Bill would make P2P software a no-no for fed systems

Government employees and contractors would generally be prohibited from installing or using open-network popular peer-to-peer (P2P) file-sharing software on all federal computers, systems and networks under a bill in the House.

The measure, introduced Nov. 17 by Rep. Edolphus Towns (D-N.Y.), chairman of the Oversight and Government Reform Committee, would require the Office of Management and Budget (OMB) to come up with guidance for the P2P ban within 90 days of the bill’s enactment. OMB would also have to develop guidance for the use of the software by employees or contractors on home computers used to telework.

Commercial P2P programs let users easily share videos, music and other data but have also been used to extract sensitive information from users' computers without the victims' knowledge. The “open network” P2P programs on which the bill focuses are software to which access is granted freely, without limitation or restriction, and that has little or no security.

The problem hit home on Capitol Hill recently when a confidential document that listed ongoing investigations of lawmakers’ activities made its way from the secretive House Ethics Committee into newspaper headlines. The document was inadvertently disclosed by a committee staffer who used P2P software while working from home.

Even before the recent breach, some lawmakers had considered P2P networks as a potential problem. They worried that personal bank records and tax forms, attorney-client memos, sensitive corporate documents, government emergency response plans, and military operation orders are available on the networks.

Another bill designed to protect the public from the risks to security and privacy associated with computer-to-computer file-sharing programs was introduced in the House during March.

“The file-sharing software industry has shown it is unwilling or unable to ensure user safety,” Towns said in his prepared closing statement for a July hearing. “It’s time to put a referee on the field.”

Under the measure, OMB would have to require agencies to have policies consistent with its guidance for P2P software, ensure proper training, and put in place the proper security to restrict the prohibited software. Agencies would also have to require the contractors comply with OMB's guidance on P2P networks.

In addition, OMB would develop a procedure through which agencies could make requests to use P2P software programs that are:

• Necessary for the day-to-day business operations of the agency,
• Instrumental for a project that directly supports the agency’s overall mission.
• Necessary for use between federal, state, or municipal government agencies to do official business.
• Required during a law enforcement investigation.

OMB would also have to submit to Congress an annual report to justify any approved exceptions to the P2P ban and a list of agencies that use the programs.