An Agriculture Department agency has begun enforcing a policy banning the use of Web browsers other than Microsoft's Internet Explorer, to the surprise of employees who rely on other browsers, such as Mozilla's Firefox, to help in developing Web sites for public use.
An operations manager at USDA's Cooperative State Research, Education and Extension Service on Friday e-mailed a memo to CSREES employees that stated, "In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed."
The Federal Desktop Core Configuration, a 2008 governmentwide policy administered by the Office of Management and Budget, requires that agencies standardize operating system and browser settings to prevent security breaches. OMB officials said the configuration does not require agencies to bar non-IE browsers.
Caleb Weaver, an Agriculture spokesman, said CSREES' browser restriction is not a departmentwide policy. USDA officials are still looking into why the office is implementing the policy, he added. CSREES supports research on the biological, physical and social sciences pertaining to agriculture throughout universities and other partner institutions.
USDA employees said they were told Firefox browsers had allowed security breaches within the division. Settings on Internet Explorer can be managed centrally to exert greater control over computers throughout an enterprise, whereas other browsers cannot be managed centrally, employees were told.
In addition to Firefox and Chrome, other popular non-Microsoft browsers include Apple's Safari. Central management tools for non-IE browsers are hard to find, since Mozilla, Apple and Google are consumer-focused companies rather than enterprise vendors, cybersecurity specialists said.
OMB officials do not have information about which agencies have opted to bar non-Microsoft browsers. Agencies manage their desktop infrastructure "within policies we establish, such as Federal Desktop Core Configuration," officials said.
Cybersecurity specialists said the ban could be a case of managers taking a sound policy to the extreme.
The core configuration "definitely does not say you have to use IE, so CSREES policy certainly makes no sense from that perspective. It does make sense to standardize on one browser if possible," said John Pescatore, a vice president and research fellow at Gartner Research who specializes in network security.
Standardizing makes it easier to fix program bugs because an information technology specialist needs to patch only one browser.
Most attacks exploit vulnerabilities in older IE browsers, so the best approach to improving security would have been standardizing on either Internet Explorer 8 or Firefox, Pescatore said.
"There have been a lot of day zero attacks against IE vulnerabilities this year and maybe CSREES was really trying to standardize on the latest, patched version of IE and went a bit too far without thinking through the consequences," said Pescatore. Day zero attacks are the result of malicious programs that exploit a security vulnerability on multiple computers all at once on a day that is typically publicized.
USDA employees, who were not authorized to speak on the record, said they were shocked by last week's announcement because of the timing and the disruption it could cause. Agriculture IT specialists, as part of their jobs, have to use alternative browsers to test public-facing USDA Web sites that citizens can access through Firefox, Chrome and other browsers.
The new policy will make it more difficult to support public Web users, employees said. Managers should have set up alternative testing networks or provided other tools before restricting browsers, the employees argued.
Administration officials more than a year ago required agencies to assimilate system settings as part of the federal desktop policy, but "the truth of the matter is that no one could get down" to a few configurations "because you end up breaking some [software] application," said Ed Meagher, former deputy CIO at the Interior Department and former CTO at the Veterans Affairs Department.
The Bush administration "put a lot of emphasis on it early and everyone agreed it was a necessary step to get down to some level of configurations that could be managed," he said. "It's very hard to do cybersecurity if thousands of configurations are acceptable."
But the policy emerged at the end of the Bush administration, when government officials were running out of steam and could not enforce it, he added.