
Bill would ban P2P use on federal networks, PCs

The chairman of the House Oversight and Government Reform Committee introduced legislation on Tuesday to prohibit the use of peer-to-peer (P2P) file-sharing software across all federal government computers and networks.

The "Secure Federal File Sharing Act" would direct the White House's Office of Management and Budget to issue guidelines barring the use and/or installation of P2P software on federal systems, unless otherwise approved for a specific purpose. The bill also calls on OMB to develop a policy that would extend to networks and computers operated by agency contractors, as well as to personal computers of federal employees remotely accessing federal networks.


"We can no longer ignore the threat to sensitive government information that insecure peer-to-peer networks pose," said Rep. Edolphus Towns, the Democrat from New York who chairs the House oversight panel, in a statement. "Voluntary self-regulations have failed so now is the time for Congress to act."

The bill comes in response to a series of high-profile and embarrassing P2P breaches that have compromised sensitive government and personal information. Most recently, a document containing the names of at least 30 lawmakers who have been investigated by a House ethics committee was inadvertently leaked to P2P networks.

Other recent P2P breaches include the disclosure of electronic schematics to the President's helicopter, "Marine One"; the financial information belonging to Supreme Court Justice Stephen Breyer; and the location of a U.S. Secret Service safe house for the First Family.

A bill passed by the House Energy & Commerce Committee in September, called the Informed P2P User Act, would require P2P software makers to provide "clear and conspicuous" notice about files being shared by the programs, and get the user's consent before sharing them. That bill also would crack down on P2P vendors that silently bundle adware or other software with their programs, or make the software difficult to remove.

The full text of the new bill, H.R. 4098, is available here.

By Brian Krebs  |  November 18, 2009; 12:50 PM ET
Categories:  U.S. Government  | Tags: p2p  

Comments

re: HR4098

Boy, that will stop the P2P users. Make it illegal, like cell phone use while driving, texting while driving, DUI. All those worked?

As far as government computers, have the IT departments lock them down tight, but forbidding someone, who might access a government computer from home, from using P2P sharing? I don't think so.

We'll MAKE the software writers tell us what files they are transferring. That will work too. Do you think the writers of KAZAA would actually do that? There are millions of copies of a perfectly functional version of that program installed worldwide. What makes you think that someone will be willing to replace their copy with one that will ask questions? Take a look at some of the file names for running programs from the Windows Task Manager. Can many people even guess what some of the functions may be? How would the average user even begin to know?

Maybe it's the skeptic in me, but this will NEVER work.

Posted by: blasher | November 18, 2009 3:51 PM | Report abuse

Why stop there? Ban RIAA and MPAA from using (read actively trying to subvert) P2P networks as well :-D

Posted by: Annorax | November 18, 2009 8:21 PM | Report abuse

I think previous commenters have missed the point. These are federal networks. File-sharing has no place in any work environment except software development or security.

It is about time people stop feeling sorry for the end user who puts this sort of software on a work computer. It is like handing a gun to crooks.

Most supervisors would have no trouble firing someone who left the office safe keys out where they could be stolen, but somehow equally irresponsible behavior with a computer is ok. Just because a business assigns you a car to do a job does it mean you get to take it to the race track or street drag.

It is about time for personnel policies to say if you install this sort of software you get fired.

It may have been a reasonable idea to allow employees to use computers for their own business when they were rare and expensive. Now when netbooks are $200, that day is over and done.

Posted by: eteonline | November 19, 2009 8:14 AM | Report abuse

This will be difficult to enforce. The P2P protocol is used in delivering all kinds of Web content that will be viewed as legit by many of the computer users on the network. For example, President Obama's Inauguration Address was delivered by CNN using a P2P protocol. Should every person that watched that at work under this legislation be arrested? The authors of this legislation will have an impossible time knowing how to word the technical aspects of this. Congress should just make it illegal to load unapproved software and illegal to leak sensitive information.

Posted by: wwwmikeb | November 19, 2009 10:33 AM | Report abuse

How is that NOT established as a federal law already??? I work as an IT administrator for a hospital and would NEVER allow a computer with P2P software on the network. I give the employee an option: either remove the software and files downloaded from the software or buy another computer to work on.

Additionally, they sign a dual-use agreement stating that if there is P2P software found on a work computer they may be terminated just because it is there! P2P software is how 95% of all the malware, trojans, and hacks are infiltrating our computer systems.

I would hope that the government would be more sophisticated than myself in implementing IT policy.

Posted by: ze111ze | November 19, 2009 10:51 AM | Report abuse

I hope that doesn't include torrents which are more like traditional downloads but using some peer to peer technology (you can't accidentally share your own files with bittorrent). It's a ton faster (20 minutes vs 4-6 hours) to get Linux isos from the torrent links instead of using direct downloads.

Posted by: hesaid | November 19, 2009 11:39 AM | Report abuse

It's probably not an overarching law but it's already enforced in different agencies through different policies.

It's illegal where I work and the sniffers are watching. And yes... There will be no torrent on federal networks. And just because CNN used P2P to stream doesn't mean the federal govt does that.

This is just a law to solidify the myriad of laws already in place.

Posted by: ihatethisplace | November 19, 2009 11:53 AM | Report abuse

Hello? The INTERNET is a peer-to-peer system. That's the way it was designed, and that's the way it works. Unless this law was written by engineers, it's likely that it effectively criminalizes ALL Internet traffic, and puts us all at the mercy of prosecutorial discretion.

This legislation, bought and paid for by the RIAA/MPAA cartel, is just one step in the demonization and criminalization of any P2P systems they disapprove of. Rep. Edolphus Towns (D-RIAA/MPAA) has made a cottage industry of promoting such legislation.

Posted by: DupontJay | November 19, 2009 12:06 PM | Report abuse

I don't entirely get it... I mean users should be educated but isn't the real solution to let each agency's IT staff and security professionals filter this stuff at the router? Users no matter how well educated are always going to be more exploitable than the IT professionals that are in the know. And how would this affect Contractors? The Helicopter schematics as I recall were stolen off a contractor's computer. Nice article bk.

Posted by: dward__ | November 19, 2009 12:07 PM | Report abuse

These regulations are already mainstream within the government as part of the certification and accreditation requirements for any and all information systems on government networks.

So.... IMO this is just a half-hearted attempt to add yet another layer of bureaucracy on something that has already been well-established...

Have they thought about working on something we haven't already addressed yet? Like getting Marxists out of Congress and the White House?

Posted by: ProveMeWrong | November 19, 2009 12:21 PM | Report abuse

P2P is already banned on government computers through NIST controls. This is just a knee jerk reaction to the ethics breach. If the reports about the breach were correct, the file was on the staffer's home PC. This ban would have no effect.

Congress is generally exempt from all of these rules. The weakness is with the way Congress does security.

Posted by: cashink2003 | November 19, 2009 12:21 PM | Report abuse

I manage a network of about 160 computers (small compared to the government). Users can not install software on company computers, let alone use P2P even if they brought in a laptop from home...
I block all P2P at my firewall (as well as proxy and avoidance sites).
Users do not need P2P in a work environment (IMHO). Just my 2 cents worth.

Posted by: n3ujj | November 19, 2009 12:30 PM | Report abuse

Well, when you get hired to do a job, most employers believe they hired an employee with SOME brains. Now, hopefully, for those employees who didn’t understand the problems that come with installing P2P software, maybe the law will put some bite behind it. If you want to share music or movies, I am fine with that; that’s up to you. That should be done on your own computer at home. However, someone should be held accountable for lost information and data. Hopefully, this law will clean up stupid mistakes. If you don’t know data loss could happen this way, why did you install P2P software? If a federal employee (or anyone with access to my personal data) does this, immediately fire them! There is no place for an open network with P2P software, especially since the pitfalls are known entities. I don’t think the legislation is aimed at what people are doing in their own homes on their own time.

Posted by: ummhuh | November 19, 2009 12:40 PM | Report abuse

I work at USDA and we constantly share files via Netmeeting. We work with folks in KC every day and really need to share data. Now we will be back to having to travel out there to actually be seeing the same thing in our meetings. It makes no sense at all. Another nightmare to make our jobs even more difficult.

Posted by: Sharon1949 | November 19, 2009 12:49 PM | Report abuse

To DupontJay and Sharon1949; there is a distinct difference between information sharing and P2P software. P2P software has been used since its creation to distribute content (music, movies, documents) that generally SHOULD be paid for! It also should be obtained from the distributor legitimately, not from some teenager in China who hacked the file...

The fool in this story was probably too LAZY to save his/her GOVT documents to a different folder than his P2P items were in! The fact is that the P2P software should never have been installed on a work computer (either at the office or at home.)

Having security measures in place is NOT infringing on anybody's freedom. It's to protect people from their own stupidity! If that means more work for you then be happy you're employed ;)

Posted by: ze111ze | November 19, 2009 1:13 PM | Report abuse

I work at USDA and we constantly share files via Netmeeting. We work with folks in KC every day and really need to share data. Now we will be back to having to travel out there to actually be seeing the same thing in our meetings. It makes no sense at all. Another nightmare to make our jobs even more difficult.

Posted by: Sharon1949
=======================

Sharon, your ability to use remote tools to do your job on a government network will not change. You will not have to begin travelling to accommodate this legislation.

What you use, and the reasons for it are in no way related to P2P legislation. Besides, there are plenty of collaboration tools to use that ARE approved already if they don't like NetMeeting...

Posted by: ProveMeWrong | November 19, 2009 2:05 PM | Report abuse

Sharon1949, how did you ever get employment with the Government that gives you computer access when you are clearly... dumber than a bag of hammers?

Posted by: biffgrifftheoneandonly | November 19, 2009 2:34 PM | Report abuse

DupontJay:
My first thought was very similar: Unless programmers wrote this law, it will probably outlaw Microsoft Windows, as well as any other OS that provides file sharing over the Internet or even over a LAN.

Lawmakers have a bad tendency to say, "You know what I meant," while other lawyers say, "I only know what you wrote."

Posted by: jjjdavidson | November 19, 2009 3:36 PM | Report abuse

While this makes smart policy, it will need to be implemented in several layers. This makes a strong case for web filtering service providers as one of the key layers.

My employer finally began using one and started by taking known security threat categories offline. This included P2P sites - this seems like a basic step to protect work files.

You can do this for free at home using OpenDNS.

As far as the USDA needing P2P to share files... Maybe they've eaten too many "downer" cows there and the wacky prions have made them mad.

Posted by: ohiomc | November 19, 2009 4:47 PM | Report abuse

The word "illegal" has been thrown around too lightly on several of these posts (e.g., "It's illegal where I work." No, it's not; it's just against policy.). Federal legislation is not needed to make P2P illegal (i.e., against the law), even on federal government computers. Private enterprises have no trouble enforcing bans of particular types of software on their machines, and violations for inappropriate data sharing are punishable by termination. (There are some special cases, such as HIPAA, which are legislated.) Why do we need another federal law which will rest in the United States Code in perpetuity to handle this problem, which is essentially a policy enforcement failure? Oh yeah -- the "lawmakers who have been investigated by a House ethics committee" were highly embarrassed by it.

Whenever Congress has tried to legislate technology, it has generally been a miserable failure. Look no further than the Digital Millennium Copyright Act or the Telecommunications Act of 1996.

Posted by: 54Stratocaster | November 19, 2009 9:44 PM | Report abuse

I suspect the real purpose of a law banning P2P file sharing on US government networks has less to do with protecting the president's helicopter (What on earth was a schematic doing on a non-secured network in the first place?) than it does to keep government employees from stealing the property of record companies on government time using government resources. Bravo!

Posted by: MichaelOwen04 | November 20, 2009 11:08 PM | Report abuse

"It is about time people stop feeling sorry for the end user who puts this sort of software on a work computer."

Yes, yes, yes, yes, yes.

"Your" work computer is not YOUR computer to do with as you see fit. It belongs to your company/agency and they permit you to use it as part of your job. Nobody - nobody - has a right to do P2P on a work machine. That's what your home machine is for.

Posted by: jamshark70 | November 23, 2009 8:29 AM | Report abuse

The comments to this entry are closed.

 
 