Congress: P2P networks harm national security

WASHINGTON--Politicians charged on Tuesday that peer-to-peer networks can pose a "national security threat" because they enable federal employees to share sensitive or classified documents accidentally from their computers.

At a hearing on the topic, Government Reform Committee Chairman Henry Waxman (D-Calif.) said, without offering details, that he is considering new laws aimed at addressing the problem. He said he was troubled by the possibility that foreign governments, terrorists or organized crime could gain access to documents that reveal national secrets.

Also at the hearing, Mark Gorton, the chairman of Lime Wire, which makes the peer-to-peer software LimeWire, was assailed for allegedly harming national security through offering his product.

The documents at risk of exposure supposedly include classified government military orders, confidential corporate-accounting documents, localized terrorist threat assessments, as well as personal information such as federal workers' credit card numbers, bank statements, tax returns and medical records, according to recent studies by the U.S. House of Representatives Committee on Oversight and Government Reform, the U.S. Patent and Trademark Office, and private researchers.

Evidence that sensitive information is accessible through peer-to-peer networks illustrates "the importance of strengthening the laws and rules protecting personal information held by federal agencies" and other organizations, said Rep. Tom Davis (R-Va.), the committee's ranking member, who has sponsored a bill that would impose new requirements on government agencies that discover security breaches. "We need to do this quickly."

The politicians present Tuesday generally said they believe that there are benefits to peer-to-peer technology but that it will imperil national security, intrude on personal privacy and violate copyright law, if not properly restricted. Both Waxman and Rep. Paul Hodes (D-N.H.) dubbed P2P networks ongoing national security threats.

Congressional gripes about P2P networks are hardly new, and in the past, they have reinforced concerns raised by the Motion Picture Association of America and the Recording Industry Association of America. Four years ago, the same committee held a pair of hearings that condemned pornography sharing on P2P networks and also explored leaks of sensitive information. And throughout 2004, Congress considered multiple proposals that would have restricted--or effectively banned--many popular file-swapping networks. Waxman noted that he was not seeking to ban peer-to-peer networks this time around but rather to "achieve a balance that protects sensitive government, personal and corporate information and copyright laws."

To be sure, the kind of information leaks that alarmed politicians at Tuesday's hearing are most likely already against the law or federal policy. It is illegal for government employees to leak certain types of classified documents without approval, either electronically or through traditional paper means.

Mary Koelbel Engle, the associate director for advertising practices in the Federal Trade Commission's Bureau of Consumer Protection, said her agency has found in its studies of peer-to-peer network use that risks to sensitive information "stem largely from how individuals use the technology rather than being inherent in the technology itself."

Feds scramble to meet data breach deadline
By Anne Broache, CNET News.com
Published on ZDNet News: July 19, 2007, 4:00 AM PT

A correction was made to this story. Read below for details.
WASHINGTON—With only two months left before government agencies must figure out how to deal with data breaches and data theft, federal bureaucrats are scrambling to meet the looming deadline.

The deadline was created by a White House directive (PDF) published this spring that gave all federal agencies until September 22 to figure out the wisest way, using their “best judgment,” to come up with a plan to secure Americans’ personal data and to alert them if it falls into the wrong hands.

Finishing everything by that date is “definitely a challenge,” Mischel Kwon, chief IT security technologist for the U.S. Department of Justice, said Wednesday.

The White House’s order appears to have been prompted by a rash of computer security foibles at federal agencies in recent years, including the high-profile theft last year of a laptop and hard drive containing data on 26.5 million past and present military personnel.

Although Congress has been weighing legislation that would prescribe new requirements for government agencies and businesses that suspect or discover security intrusions, one supporter of a new such law said Wednesday that it might be better to wait and see if everyone does a good job of meeting the September 22 deadline.

“I don’t like being overly prescriptive,” Rep. Tom Davis (R-Va.) told an audience of about 250 representatives from various federal and state government agencies attending a briefing organized by the Homeland Defense Journal. “If we allow them to do their job and give them appropriate training, they can do a better job than we can in Congress.”

While it’s not clear how effective a set of written policies will be if they’re not always followed and not part of the culture of an existing agency, the White House memo does recommend techniques such as encryption, limiting remote access and access logging. At the very least, the memo says, egregious disregard of privacy safeguards would result in an employee’s “prompt removal of authority to access information.”

The chief privacy officers for the U.S. Department of Homeland Security and the Federal Trade Commission said they were in the process of taking steps to comply with the White House order. Homeland Security’s Hugo Teufel said he sent a memo on Tuesday to top officials within the department outlining what its plans would be, although he did not describe them at Wednesday’s session.

The FTC’s chief privacy officer, Marc Groman, said his agency had prepared a 12-page compliance plan last month. He showed the audience a slide with the document’s table of contents, which covered topics including notifying third parties, notifying individuals and identity theft risk analysis. The FTC has also set up a Breach Notification Response Team composed of high-level officials from throughout the agency who would be charged with meeting “immediately” to do an initial evaluation of a breach report and to decide what to do next.

But some officials speaking at the briefing session cautioned against relying too heavily on abstract policies alone.

“From a security point of view, the biggest challenge with this directive is actually doing security,” said the Justice Department’s Kwon. “I don’t think security is addressing bullets in a memo; I think it’s evaluation and risk assessment, and sometimes it’s more and sometimes it’s less than the bullets on the page.”

A common thread among the presentations was that of building flexibility into the written policies—and to work hard at making sure employees and contractors at every level actually know about and understand what to do.

“Whenever you have humans or carbon-based forms, they make mistakes, so you have to train, train, train,” Homeland Security’s Teufel said.

The FTC’s Groman urged the audience to do more than merely draft policy statements. In March, the trade agency held a weeklong privacy summit for its employees, devoting one mandatory “clean-up day” to forcing everyone, clad in jeans and T-shirts—if they wished—to take inventory of all of the sensitive or personally identifiable information they had in their possession (including in their cubicles or on their computers).

The agency plans to stage a similar event later this year focused on protecting agency data. It has already started drafting posters bearing questions like, “You left your FTC BlackBerry on the Metro—What do you do?” The unsurprising answer at the bottom: “Tell your manager.”

Others on the panel encouraged federal agencies to think rationally about their plans for protecting data in the first place. Many agencies, for instance, are tempted to adopt a blanket practice of hard drive encryption on their machines. But that isn’t necessarily the wisest option because it’s only effective if a computer isn’t already booted up, warned the Justice Department’s Kwon and Tim Grance, manager of systems and network security for the National Institute of Standards and Technology (NIST). They said it’s important to tailor different levels of protection to the type of data being shielded.

Besides, any form of encryption “doesn’t do a lot of good if you’re not going to use keys properly,” Grance said. “It’s not going to do you a lot of good if you use your e-mail password for the encryption key...That’s high on my list of dumb things to do.”

Correction:This story misidentified the publication that hosted a briefing on data breach prevention, mitigation and notification. It is the Homeland Defense Journal.

Ooops, here is the rest of the story, page 2 as Paul Harvey would say:

Congress: P2P networks harm national security
By Anne Broache, CNET News.com

(continued from previous page)
(the top article)

Some politicians nonetheless lashed out at the sole representative from a peer-to-peer software company at Tuesday’s hearing: Lime Wire’s Gorton, who is also CEO of parent company Lime Group.

The most scathing criticism came from Rep. Jim Cooper (D-Tenn.), who launched into a lengthy monologue in which he deemed Gorton “one of the most naive chairmen and CEOs I’ve ever run across,” and accused his company of making the “skeleton keys” that grant access to material harmful to U.S. national security.

“I’d feel more than a shade of guilt at this point, having made the laptop a dangerous weapon against the security of the United States,” Cooper said. “Mr. Gorton, you seem to lack imagination about how your product can be deliberately misused by evildoers against this country.” (Cooper also, at one point, claimed that Gorton’s own home computer was probably leaking sensitive documents.)

Rep. Darrell Issa (R-Calif.) warned Gorton that Lime Wire’s practices may open the company up to serious legal liability.

“Would it surprise you if you have a string of lawsuits for inherent defect in your product if people like Charlie Mueller of Missouri finds out he’s lost his IRS filings and feels he’s been damaged?” Issa asked.

Gorton repeatedly defended his company’s practices and said he wasn’t aware of the extent to which national security information was being accessed through his network.

Lime Wire strives to make its product easier to understand and is working on a new version even more tailored to the “neophyte” user, Gorton said. The software incorporates a number of warnings intended to stave off inadvertent file sharing, he added. For instance, pop-up messages appear when users attempt to share folders, such as the all-encompassing “My Documents” folder and the root directory, which are considered likely to contain sensitive information.

“A lot of the information that gets out there now is because people accidentally share directories that they wouldn’t mean to share clearly,” Gorton said. “Those warnings are not enough, at least in a handful of cases.”

That assertion drew sharp disagreement from Thomas Sydnor, an attorney-advisor in the Patent Office’s copyright group. He said peer-to-peer users are being tricked into sharing files they don’t intend to make public and claimed that LimeWire’s warnings to that effect don’t always appear as they should.

In research for a report released in March, the Patent Office found it “stunning to see features that are incredibly easy to misuse,” Sydnor said. “You can go to an interface in these programs that looks like you’re doing nothing except choosing a place to store files, and you end up sharing recursively all the folders on your computer. It’s very easy to make a catastrophic mistake.”

Earlier this year, the Department of Transportation experienced an incident in which an employee’s daughter installed LimeWire on the home computer that her mother occasionally uses for telework—and misconfigured it in such a way that documents from the department and the National Archives were open to others using the network—including a Fox News reporter. Forensic analysis determined that some of those documents were already publicly accessible and that none of the DOT documents contained sensitive personally identifiable information about anyone other than the employee herself.

The agency’s chief information officer, Daniel Mintz, told the committee that his agency already has sufficient authority to combat “inadvertent” file sharing and that it already is required to take such activity into account in its annual information security reports to Congress.

The key to preventing additional incidents like that one, Mintz told the politicians, is for his agency to step up oversight and “to make sure we’re really pushing the policy,” which requires written authorization for installation of P2P programs on government machines. That also means beefing up training for its employees and making sure that they’re aware of what the limits are, he added.

General Wesley Clark, who now serves on the board of a small company called Tiversa that makes applications designed to monitor peer-to-peer file-sharing activity, called for “some pretty hard-nosed policies by business and government contractors that prevent people from doing government work on computers that have anything to do with the peer-to-peer networks.”

“Even when people...are sophisticated with computers, they can still make a mistake, and all that material can be gone in an instant,” the former Democratic presidential candidate told the committee.

CNET News.com’s Declan McCullagh contributed to this report.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.