[Infowarrior] - White House objects to plan for .gov P2P security

Richard Forno rforno at infowarrior.org
Sat Feb 16 14:38:12 UTC 2008


White House objects to plan for .gov P2P security
Posted by Anne Broache
http://www.news.com/8301-10784_3-9872366-7.html

WASHINGTON--The Bush administration on Thursday questioned a proposed law
that would force federal agencies to develop specific plans for guarding
government computers and networks against "risks" posed by peer-to-peer file
sharing.

The Democratic-sponsored bill, called the Federal Agency Data Protection
Act, contains a section asking federal agencies to report to Congress what
"technological" (e.g., software and hardware) and "nontechnological" methods
(such as employee policies and user training) they would employ to ensure
peer-to-peer file-sharing programs do not harm the security of government
systems.

The proposal, introduced late last year, is the latest manifestation of
congressional Democrats' concern about the perils of so-called "inadvertent"
file-sharing--that is, when inexperienced or uninformed peer-to-peer users
set their applications to share folders containing sensitive files without
realizing they're doing so.

At a hearing last summer, Rep. Henry Waxman, chairman of the House of
Representatives Committee on Oversight and Government Reform, said such a
practice can pose a national security threat and warned of plans for new
legislation. He and others grilled the founder of Lime Wire, a popular P2P
application, about how his service warns users about the files and folders
they're poised to share. At the time, a Federal Trade Commission official
told politicians that it has found any risks are largely rooted in how
individuals use the technology.

The Bush administration appears to be backing up that view. Without naming
the peer-to-peer file-sharing provision in particular, Karen Evans, the
federal government's chief information officer, told a House information
policy subcommittee that she objects to singling out a particular technology
when issuing computer security requirements.

"While we recognize that technologies that are improperly implemented
introduce increased risk, we recommend any potential changes to the statute
be technology-neutral," Evans said at the sparsely attended hearing, which
barely lasted an hour.

Federal agencies are already required to report on information security
plans and risks annually under a law known as the Federal Information
Security Management Act, or FISMA. Based on those plans, members of Congress
have taken to issuing a yearly "report card" assessing agencies' status.

Without ever mentioning the Democrats' bill, Rep. Tom Davis (R-Va.), FISMA's
original author, said he agreed that a "technology-neutral" approach, which
refrains from being "overly prescriptive," is the best way to go.

Davis went on to urge passage of his own federal computer security bill,
which passed the last Republican-controlled House but died in the Senate. It
would require federal agencies to give "timely" notice to Americans if their
sensitive personal information is compromised, as there's currently no legal
requirement that they do so.

Some security experts warned the committee that piling on paperwork for
federal agencies, as FISMA requires, isn't necessarily the most efficient
way to improve security. Alan Paller, director of research for the SANS
Institute, which does computer security training, said agencies need more
guidance on what security-related steps to prioritize, rather than just a
long list of items to complete.

"We want to avoid a 'check the box' mentality," added Tim Bennett, president
of the Cyber Security Industry Alliance, a trade group that represents
security technology vendors.

Still, Bennett said his group "strongly" supports the latest bill and its
peer-to-peer network section.

"File-sharing can give users access to a wealth of information but it also
has a number of security risks," he said. "You could download viruses or
other malicious code without meaning to. Or you could mistakenly allow other
people to copy files you don't mean to share."