Is it time to revisit company policy on peer-to-peer file-sharing software? A spate of news last week suggests that P2P file sharing is not just Hollywood's headache.
Inadvertent file sharing -- when computer users mistakenly expose files they had not intended to share -- can pose major IT security, privacy and legal risks. The question is whether new laws or better scrutiny and the use of existing tools will solve this problem.
A congressional hearing last week on inadvertent file sharing over P2P networks showed just how risky it is. Classified or sensitive files recently found on file-sharing networks included: the Secret Service safe house location for the first lady, the Social Security numbers of every master sergeant in the Army, medical records of some 24,000 patients of a Texas hospital and the entire Outlook calendar of an individual who handles all the merger and acquisition activity at a well-known, publicly traded company, with attachments detailing every proposed deal.
A listing of every nuclear facility in the U.S. turned up on four sites in France. Last week also showed that illicit music downloading can have serious legal consequences: a Boston University graduate student was ordered to pay $675,000 in damages for illegally downloading songs and sharing them online.
Bill to ban P2P networks on government computers
Many companies tend to dismiss peer-to-peer file-sharing programs, which are used to share music and videos, as the recording industry's problem, not a security risk. But this is a mistake, said Robert Boback, CEO of Pittsburgh-based Tiversa Inc., a P2P network monitoring vendor, and a witness at last week's congressional hearing.
Boback testified that even at companies with sophisticated security programs, reams of sensitive corporate information are exposed on P2P networks due to user error, access control issues (teenagers downloading file-sharing software on a parent's company laptop), deception by global software developers and malicious code dissemination. The leaks happen despite safeguards by some P2P network developers to prevent inadvertent file sharing and despite security tools such as firewalls and encryption. Boback showed example after example of citizen tax returns, medical insurance information, FBI files and so on, easily found on peer-to-peer file-sharing networks.
At the congressional hearing, it was the popular P2P software company Lime Wire LLC and its CEO, Mark Gorton, on the hot seat, accused by committee members and expert witnesses of a continuing failure to prevent inadvertent file sharing. After the testimony, committee chair Edolphus Towns announced plans to file a bill to ban P2P software from all government and contractor computers and networks.
"As far as I am concerned, the days of self-regulation should be over for the file-sharing industry," Towns said.
But Towns is not the only one threatening legislation. And the file-sharing industry is not alone in being forced to get serious about data leakage. Efforts are under way on Capitol Hill to pass a tough national data privacy law, the Data Accountability and Trust Act, aimed at protecting personally identifiable information, including files inadvertently leaked or stolen on P2P networks.
P2P file sharing gets little attention from IT risk groups
At a time when companies are hypersensitive to the damage a data breach or stolen data can do, the security and privacy risks posed by P2P file sharing are not high on the IT security agenda for many companies, according to Jonathan Penn, a security analyst at Cambridge, Mass.-based Forrester Research Inc.
Forrester reports that while 73% of companies take some kind of stance on P2P, ranging from monitoring to filtering per incident, only 18% ban outright use of P2P.
One reason P2P file sharing gets so little attention from IT, Penn said, is that it is seen as a bandwidth issue, not an IT risk concern. Unless massive P2P usage is starving out legitimate traffic, "it can be simply addressed with bandwidth management tools," he said.
As for the legal liability issues related to sharing copyrighted material, most organizations are more focused on protecting their own data, Penn said, "not enforcing the copyright and usage terms of media conglomerates."
Organizations that do acknowledge that P2P tools can be used to send sensitive corporate data out of the network are addressing the problem with network-resident data loss prevention tools from vendors including Symantec Corp., McAfee Inc. and Vericept Corp. "In other words, concern over high-impact and high-probability business risks around P2P is part of specific data protection strategies, not a more general appropriate-use policy enforcement strategy," Penn said.
Gartner Inc. security analyst Mike McGuire, who covers media for the Stamford, Conn.-based consultancy, said he's a bit puzzled by the threat of legislation banning P2P file sharing among government agencies and contractors, given long-standing prohibitions and policies governing P2P file sharing at government agencies. "Another law would seem to be almost specious," McGuire said. "This is a matter of enforcing policy on usage of P2P clients on government networks."
In his view, corporate policy is the first line of defense against risks associated with P2P file-sharing programs. "You have employees who have signed contracts to work at your company. You can't control their lives, but as far as the tools that you give them to do their jobs, you do have control," McGuire said. Employees found to be opening MP3 files on company networks through P2P software can be fired, he said.
With P2P networks in the news again, CIOs should revisit their P2P policies, talk to employees and actually do the periodic audits of their networks. "It is absolutely worth that reminder, without getting into, 'Is this a copyright issue?' or right or wrong," he said.
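The audits McGuire recommends are easier to justify if they produce concrete findings. The script below is an added illustration of one such check, not code from the article, from Tiversa, or from any of the vendors named; it assumes an administrator already knows which folders a P2P client on a given machine is configured to share (the client's settings, or an inventory tool, would supply that list). It walks those folders and reports files of the kinds the hearing described as leaking: Outlook data stores, office documents and any text-like file containing Social Security number patterns. The file-type lists, the SSN regular expression and the sample share it builds are all constructed for the example.

```python
"""Audit folders a P2P client shares for files that should never leave the
network. Added illustration; the sample share and detection rules are assumed."""
import os
import re
import tempfile
from dataclasses import dataclass

# SSN pattern with the basic structural rules (no 000/666/9xx area, no 00 group,
# no 0000 serial). Constructed for the example; tune to the data you hold.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# File types almost never meant for public sharing (assumed list).
RISKY_EXTENSIONS = {".pst", ".ost", ".ics", ".docx", ".xlsx", ".pdf"}
# Media files are what the client is nominally for; skip content scanning them.
MEDIA_EXTENSIONS = {".mp3", ".mp4", ".avi", ".mkv"}
MAX_READ = 1 << 20  # content-scan at most 1 MiB per file


@dataclass
class Finding:
    path: str
    reason: str


def classify(path: str) -> list[str]:
    """Return the reasons a file is a sharing risk (empty list if none)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky file type {ext}")
    if ext in MEDIA_EXTENSIONS:
        return reasons
    try:
        with open(path, "rb") as f:
            text = f.read(MAX_READ).decode("utf-8", errors="ignore")
    except OSError:
        return reasons
    hits = len(SSN_RE.findall(text))
    if hits:
        reasons.append(f"{hits} SSN-like number(s)")
    return reasons


def audit_shared_folders(folders) -> list[Finding]:
    """Walk every shared folder and collect findings for the audit report."""
    findings = []
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                path = os.path.join(root, name)
                for reason in classify(path):
                    findings.append(Finding(path, reason))
    return findings


def build_sample_share() -> str:
    """Constructed sample share: a harmless media file, a roster with two SSNs
    and an Outlook data file, mirroring the kinds of leaks the hearing cited."""
    share = tempfile.mkdtemp(prefix="p2p_share_")
    with open(os.path.join(share, "song.mp3"), "wb") as f:
        f.write(b"\x00" * 64)
    with open(os.path.join(share, "roster.csv"), "w", encoding="utf-8") as f:
        f.write("name,ssn\nA. Sergeant,234-56-7890\nB. Sergeant,345-67-8901\n")
    with open(os.path.join(share, "archive.pst"), "wb") as f:
        f.write(b"!BDN")  # constructed stand-in for a PST header
    return share


if __name__ == "__main__":
    for finding in audit_shared_folders([build_sample_share()]):
        print(f"{finding.reason}: {finding.path}")
```

Run against the real shared folders, the output is a list an IT risk group can act on before a file turns up on a public network, which is the point of the periodic audit; a DLP product does the same job at the network edge, but a folder-level check catches the file while it is still only staged for sharing.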
Let us know what you think about the story; email Linda Tucci, Senior News Writer.