USDA unit bans browsers other than Internet Explorer

An Agriculture Department agency has begun enforcing a policy banning the use of Web browsers other than Microsoft's Internet Explorer, to the surprise of employees who rely on other browsers, such as Mozilla's Firefox, to help in developing Web sites for public use.

An operations manager at USDA's Cooperative State Research, Education and Extension Service on Friday e-mailed a memo to CSREES employees that stated, "In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed."

The Federal Desktop Core Configuration, a 2008 governmentwide policy administered by the Office of Management and Budget, requires that agencies standardize operating system and browser settings to prevent security breaches. OMB officials said the configuration does not require agencies to bar non-IE browsers.

Caleb Weaver, an Agriculture spokesman, said CSREES' browser restriction is not a departmentwide policy. USDA officials are still looking into why the office is implementing the policy, he added. CSREES supports research on the biological, physical and social sciences pertaining to agriculture throughout universities and other partner institutions.

USDA employees said they were told Firefox browsers had allowed security breaches within the division. Settings on Internet Explorer can be managed centrally to exert greater control over computers throughout an enterprise, whereas other browsers cannot be managed centrally, employees were told.

In addition to Firefox and Chrome, other popular non-Microsoft browsers include Apple's Safari. Central management tools for non-IE browsers are hard to find, since Mozilla, Apple and Google are consumer-focused companies rather than enterprise vendors, cybersecurity specialists said.

OMB officials do not have information about which agencies have opted to bar non-Microsoft browsers. Agencies manage their desktop infrastructure "within policies we establish, such as Federal Desktop Core Configuration," officials said.

Cybersecurity specialists said the ban could be a case of managers taking a sound policy to the extreme.

The core configuration "definitely does not say you have to use IE, so CSREES policy certainly makes no sense from that perspective. It does make sense to standardize on one browser if possible," said John Pescatore, a vice president and research fellow at Gartner Research who specializes in network security.

Standardizing makes it easier to fix program bugs because an information technology specialist needs to patch only one browser.

Most attacks exploit vulnerabilities in older IE browsers, so the best approach to improving security would have been to standardize on either Internet Explorer 8 or Firefox, Pescatore said.

"There have been a lot of day zero attacks against IE vulnerabilities this year and maybe CSREES was really trying to standardize on the latest, patched version of IE and went a bit too far without thinking through the consequences," said Pescatore. Day zero (zero-day) attacks use malicious programs that exploit a security vulnerability before a fix for it is available, often hitting many computers at once, typically on the day the flaw becomes public.

USDA employees, who were not authorized to speak on the record, said they were shocked by last week's announcement because of the timing and the disruption it could cause. Agriculture IT specialists, as part of their jobs, have to use alternative browsers to test public-facing USDA Web sites that citizens can access through Firefox, Chrome and other browsers.

The new policy will make it more difficult to support public Web users, employees said. Managers should have set up alternative testing networks or provided other tools before restricting browsers, the employees argued.

Administration officials more than a year ago required agencies to standardize system settings as part of the federal desktop policy, but "the truth of the matter is that no one could get down" to a few configurations "because you end up breaking some [software] application," said Ed Meagher, former deputy CIO at the Interior Department and former CTO at the Veterans Affairs Department.

The Bush administration "put a lot of emphasis on it early and everyone agreed it was a necessary step to get down to some level of configurations that could be managed," he said. "It's very hard to do cybersecurity if thousands of configurations are acceptable."

But the policy emerged at the end of the Bush administration, when government officials were running out of steam and could not enforce it, he added.
