COMPUTERS
February 14, 2008 10:30 AM PST

White House objects to plan for .gov P2P security

Posted by Anne Broache

WASHINGTON--The Bush administration on Thursday questioned a proposed law that would force federal agencies to develop specific plans for guarding government computers and networks against "risks" posed by peer-to-peer file sharing.

The Democratic-sponsored bill, called the Federal Agency Data Protection Act, contains a section asking federal agencies to report to Congress what "technological" (e.g., software and hardware) and "nontechnological" methods (such as employee policies and user training) they would employ to ensure peer-to-peer file-sharing programs do not harm the security of government systems.

The proposal, introduced late last year, is the latest manifestation of congressional Democrats' concern about the perils of so-called "inadvertent" file-sharing--that is, when inexperienced or uninformed peer-to-peer users set their applications to share folders containing sensitive files without realizing they're doing so.

At a hearing last summer, Rep. Henry Waxman, chairman of the House of Representatives Committee on Oversight and Government Reform, said such a practice can pose a national security threat and warned of plans for new legislation. He and others grilled the founder of Lime Wire, a popular P2P application, about how his service warns users about the files and folders they're poised to share. At the time, a Federal Trade Commission official told politicians that it has found any risks are largely rooted in how individuals use the technology.

The Bush administration appears to be backing up that view. Without naming the peer-to-peer file-sharing provision in particular, Karen Evans, the federal government's chief information officer, told a House information policy subcommittee that she objects to singling out a particular technology when issuing computer security requirements.

"While we recognize that technologies that are improperly implemented introduce increased risk, we recommend any potential changes to the statute be technology-neutral," Evans said at the sparsely attended hearing, which barely lasted an hour.

Federal agencies are already required to report on information security plans and risks annually under a law known as the Federal Information Security Management Act, or FISMA. Based on those plans, members of Congress have taken to issuing a yearly "report card" assessing agencies' status.

Without ever mentioning the Democrats' bill, Rep. Tom Davis (R-Va.), FISMA's original author, said he agreed that a "technology-neutral" approach, which refrains from being "overly prescriptive," is the best way to go.

Davis went on to urge passage of his own federal computer security bill, which passed the last Republican-controlled House but died in the Senate. It would require federal agencies to give "timely" notice to Americans if their sensitive personal information is compromised, as there's currently no legal requirement that they do so.

Some security experts warned the committee that piling on paperwork for federal agencies, as FISMA requires, isn't necessarily the most efficient way to improve security. Alan Paller, director of research for the Sans Institute, which does computer security training, said agencies need more guidance on what security-related steps to prioritize, rather than just a long list of items to complete.

"We want to avoid a 'check the box' mentality," added Tim Bennett, president of the Cyber Security Industry Alliance, a trade group that represents security technology vendors.

Still, Bennett said his group "strongly" supports the latest bill and its peer-to-peer network section.

"File-sharing can give users access to a wealth of information but it also has a number of security risks," he said. "You could download viruses or other malicious code without meaning to. Or you could mistakenly allow other people to copy files you don't mean to share."

6 comments
Smoke and Mirrors
by CmdrRickHunter February 14, 2008 11:12 AM PST
The real purpose of this bill is to draw attention away from everything else. Your standard corporate firewall blocks all but HTTP/HTTPS these days, so you can't even P2P out. I doubt the gov is any different.

Stop trying to legislate technology. It's been proven time and time again technology should not be ruled over by a committee who have proven techno-illiterate. And while you're at it, could you give me back my tubes?
Hmmmm...
by ev61 February 14, 2008 11:26 AM PST
First step: force P2P to tell users how "unsafe" the system is.
Second step: force P2P to monitor what users are accessing.
Third step: force P2P to give information to the government.
Fourth step: continue to do the work of the RIAA for them.

Thanks Bush Administration for stopping a ridiculous attempt at attacking the end user.
Don't need this law.
by gerrrg February 14, 2008 11:40 AM PST
All they need to do is restrict access rights to install software on all computers.

Or they can simply outlaw the use of P2P software on government computers, punishable by $10,000 fine and 6 months in federal prison.
Or
by Imalittleteapot February 14, 2008 10:45 PM PST
The admin could disable software install for user accounts, and then actually check the machines once in a while for malicious software. That might work.
Almost...
by Vlad_the_Impaler February 19, 2008 12:37 PM PST
Sorry, but you still have the problem of incorrectly configured user shares that can be accessed by a peer-to-peer file sharing program called Windows Explorer/SAMBA...

Technology Neutral <<is>> the way to go. (and yes, the rest of your solution is fine.)

Vlad
Hilarious!
by krosavcheg February 14, 2008 6:58 PM PST
Karen Evans said that it's undesirable to single out a specific technology? The same Karen Evans whose name is at the top of this memo whose subject includes "'File Sharing' Technology". So one shouldn't single out a specific technology in the context of security, but singling out that same technology in the context of limitations on personal use is fine. Good joke, except it's not a joke.