House panel's file sharing investigation may be misguided

Congress should compel agencies to stop employees from downloading peer-to-peer applications, security professionals say.

A letter written by the panel cites an episode where blueprints and the avionics package for Marine One were found on a file server in Iran.Pablo Martinez Monsivais/AP

A House committee pushing the Justice Department and Federal Trade Commission to prosecute those who use file-sharing services to download sensitive information would do better to convince agencies to stop employees from downloading the popular applications in the first place, security professionals said.

In an April 20 letter to Attorney General Eric Holder, the House Committee on Oversight and Government Reform expressed concern about "the significant risk posed to American citizens and entities from the accessibility of sensitive private and government information on peer-to-peer file-sharing networks."

The committee also sent letters requesting updates about efforts to curtail risks associated with the technology to Jon Leibowitz, chairman of FTC, and Mark Gorton, chairman of the Lime Group, which owns the most widely used P2P file sharing application, LimeWire. A committee investigation revealed that LimeWire software permitted access to files containing confidential information belonging to government agencies and the public.

The software, known as P2P, allows computer users to exchange files, most commonly songs and video clips, directly from other computer users who have downloaded the file-sharing software. But the P2P applications, if not configured properly, also open other files on a computer users' hard drive, which could have documents that contain sensitive and private information.

The committee cited an episode where blueprints and the avionics package for the president's helicopter were found on a file server in Iran, and tracked the loss of the information back to a defense contractor in Bethesda, Md.

But the committee should shift much of the blame from file-sharing companies to agencies, said former government information technology managers. "The onus of responsibility and blame doesn't land totally on them," said Alan Balutis, director of the business solutions group at Cisco Systems and a former chief information officer at the Commerce Department. "I would take action against the [employees] who allowed this to happen, and use this as the basis for training or retraining on what one is supposed to be doing and not doing" to protect sensitive information.

Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002, said even those who downloaded the sensitive information may not be culpable. "This is not like a hack. No one is intruding into your network to get the information," he said. "You're providing an avenue in for files to be leached out to P2P sites, and legitimately accessed. Where are the grounds for prosecution? There aren't any."

"Anyone who would reach out to these sites from their office computer, who would expose sensitive and/or classified material, is breaking any number of existing rules and protocols," Balutis said.

He added that new regulations are not the answer; instead federal agencies and private organizations must strictly enforce existing policies, guidelines and standards with employees and partners.

Jacobs said any agency storing sensitive information should not allow employees to download P2P software and should scan its systems regularly to check for the file-sharing software. "P2P file sharing is a significant problem, and one that is not solved technically," he said. "It's solved through policy, policy enforcement and discipline."

The committee has investigated inadvertent file sharing on P2P networks before. At a hearing in July 2007, Lime Group's Gordon promised to modify the company's software to help prevent the sharing of confidential information. The committee reopened the investigation this month after determining LimeWire and other P2P providers had yet to take "adequate steps to address this critical problem."

Congress may not have the authority to compel the company to rewrite its software, said Bruce McConnell, former OMB information policy chief. "Government regulation of Internet service providers to control information exchanges by citizens can be difficult to achieve in a constitutional manner," he said. "It may be preferable to go after the people who illegally possess the content."