Proposed federal P2P ban might extend to personal computers

The latest development in the wake of the unauthorized release of information about a House ethics investigation is newly proposed legislation in the form of what would be called the Secure Federal File Sharing Act (H.R. 4098) that would ban the use of peer-to-peer file sharing software in the federal government. As noted in many articles about this draft legislation, the bill would not only prohibit government employees and contractors from installing or using P2P technology on federally owned computers or those operated on its behalf, it would also set policies constraining the use of file sharing software on non-government computers where home-based remote access or teleworking to federal computers is occurring. This of course is not the first example of government extending policy into employee’s homes, but it demonstrates quite clearly the importance government agencies are placing on preventing data loss or disclosure.

Despite the reactive nature of H.R. 4098, there are already federal guidelines in place on the issue of securing computers and other electronic devices used for teleworking or remote access. NIST has two Special Publications on this topic: SP800-114, published in 2007, specifically addresses security of devices used for remote access, and SP800-46, recently revised and updated in June 2009, somewhat more broadly addresses telework security issues. Both of these documents mention peer-to-peer technology as a potential security risk. SP800-114 is probably the most relevant to the new House bill, as it includes specific sections on securing home network environments. What the special publications don’t do that the legislation would is establish formal policies (as opposed to recommended practices) related to the use of file sharing software. The challenge with establishing and enforcing security policies for non-government locations like employees’ homes is both in making employees aware of what they need to do (and not do) to avoid becoming a vulnerability and in giving them the tools and skills to be able to implement appropriate procedures and controls in their own computing environments.