Recently, CNET, Slashdot and the usual suspects have been claiming that the “Bush administration” has vindicated their seemingly religious conviction that so-called “peer-to-peer” file-sharing programs just cannot pose risks distinguishable in kind or degree from other sorts of programs. Once again, they have missed the real story—or stories.
This latest claim of victory for file-sharing arises from two recent congressional hearings, one on inadvertent sharing of sensitive data, and one on H.R. 4791, a bill that would amend the Federal Information Security and Management Act (FISMA). FISMA requires agencies to develop plans for safeguarding governmental data, and H.R. 4791 would amend FISMA by, inter alia, requiring those plans to include information about how agencies are addressing the risks associated with file-sharing programs.
Here is an excerpt from CNET’s account of these two hearings:
[A] Federal Trade Commission official told politicians that it has found any risks are largely rooted in how individuals use [file-sharing programs]. The Bush administration appears to be backing up that view. Without naming the peer-to-peer file-sharing provision in particular, Karen Evans, the federal government's chief information officer, told a House information policy subcommittee that she objects to singling out a particular technology when issuing computer security requirements.
There are two interesting stories here about two different federal agencies (OMB and the FTC), but haste to declare file-sharing vindicated has caused both to be overlooked. I will address the OMB story here, and the FTC story in a separate post.
As to OMB, the real story is a potential case of do-as-I-say, not-as-I-do. OMB's testimony can be read to criticize legislators for proposing to require agencies’ FISMA reports to describe separately their efforts to control risks arising from file-sharing programs. Problem is, OMB itself has long required agencies’ FISMA reports to describe separately their efforts to control risks arising from file-sharing programs.
For example, M-04-26, a 2004 memorandum authored by Karen Evans of OMB, prescribed “detail[ed] specific actions agencies must take to ensure the appropriate use of certain technologies used for file sharing across networks.” It stated, “A type of file sharing known as Peer-to-Peer (P2P) refers to any software or system allowing individual users of the Internet to connect to each other and trade files.… [T]he vast majority of files traded on P2P networks are copyrighted music files and pornography. Data also suggests P2P is a common avenue for the spread of computer viruses within IT systems.” It thus directed agencies to 1) ban unlawful file sharing in their personal-use policies; 2) train employees on improper uses of file-sharing programs; and 3) implement security controls to prevent and detect improper file sharing. In a related directive, M-04-25, OMB directed agencies to include in their annual FISMA reports information on their efforts to address the risks associated with file-sharing programs.
To be clear, I do not think that OMB erred by concluding that certain file-sharing programs pose risks so different in kind and degree that they should be addressed separately under FISMA or for purposes of data security in general. Other agencies have reached similar conclusions. In 2005, the Department of Homeland Security (DHS) issued an Information Bulletin to all federal, state, and local agencies involved in domestic security. It warned specifically about the security risks arising from file-sharing programs. It stated, “Multiple organizations have ongoing investigations into disclosure of sensitive or classified material due to P2P.” It concluded, “These applications represent a vulnerability that cannot be afforded without a strong justification.” In 2007, USPTO also reported that some file-sharing programs constitute a tripartite threat to the security of corporate and governmental data. SANS also cites DHS and lists “File Sharing Applications” in its most recent “top 20” list of security threats.
Nevertheless, while OMB’s actions seem both defensible and consistent with those of other executive agencies, a problem has now arisen: OMB’s recent testimony does seem to be chiding legislators for proposing that FISMA should treat file-sharing programs the way that OMB has treated them under FISMA since 2004. Two explanations for this situation suggest themselves.
First, this may be a simple case of really bad staffing: Some file-sharing zealot on OMB’s IT staff may have inserted the “technological neutrality” chiding into the boss’s testimony without bothering to confirm whether it could be reconciled with the past acts of the boss and OMB.
Alternatively, OMB’s testimony may have been intended to make a different and more subtle point: OMB may have intended to argue that the FISMA statute need not be amended in order to ensure that agencies’ FISMA reports will specify their efforts to control the piracy and security risks associated with certain file-sharing programs because OMB already requires agencies' FISMA reports to do so. But if so, then OMB’s testimony—like its actions—merely confirms that the “Administration” has long concluded that the risks arising from piracy-prone file-sharing programs are distinguishable in kind and degree from those of other sorts of Internet-based technologies or programs.
As for the FTC, the real story is far worse. More about that tomorrow.