Federal File Sharing Practices Need Some Work
MeriTalk and Axway released the “Why Encrypt? Federal File Transfer Report” in May following a survey of government representatives the month before. The report examined federal file transfer practices and identified opportunities for process improvement. Of those interviewed, 44 percent are program or project managers, 38 percent are IT supervisors, specialists or engineers, and the remainder of the survey participants are either IT managers or top IT management officials. Sixty-one percent of those surveyed work for civilian agencies, 38 percent work in defense and the final 4 percent serve at an intelligence agency. "The people who actually were surveyed—they're pretty knowledgeable," says Dr. Taher Elgamal, chief security officer, Axway. "The government has really, really good security people."
However, other individuals working within government organizations know much less about security. The report found that 80 percent of information security officials believe their agencies have adequate policies to guide secure file transfers, but only 58 percent say personnel are aware of the policies. Even fewer, 43 percent, report that employees consistently follow them. Elgamal says these findings demonstrate that enhancing security "truly is an awareness and implementation task."
The unsafe file-transfer practices federal personnel employ include using physical media (66 percent), using FTP (60 percent) and sending files through personal e-mail accounts (52 percent). Elgamal explains that using FTP is a problem because this technology existed prior to the Internet and is inherently unsecure.
A discrepancy exists between the concerns federal IT professionals say they have about file-transfer risks and the actions they take to mitigate them. Seventy-one percent responded that they are concerned with the current security of file transfers in the federal government, yet only 42 percent said they have taken all steps possible to enable secure file transfer. Elgamal points out that the report sheds light on a disconnect between increased federal cybersecurity spending (which peaked at $7.9 billion in 2009) and the level of accountability from federal agencies.
Not surprisingly, agencies with top management support are likely to make secure file transfer a priority. At agencies where management understands the threats, 53 percent of employees follow secure file transfer policies; at agencies where employees perceive that top management does not comprehend the threats, that number plummets to 12 percent.
To mitigate dangers, the report lists recommendations including that organizations should develop and enforce governmentwide standards and educate management and users. Elgamal explains that this education must involve identifying solutions that best fit various environments, increasing awareness among employees so that they understand the importance of changing their practices and sharing existing opportunities for improvement. "Policy is a good starting point ... but it doesn't actually solve the issue," Elgamal says. Steps agencies are taking now to improve the security of file transfers include investing in secure connection solutions, secure payload solutions and secure access as well as collaborating with others on best practices and developing home-grown solutions. However, the study found that 64 percent of agencies are not discussing file transfer practices at all.
Congress has made a move to help remedy some of the problems. The House of Representatives passed the Secure Federal File Sharing Act in March, which, if made law by approval of the Senate and president, would require additional guidance for peer-to-peer file sharing software to prohibit personal use by government employees and for other purposes.
Elgamal emphasizes that only a small portion of the data the government transfers is classified; however, much of it is "sensitive" because it contains private information about citizens. To help protect this data, the government has multiple technology solution options. Several years ago, the financial industry realized that it had to enhance security to exchange personal information and took action to improve security, creating a market for this technology. "The good news for the government is that the tools to actually get the job done are available and mature," he says.