USDA unit bans browsers other than Internet Explorer

An Agriculture Department agency has begun enforcing a policy banning the use of Web browsers other than Microsoft's Internet Explorer, to the surprise of employees who rely on other browsers, such as Mozilla's Firefox, to help in developing Web sites for public use.

An operations manager at USDA's Cooperative State Research, Education and Extension Service on Friday e-mailed a memo to CSREES employees that stated, "In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed."

The Federal Desktop Core Configuration, a 2008 governmentwide policy administered by the Office of Management and Budget, requires that agencies standardize operating system and browser settings to prevent security breaches. OMB officials said the configuration does not require agencies to bar non-IE browsers.

Caleb Weaver, an Agriculture spokesman, said CSREES' browser restriction is not a departmentwide policy. USDA officials are still looking into why the office is implementing the policy, he added. CSREES supports research on the biological, physical and social sciences pertaining to agriculture throughout universities and other partner institutions.

USDA employees said they were told Firefox browsers had allowed security breaches within the division. Settings on Internet Explorer can be managed centrally to exert greater control over computers throughout an enterprise, whereas other browsers cannot be managed centrally, employees were told.

In addition to Firefox and Chrome, other popular non-Microsoft browsers include Apple's Safari. Central management tools for non-IE browsers are hard to find, since Mozilla, Apple and Google are consumer-focused companies rather than enterprise vendors, cybersecurity specialists said.

OMB officials do not have information about which agencies have opted to bar non-Microsoft browsers. Agencies manage their desktop infrastructure "within policies we establish, such as Federal Desktop Core Configuration," officials said.

Cybersecurity specialists said the ban could be a case of managers taking a sound policy to the extreme.

The core configuration "definitely does not say you have to use IE, so CSREES policy certainly makes no sense from that perspective. It does make sense to standardize on one browser if possible," said John Pescatore, a vice president and research fellow at Gartner Research who specializes in network security.

Standardizing makes it easier to fix program bugs because an information technology specialist needs to patch only one browser.

Most attacks exploit vulnerabilities in older IE browsers, so the best approach to improving security would have been standardizing on either Internet Explorer 8 or Firefox, Pescatore said.

"There have been a lot of day zero attacks against IE vulnerabilities this year and maybe CSREES was really trying to standardize on the latest, patched version of IE and went a bit too far without thinking through the consequences," said Pescatore. Day zero attacks are the result of malicious programs that exploit a security vulnerability on multiple computers all at once on a day that is typically publicized.

USDA employees, who were not authorized to speak on the record, said they were shocked by last week's announcement because of the timing and the disruption it could cause. Agriculture IT specialists, as part of their jobs, have to use alternative browsers to test public-facing USDA Web sites that citizens can access through Firefox, Chrome and other browsers.

The new policy will make it more difficult to support public Web users, employees said. Managers should have set up alternative testing networks or provided other tools before restricting browsers, the employees argued.

Administration officials more than a year ago required agencies to assimilate system settings as part of the federal desktop policy, but "the truth of the matter is that no one could get down" to a few configurations "because you end up breaking some [software] application," said Ed Meagher, former deputy CIO at the Interior Department and former CTO at the Veterans Affairs Department.

The Bush administration "put a lot of emphasis on it early and everyone agreed it was a necessary step to get down to some level of configurations that could be managed," he said. "It's very hard to do cybersecurity if thousands of configurations are acceptable."

But the policy emerged at the end of the Bush administration, when government officials were running out of steam and could not enforce it, he added.
