HR 1319 misses the mark

Republican Rep. Mary Bono Mack, widow of an entertainer-turned-politician, recently proposed legislation requiring certain notification practices in P2P software, presumably to help prevent future debacles such as the government contractor who leaked the technical blueprints to the President's helicopters.

Whenever politicians try to legislate things they don't understand, it rarely goes well and has deeply troubling undertones. HR 1319 IH appears to be a political response to the incident that redirects attention away from the root cause, and it serves as a general reminder of why politicians should not be dreaming up willy-nilly tech legislation.

The first obvious error in Miss Mack's bill is the ridiculously broad definition of P2P software, defined in the bill as "computer software that allows the computer on which such software is installed–

(A) to designate files available for transmission to another computer;
(B) to transmit files directly to another computer; and
(C) to request the transmission of files from another computer.”

While these are traits of P2P software, they aren't defining traits, and this remarkably obtuse definition sweeps in whole genres of technology, including the browser you're using to view this page, and this website itself. The rest of the bill is generally benign: notification that by installing file-sharing software you may end up, yes, sharing files. The real travesty of this misguided bill, however, isn't the poor definitions or the ever-increasing authoritarian government presence in the commercial sector. The real problem I have with this bill, no matter how it may eventually be worded, is that it completely misses the mark: the cause of the blueprint leaks had nothing to do with P2P software.

If the leaks did indeed occur because of misconfigured P2P software, this could only be the manifestation of a systemic lack of effective security controls and practices by the contractor who leaked the information, and likely inadequate government oversight of this clearly government-funded contract. For information like this to have been leaked via P2P, multiple things would have had to go wrong:

1. The user of the system would have had to have elevated privileges to install the P2P software in the first place.
It's standard practice not to let users manage their own systems. Not only are self-administered machines glaring security holes, they run support costs through the roof. I'm not aware of any large organization that lets users manage their own machines, and certainly no government or well-managed contractor environment does.

2. There would have to be a lack of system inventory management for the installed software to go undetected.
Many, if not all, mature IT environments I'm aware of use technologies to inventory and manage locally installed software. This allows them to do things such as apply patches and upgrades and ensure that only approved, supported software is in use.

3. The system (which is presumably a laptop) would have had to have been available on the public internet.
This would reflect a complete lack of basic data loss prevention practices, which dictate that you handle different types of data differently. For this type of data to be on a system with direct internet access would be a shame.

4. Or … the system would have had to be on a network that was classified for this data, but with completely inadequate network segregation from the internet.
Even if this data were indeed sitting on a system appropriate for that information, and on a network appropriate for that system, *and* the user were able to install P2P software, the software would still have to have network access out of the approved network for the information to have leaked.
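The four points above describe a chain of controls that all have to fail at once. As an added illustration (not code from the original post), here is a small audit over a constructed host inventory that flags each failed link and reports a leak as possible only when every link is broken; the inventory format, column names and host values are assumptions made for the example.

```python
# Added example, not part of the original post: audit a constructed
# software/host inventory for the control failures listed above.
import csv
import io

# Constructed sample inventory; the columns and values are assumptions.
INVENTORY_CSV = """\
host,user_is_admin,installed,data_class,direct_internet
lap-0417,yes,office;vpn-client;p2p-share,restricted,yes
lap-0418,no,office;vpn-client,restricted,no
ws-0102,yes,office;p2p-share,public,yes
"""

# Assumed allowlist that a software inventory system would enforce.
APPROVED_SOFTWARE = {"office", "vpn-client"}


def audit_host(row):
    """Return the failed controls for one inventory row.

    Each finding maps to one step in the chain: a local admin (step 1),
    unapproved software that inventory should have caught (step 2), and
    restricted data on a host with direct internet access (steps 3/4).
    """
    findings = []
    if row["user_is_admin"] == "yes":
        findings.append("user_has_admin")
    unapproved = set(row["installed"].split(";")) - APPROVED_SOFTWARE
    if unapproved:
        findings.append("unapproved_software:" + ",".join(sorted(unapproved)))
    if row["data_class"] == "restricted" and row["direct_internet"] == "yes":
        findings.append("restricted_data_with_internet_egress")
    return findings


def leak_possible(findings):
    """True only when every link in the chain has failed on this host."""
    return ("user_has_admin" in findings
            and any(f.startswith("unapproved_software") for f in findings)
            and "restricted_data_with_internet_egress" in findings)


def audit_inventory(text=INVENTORY_CSV):
    """Map each host to its findings; a single intact control is enough
    to keep the P2P leak scenario from being possible on that host."""
    return {row["host"]: audit_host(row) for row in csv.DictReader(io.StringIO(text))}


if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(host, "LEAK-POSSIBLE" if leak_possible(findings) else "contained", findings)
```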

The bottom line is that there are multiple practices, controls, and technologies that would have prevented this leak, all of which are commonplace and in most cases mandated. Had this contractor been conscientiously attempting to protect the information, the incident would never have occurred. Trying to address it by targeting the end-point software is a mistake that will only impede technological growth and misplace responsibility, while doing nothing to prevent future data losses.

If Miss Mack is truly concerned that innocent downloaders are also sharing their entire drives without realizing it, this bill needs to move the notifications from installation to the actual points of use. P2P users don't need to be notified that their software shares files. They know that; that's why they download and install the software. What they need is software that makes it more obvious when they've misconfigured it. If this bill really is a response to the data leak (as presumed in the media) and Miss Mack is truly concerned about government data loss, she should push for stronger enforcement of the information security laws the government already has, considerably stronger oversight of these defense contractors, and an increased culture of personal accountability.

As it stands now, though, HR 1319 doesn't address either. The full text of the bill is available at http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.1319:

~ by mattfisher on May 16, 2009.
