Banning file-sharing software won't keep data safe from hackers

As House leaders reassess guidelines that led to the disclosure of an internal ethics report, security experts say audits and tests also are needed to protect information.

Stricter rules won't deter government employees from using file-sharing services that can expose sensitive documents, as happened with the inadvertent release of an internal congressional report about House members' possible ethical violations, security professionals said.

House Speaker Nancy Pelosi, D-Calif., and Minority Leader John Boehner, R-Ohio, announced on Friday plans for the chief administrative officer's information security department to perform "an immediate and comprehensive assessment of the policies and procedures for handling sensitive data," in response to a data breach that disclosed documents detailing the status of investigations into lawmakers' activities on subjects such as influence peddling and defense lobbying, according to the Washington Post.

The report's release was due to peer-to-peer (P2P) software, which allows computer users to exchange files, most commonly songs and video clips, directly with other computer users who have downloaded the file-sharing software. But if a user does not configure the file-sharing software properly, it also exposes other files stored on that computer to everyone on the network.

The House prohibits using peer-to-peer applications on computers, but Pelosi and Boehner said in the statement that they "are working diligently to provide the highest level of data security for the House in order to ensure that the operations of House offices are secure from unauthorized access."

But developing a tighter security policy will do little to reduce the risk that other files will be inadvertently released to the public, said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team.

"[A ban] does not ensure that P2P is not being used in blatant violation of policy, or that there are not existing compromised computers that have remotely deployed P2P," he said. "Policy compliance in the absence of a dynamic audit is impossible, [and any] assumption that only insiders can violate policies" is false because so many electronic devices have been compromised.

Kellermann said tests that determine how well computer systems can withstand break-in attempts are essential to thwarting these types of breaches. He also suggested using the Consensus Audit Guidelines, which instruct agencies to first fix vulnerabilities in federal networks that hackers are known to exploit most frequently, to understand how vulnerable government organizations are to cyber infiltration and how frequently users violate security policies.
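The misconfiguration described above (a share root that takes in more of the disk than intended) and the "dynamic audit" Kellermann calls for can be combined into a simple policy check. The following is an added example, not code from the article or from any vendor named in it; the share list, approved share root and sensitive directories are constructed sample values standing in for what an auditor would collect from a P2P client's configuration.

```python
from pathlib import PurePosixPath

# Constructed sample: directories a P2P client on one workstation is configured
# to share (hypothetical paths, not taken from any real client).
SAMPLE_SHARES = ["/home/staff/Public/music", "/home/staff", "/srv/reports"]

# Hypothetical policy: shares may only live under this root ...
ALLOWED_ROOTS = ["/home/staff/Public"]
# ... and must never take in these directories.
SENSITIVE_DIRS = ["/home/staff/Documents", "/srv/reports/ethics"]


def _contains(parent, child):
    """True if child is the same directory as parent or lies beneath it."""
    parent, child = PurePosixPath(parent), PurePosixPath(child)
    return child == parent or parent in child.parents


def audit_shares(shares, allowed_roots, sensitive_dirs):
    """Return (share, reason) findings for every share that violates policy.

    A share is flagged when it sits outside every approved root, and again
    for each sensitive directory it would expose. A share that is exactly an
    approved root passes the first check but is still checked for exposure.
    """
    findings = []
    for share in shares:
        if not any(_contains(root, share) for root in allowed_roots):
            findings.append((share, "outside approved share root"))
        exposed = [d for d in sensitive_dirs if _contains(share, d)]
        if exposed:
            findings.append((share, "exposes " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for share, reason in audit_shares(SAMPLE_SHARES, ALLOWED_ROOTS, SENSITIVE_DIRS):
        print(f"VIOLATION {share}: {reason}")
```

Run against a real client's configuration, the same check catches the case on the page: a user who shares a home or project directory rather than a dedicated public folder.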

The House is aware of the risks associated with file-sharing software. In an April 20 letter to Attorney General Eric Holder, the Oversight and Government Reform Committee expressed concern about "the significant risk posed to American citizens and entities from the accessibility of sensitive private and government information on peer-to-peer file-sharing networks," and pushed the Justice Department and Federal Trade Commission to prosecute those who use file-sharing services to download sensitive information.

During one of several hearings on the topic in July, committee chairman Edolphus Towns, D-N.Y., announced plans to introduce a bill banning the software from all government and contractor computers. He has yet to introduce the bill.

The hearings were held in the wake of an episode in which blueprints and the avionics package for the president's helicopter were found on a file server in Iran. The source of the information was traced back to a defense contractor in Bethesda, Md.

"Open file sharing does not fit a business or government environment," said Alan Paller, director of research at the SANS Institute, a cybersecurity research and education organization. Congress and federal agencies should identify and eliminate file-sharing software from network computers, he added.

Long before P2P software became popular for sharing music and videos, people used file sharing for convenience, adjusting permission settings on network directories so they could reach files in certain directories from their own computers, according to Paller.

"They nearly always forgot they had done that and lots of pain ensued when confidential information leaked thanks to that convenience," he said. "It was a very bad idea then, practiced only by people who were incapable of setting up more rigorously controlled sharing between specific people for specific projects, [and] it's an even worse idea now, when malicious outsiders are actively looking for those holes."

Dale Meyerrose, vice president for cyber and information assurance at Harris Corp., cautioned against an all-out ban of the file-sharing software, recommending instead that agencies develop stronger security controls to prevent the services from being misused.

"You can't legislate out stupidity or poor common sense," said Meyerrose, who served as chief information officer for the Office of the Director of National Intelligence during the Bush administration. "Unless you remove all people from the process, [breaches] will happen. But it's an ostrich approach of sticking your head in the sand to say, 'We need to ban use completely.' People are looking for technology to solve problems, and there are all kinds of ways to do this securely."

Meyerrose suggested provisions that would prevent employees from downloading sensitive data, along with monitoring employee behavior on the network to ensure only authorized users access classified information. He also suggested prosecuting those who violate policies.

"You have to figure out how to make it protectable, securable and check-worthy," Meyerrose said. "Too often the IT folks say, 'No, not on my watch,' because they don't want to do the harder job of finding a way to make it work."