U.S. Rep. Edolphus Towns (D-N.Y.) this week introduced H.R. 4098, “The Secure Federal File Sharing Act,” which would require the Office of Management and Budget to issue guidance to prohibit the personal use of peer-to-peer file-sharing software by government employees.
Towns, who sits on the House Oversight Committee, might have been motivated to prevent another Congressional data breach. As Senior News Writer Linda Tucci reported last month, P2P file sharing exposed secret Congressional investigations at the House Ethics Committee. As Tucci observed:
The source who tipped off the reporters is not connected to the congressional investigations … Which makes this security breach all the more scary. The incident should add a big jolt to the Committee on Oversight and Government Reform hearings under way on inadvertent file sharing over P2P file sharing networks.
Tucci was right on the money here. The Secure Federal File Sharing Act was referred to the House Committee on Oversight and Government Reform. Should it be enacted, the director of the Office of Management and Budget, “after consultation with the Federal Chief Information Officers Council,” will have to issue guidance within 90 days, intended to:
- “prohibit the download, installation, or use by Government employees and contractors of open-network peer-to-peer file sharing software on all Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf, unless such software is approved in accordance with procedures under subsection (b);” and
- “address the download, installation, or use by Government employees and contractors of such software on home or personal computers as it relates to telework and remotely accessing Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf.”
The introduction of the Secure Federal File Sharing Act comes at a time of heightened concerns about cybersecurity threats. As Tucci also reported in August, a congressional hearing on inadvertent P2P file sharing showed how much risk is involved:
Classified or sensitive files recently found on P2P file sharing networks included: the Secret Service safe house location for the first lady, the Social Security numbers of every master sergeant in the Army, medical records of some 24,000 patients of a Texas hospital and the entire Outlook calendar of an individual who handles all the merger and acquisition activity at a well-known, publicly traded company, with attachments detailing every proposed deal.
A listing of every nuclear facility in the U.S. turned up on four sites in France. Last week also showed that illicit music downloading can have serious legal consequences: a Boston University graduate student was ordered to pay $675,000 in damages for illegally downloading songs and sharing them online.
Tucci was also right about the cautionary tale involved here: CIOs and compliance officers should all revisit their policies on the use of P2P file sharing software. As she reported in August, research from Forrester shows that “73% of companies take some kind of stance on P2P, but only 18% ban it outright. Companies tend to view P2P file sharing as more of a bandwidth issue than a security risk.”
Given the steady leakage of personally identifiable information, proprietary data and other sensitive content onto these networks over the past few years, security concerns may mean the days of peer-to-peer file sharing have come to an end, both on and off federal IT infrastructure.