USDA unit bans browsers other than Internet Explorer

An Agriculture Department agency has begun enforcing a policy banning the use of Web browsers other than Microsoft's Internet Explorer, to the surprise of employees who rely on other browsers, such as Mozilla's Firefox, to help in developing Web sites for public use.

An operations manager at USDA's Cooperative State Research, Education and Extension Service on Friday e-mailed a memo to CSREES employees that stated, "In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed."

The Federal Desktop Core Configuration, a 2008 governmentwide policy administered by the Office of Management and Budget, requires that agencies standardize operating system and browser settings to prevent security breaches. OMB officials said the configuration does not require agencies to bar non-IE browsers.

Caleb Weaver, an Agriculture spokesman, said CSREES' browser restriction is not a departmentwide policy. USDA officials are still looking into why the office is implementing the policy, he added. CSREES supports research on the biological, physical and social sciences pertaining to agriculture throughout universities and other partner institutions.

USDA employees said they were told Firefox browsers had allowed security breaches within the division. Settings on Internet Explorer can be managed centrally to exert greater control over computers throughout an enterprise, whereas other browsers cannot be managed centrally, employees were told.

In addition to Firefox and Chrome, other popular non-Microsoft browsers include Apple's Safari. Central management tools for non-IE browsers are hard to find, since Mozilla, Apple and Google are consumer-focused companies rather than enterprise vendors, cybersecurity specialists said.
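The distinction employees were given, that IE settings are applied centrally while other browsers are not, can be checked on a workstation. The following PowerShell script is an added example, not code from the article or from USDA; it assumes a standard Windows registry layout (browsers register under `Clients\StartMenuInternet`, and Group Policy settings for IE land under `SOFTWARE\Policies\Microsoft\Internet Explorer`) and is meant to be run by an administrator auditing a desktop for third-party browsers and for evidence that IE is under policy control.

```powershell
# Added example (not from the article): inventory registered browsers and report
# whether Internet Explorer settings are being applied through Group Policy.
# Assumes the standard Windows registry layout; run from an elevated session.

function Get-RegisteredBrowsers {
    # Browsers that integrate with Windows register themselves here, so this
    # catches Firefox, Chrome, Netscape and IE without guessing install paths.
    $roots = @(
        'HKLM:\SOFTWARE\Clients\StartMenuInternet',
        'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet',
        'HKCU:\SOFTWARE\Clients\StartMenuInternet'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $cmdKey = Join-Path $_.PSPath 'shell\open\command'
            $cmd = if (Test-Path $cmdKey) { (Get-ItemProperty $cmdKey).'(default)' } else { $null }
            [pscustomobject]@{
                Name       = $_.PSChildName
                Command    = $cmd
                Source     = $root
                ThirdParty = ($_.PSChildName -notmatch 'IEXPLORE')
            }
        }
    }
}

function Get-IEPolicyState {
    # Centrally managed IE settings (as FDCC templates apply them) are written
    # under SOFTWARE\Policies. A key with values beneath it is the evidence that
    # central management is actually reaching this machine or user.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    )
    foreach ($key in $policyKeys) {
        $present = Test-Path $key
        $valueCount = 0
        if ($present) {
            $valueCount = (Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { $_.ValueCount } | Measure-Object -Sum).Sum
        }
        [pscustomobject]@{ Key = $key; Present = $present; ValuesBeneath = $valueCount }
    }
}

# Report: which browsers are registered, and whether IE is under policy control.
$browsers = Get-RegisteredBrowsers
Write-Host "Registered browsers:"
$browsers | Format-Table Name, ThirdParty, Command -AutoSize

$thirdParty = @($browsers | Where-Object ThirdParty)
if ($thirdParty.Count -gt 0) {
    Write-Host ("{0} third-party browser(s) registered on this workstation." -f $thirdParty.Count)
} else {
    Write-Host "No third-party browsers registered."
}

Write-Host "IE Group Policy state:"
Get-IEPolicyState | Format-Table -AutoSize
```

The inventory side answers the factual question behind the memo (what is installed), and the policy side shows whether the centrally managed settings that the policy relies on are actually present, which is the check an auditor would want before concluding that standardizing on IE has bought any security.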

OMB officials do not have information about which agencies have opted to bar non-Microsoft browsers. Agencies manage their desktop infrastructure "within policies we establish, such as Federal Desktop Core Configuration," officials said.

Cybersecurity specialists said the ban could be a case of managers taking a sound policy to the extreme.

The core configuration "definitely does not say you have to use IE, so CSREES policy certainly makes no sense from that perspective. It does make sense to standardize on one browser if possible," said John Pescatore, a vice president and research fellow at Gartner Research who specializes in network security.

Standardizing makes it easier to fix program bugs because an information technology specialist needs to patch only one browser.

Most attacks exploit vulnerabilities in older IE browsers, so the best approach to improving security would have been standardizing on either Internet Explorer 8 or Firefox, Pescatore said.

"There have been a lot of day zero attacks against IE vulnerabilities this year and maybe CSREES was really trying to standardize on the latest, patched version of IE and went a bit too far without thinking through the consequences," said Pescatore. Day zero attacks are those in which malicious programs exploit a security vulnerability before a fix for it is available, often striking many computers at once on the day the flaw becomes public.

USDA employees, who were not authorized to speak on the record, said they were shocked by last week's announcement because of the timing and the disruption it could cause. Agriculture IT specialists, as part of their jobs, have to use alternative browsers to test public-facing USDA Web sites that citizens can access through Firefox, Chrome and other browsers.

The new policy will make it more difficult to support public Web users, employees said. Managers should have set up alternative testing networks or provided other tools before restricting browsers, the employees argued.

Administration officials more than a year ago required agencies to assimilate system settings as part of the federal desktop policy, but "the truth of the matter is that no one could get down" to a few configurations "because you end up breaking some [software] application," said Ed Meagher, former deputy CIO at the Interior Department and former CTO at the Veterans Affairs Department.

The Bush administration "put a lot of emphasis on it early and everyone agreed it was a necessary step to get down to some level of configurations that could be managed," he said. "It's very hard to do cybersecurity if thousands of configurations are acceptable."

But the policy emerged at the end of the Bush administration, when government officials were running out of steam and could not enforce it, he added.
