
House panel's file sharing investigation may be misguided

A letter written by the panel cites an episode where blueprints and the avionics package for Marine One were found on a file server in Iran. (Photo: Pablo Martinez Monsivais/AP)

A House committee pushing the Justice Department and Federal Trade Commission to prosecute those who use file-sharing services to download sensitive information would do better to convince agencies to stop employees from downloading the popular applications in the first place, security professionals said.

In an April 20 letter to Attorney General Eric Holder, the House Committee on Oversight and Government Reform expressed concern about "the significant risk posed to American citizens and entities from the accessibility of sensitive private and government information on peer-to-peer file-sharing networks."

The committee also sent letters requesting updates about efforts to curtail risks associated with the technology to Jon Leibowitz, chairman of the FTC, and Mark Gorton, chairman of the Lime Group, which owns the most widely used P2P file-sharing application, LimeWire. A committee investigation revealed that LimeWire software permitted access to files containing confidential information belonging to government agencies and the public.

Peer-to-peer (P2P) software allows computer users to exchange files, most commonly songs and video clips, directly with other users who have installed the same file-sharing software. But if a P2P application is not configured properly, it can also expose other files on the user's hard drive, including documents that contain sensitive and private information, to every other user of the network.

The committee cited an episode where blueprints and the avionics package for the president's helicopter were found on a file server in Iran, and tracked the loss of the information back to a defense contractor in Bethesda, Md.

But the committee should shift much of the blame from file-sharing companies to agencies, said former government information technology managers. "The onus of responsibility and blame doesn't land totally on them," said Alan Balutis, director of the business solutions group at Cisco Systems and a former chief information officer at the Commerce Department. "I would take action against the [employees] who allowed this to happen, and use this as the basis for training or retraining on what one is supposed to be doing and not doing" to protect sensitive information.

Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002, said even those who downloaded the sensitive information may not be culpable. "This is not like a hack. No one is intruding into your network to get the information," he said. "You're providing an avenue in for files to be leached out to P2P sites, and legitimately accessed. Where are the grounds for prosecution? There aren't any."

"Anyone who would reach out to these sites from their office computer, who would expose sensitive and/or classified material, is breaking any number of existing rules and protocols," Balutis said.

He added that new regulations are not the answer; instead federal agencies and private organizations must strictly enforce existing policies, guidelines and standards with employees and partners.

Jacobs said any agency storing sensitive information should not allow employees to download P2P software and should scan its systems regularly to check for the file-sharing software. "P2P file sharing is a significant problem, and one that is not solved technically," he said. "It's solved through policy, policy enforcement and discipline."
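The two controls Jacobs describes, checking hosts for installed P2P clients and checking how any such client is configured to share, can be expressed as a small audit. The following is an added example, not code from Nextgov or from any P2P vendor: it runs over a constructed host inventory (installed programs, running processes, the client's configured share roots and the files it exposes) and flags a P2P client, a share root that exposes more than a dedicated share folder (the misconfiguration described above), and shared files whose type suggests documents rather than media. LimeWire is named in the article; the other client names and the document extensions are assumptions to be tuned per environment, and paths are treated as POSIX paths for simplicity.

```python
import fnmatch
import posixpath

# Substrings that identify common P2P clients in program or process names.
# "limewire" comes from the article; the rest are assumed, well-known client
# names and would be replaced with an environment's own blocklist.
P2P_INDICATORS = ("limewire", "frostwire", "bearshare", "kazaa", "emule", "utorrent")

# File types an agency would not expect to see in a media-sharing folder
# (assumed list; extend to match local document types).
SENSITIVE_GLOBS = ("*.doc", "*.docx", "*.xls", "*.xlsx", "*.pdf", "*.dwg", "*.msg")


def find_p2p_software(installed_programs, running_processes):
    """Return every installed program or running process that looks like a
    P2P client (case-insensitive substring match against P2P_INDICATORS)."""
    hits = []
    for name in list(installed_programs) + list(running_processes):
        low = name.lower()
        if any(indicator in low for indicator in P2P_INDICATORS):
            hits.append(name)
    return hits


def _is_within(path, root):
    """True if path equals root or lies underneath it (POSIX semantics)."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_share_roots(share_roots, home_dir, allowed_share_dir):
    """Flag every configured share root that is not inside the dedicated
    share folder. A root that contains the whole home directory (for
    example '/', '/home' or the home directory itself) is the worst case,
    because everything the user stores becomes downloadable."""
    findings = []
    for root in share_roots:
        if _is_within(root, allowed_share_dir):
            continue  # sharing only the dedicated folder is the intended setup
        if _is_within(home_dir, root):
            findings.append((root, "share root exposes the entire home directory"))
        else:
            findings.append((root, "share root is outside the dedicated share folder"))
    return findings


def find_sensitive_shared_files(shared_files):
    """Return shared files whose name matches a document pattern."""
    return [
        f for f in shared_files
        if any(fnmatch.fnmatch(posixpath.basename(f).lower(), g) for g in SENSITIVE_GLOBS)
    ]


def audit_host(inventory):
    """Run all three checks over one host inventory and return the findings."""
    return {
        "p2p_software": find_p2p_software(
            inventory["installed_programs"], inventory["running_processes"]),
        "risky_share_roots": audit_share_roots(
            inventory["share_roots"], inventory["home_dir"], inventory["allowed_share_dir"]),
        "sensitive_shared_files": find_sensitive_shared_files(inventory["shared_files"]),
    }


# Constructed inventory for one workstation: a P2P client is installed and
# running, and it has been configured to share the whole home directory
# in addition to the dedicated share folder.
CONSTRUCTED_INVENTORY = {
    "installed_programs": ["Microsoft Office 2007", "LimeWire 5.1", "Adobe Reader 9"],
    "running_processes": ["explorer.exe", "LimeWire.exe", "outlook.exe"],
    "home_dir": "/home/jdoe",
    "allowed_share_dir": "/home/jdoe/Shared",
    "share_roots": ["/home/jdoe/Shared", "/home/jdoe"],
    "shared_files": [
        "/home/jdoe/Shared/song.mp3",
        "/home/jdoe/Documents/contract-draft.docx",
        "/home/jdoe/Documents/budget.xlsx",
        "/home/jdoe/Pictures/vacation.jpg",
    ],
}

if __name__ == "__main__":
    for key, value in audit_host(CONSTRUCTED_INVENTORY).items():
        print(key, value)
```

In practice the inventory would come from the agency's software-inventory or endpoint-management tooling and the share roots from the client's own configuration, and a host with any P2P finding would be pulled from the network before the share audit even matters; the share checks are there for the case where a client is permitted and must be confined to one folder.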

The committee has investigated inadvertent file sharing on P2P networks before. At a hearing in July 2007, Lime Group's Gorton promised to modify the company's software to help prevent the sharing of confidential information. The committee reopened the investigation this month after determining LimeWire and other P2P providers had yet to take "adequate steps to address this critical problem."

Congress may not have the authority to compel the company to rewrite its software, said Bruce McConnell, former OMB information policy chief. "Government regulation of Internet service providers to control information exchanges by citizens can be difficult to achieve in a constitutional manner," he said. "It may be preferable to go after the people who illegally possess the content."
