Telework and teenagers don't mix
Federal officials say training and auditing are necessary to prevent IT security breaches
As lawmakers work on legislation to bolster federal telework programs, they are grappling with how to manage security threats from employees who use their home computers for government work.
Congress and the Office of Management and Budget are most worried about employees working on home computers with file-sharing software that could expose sensitive government data to millions of people.
Agencies prohibit the use of file-sharing software on government computers and on computers that employees use for official business when they are out of the office. However, employees working on home computers that they share with members of their family might not be aware of all of the programs that others have downloaded.
Teenagers are the biggest users of file-sharing software, such as LimeWire, which lets millions of users exchange music, videos and information ' including sensitive data. Even experienced information technology officials risk accidentally divulging data via peer-to-peer (P2P) file-sharing networks, experts say.
P2P networks automatically search hard drives for files that are available for sharing. If a federal teleworker saves a Microsoft Word document in the same location as files that a son or daughter is sharing on a P2P network, potentially millions of people could gain access to that file.
That's what happened earlier this year when a Transportation Department employee accidentally shared 66 government files while working on a home computer on which her teenage daughter had downloaded LimeWire. Similar situations might explain why data such as Pentagon IT blueprints and information about security clearances are easily obtained on P2P networks.
'The American people would be outraged if they understood what is inadvertently shared by government agencies on P2P networks,' said retired Gen. Wesley Clark, an adviser to Tiversa, an information security company. Clark spoke at a July 24 hearing of the House Oversight and Government Reform Committee.
At that hearing, Daniel Mintz, DOT's chief information officer, said the department has taken several steps to prevent breaches involving P2P networks. Agencies' focus must be on training and oversight, he said.
The way to prevent another incident is through training and auditing to ensure that employees follow DOT's policies, Mintz said. As an additional measure, he said, the department plans to give teleworkers laptop PCs that administrators can easily encrypt and monitor.
The threats associated with P2P networks are potentially widespread, said Stephen O'Keeffe, executive director of the Telework Exchange. More than half of federal employees in a survey published by that organization said they work from home at night or on weekends, O'Keeffe said. More than 50 percent said they used their own computers to do government work.
The culprit is not telework but inadequate training, O'Keeffe said. 'It's a cultural shift associated with the emergence in the workplace of the YouTube generation. If you are opening a backdoor to the system using LimeWire or Kazaa or whatever, you are putting the system and the network at risk. That's a training issue.'
On the day that Mintz and Clark testified about the dangers of P2P networks, OMB asked federal CIOs to review the controls they have in place to manage file-sharing software.
Telework proponents in Congress are focused on security as telework legislation moves ahead. Dan Scandling, aide to Rep. Frank Wolf (R-Va.), who is among the most vocal congressional proponents of telework, said adequate training would provide protection against threats from P2P networks.
Sen. Daniel Akaka (D-Hawaii) said agency telework policies must address the protection of sensitive information. Akaka, who supports the Senate's Telework
Enhancement Act, said agencies must give teleworkers proper security training. That bill is making its way through the Senate.
Ben Bain is a reporter for Federal Computer Week.