House panel's file sharing investigation may be misguided

A letter written by the panel cites an episode where blueprints and the avionics package for Marine One were found on a file server in Iran. (Photo: Pablo Martinez Monsivais/AP)

A House committee pushing the Justice Department and Federal Trade Commission to prosecute those who use file-sharing services to download sensitive information would do better to convince agencies to stop employees from downloading the popular applications in the first place, security professionals said.

In an April 20 letter to Attorney General Eric Holder, the House Committee on Oversight and Government Reform expressed concern about "the significant risk posed to American citizens and entities from the accessibility of sensitive private and government information on peer-to-peer file-sharing networks."

The committee also sent letters requesting updates about efforts to curtail risks associated with the technology to Jon Leibowitz, chairman of the FTC, and Mark Gorton, chairman of the Lime Group, which owns the most widely used P2P file-sharing application, LimeWire. A committee investigation revealed that LimeWire software permitted access to files containing confidential information belonging to government agencies and the public.

The software, known as P2P, allows computer users to exchange files, most commonly songs and video clips, directly with other computer users who have downloaded the file-sharing software. But P2P applications, if not configured properly, also expose other files on a computer user's hard drive, which could include documents that contain sensitive and private information.

The committee cited an episode where blueprints and the avionics package for the president's helicopter were found on a file server in Iran, and tracked the loss of the information back to a defense contractor in Bethesda, Md.

But the committee should shift much of the blame from file-sharing companies to agencies, said former government information technology managers. "The onus of responsibility and blame doesn't land totally on them," said Alan Balutis, director of the business solutions group at Cisco Systems and a former chief information officer at the Commerce Department. "I would take action against the [employees] who allowed this to happen, and use this as the basis for training or retraining on what one is supposed to be doing and not doing" to protect sensitive information.

Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002, said even those who downloaded the sensitive information may not be culpable. "This is not like a hack. No one is intruding into your network to get the information," he said. "You're providing an avenue in for files to be leached out to P2P sites, and legitimately accessed. Where are the grounds for prosecution? There aren't any."

"Anyone who would reach out to these sites from their office computer, who would expose sensitive and/or classified material, is breaking any number of existing rules and protocols," Balutis said.

He added that new regulations are not the answer; instead federal agencies and private organizations must strictly enforce existing policies, guidelines and standards with employees and partners.

Jacobs said any agency storing sensitive information should not allow employees to download P2P software and should scan its systems regularly to check for the file-sharing software. "P2P file sharing is a significant problem, and one that is not solved technically," he said. "It's solved through policy, policy enforcement and discipline."

The committee has investigated inadvertent file sharing on P2P networks before. At a hearing in July 2007, Lime Group's Gorton promised to modify the company's software to help prevent the sharing of confidential information. The committee reopened the investigation this month after determining LimeWire and other P2P providers had yet to take "adequate steps to address this critical problem."

Congress may not have the authority to compel the company to rewrite its software, said Bruce McConnell, former OMB information policy chief. "Government regulation of Internet service providers to control information exchanges by citizens can be difficult to achieve in a constitutional manner," he said. "It may be preferable to go after the people who illegally possess the content."
