what they normally traded in.

Having said all this, it has probably happened to quite a few companies. The important thing is, what has been the reaction? Was it to impose a quick ban on all USB keys (which is one way to deal with this, but it could impact normal business)? I expect that is not all that has been done. If this way in to the Pentagon was missed in the first place, are there others? Any security breach like this, for any organisation, calls for a complete review of security.

If this hasn’t been done, then it should be – and soon. Yesterday, if possible.