Employees at many U.S. government agencies are using insecure methods, including personal e-mail accounts, to transfer large files, often in violation of agency policy, according to a survey released recently.
Fifty-two percent of respondents to the survey of 200 federal IT and information security professionals said employees at their agencies used personal e-mail to transfer files within their agencies or to other agencies. About two-thirds of those responding to the survey said employees used physical media, including USB drives and DVDs, to transfer files, and 60 percent of employees use FTP (File Transfer Protocol), according to the survey, completed by MeriTalk, a government IT social-networking site, and Axway, an IT security vendor.
Forty percent of those surveyed said employees at their agencies use virtual private networks to transfer files and 34 percent said employees use Web-hosted file transfer services.
Sending unencrypted data over FTP or personal e-mail, or putting it on physical media, is a major problem for data security, the survey authors said. In March, the U.S. House of Representatives passed the Secure Federal File Sharing Act, which in many cases would prohibit government employees from using peer-to-peer file-sharing software, including FTP. The bill, sponsored by Representative Edolphus Towns, a New York Democrat, is awaiting action in the Senate.
Some commercial sectors, such as financial services, have stopped using FTP to transfer files because of security concerns, said Taher Elgamal, CSO at Axway and inventor of the Elgamal Cryptosystem. But many U.S. government agencies seem to be lagging behind the commercial sector in file transfer security, he said.
"What surprises me is [the results] don't surprise me at all," Elgamal said.
Easy-to-use tools for encrypting files have been around for a long time, he added. But it appears that many federal agencies aren't pushing their employees to use those tools or aren't providing those tools, he said. Employee training also needs to be a priority, he said.
It's "not fair" to require employees to encrypt files when they don't have easy tools to do so, Elgamal said.
"The vast majority of people are actually good people," Elgamal said. "What they want to do is get the job done. An employee, if you tell them to do something, is just going to get it done. If you don't provide them the right tools, they're still going to get it done."
The survey, conducted in April, also found that 71 percent of respondents are concerned with the security of file transfers in the U.S. government, but 54 percent said they do not monitor FTP use.
Only 58 percent of respondents said employees at their agencies were aware of secure file transfer policies, even though 80 percent said their agencies have adequate file transfer policies in place. Sixty-six percent of respondents said their agencies' file transfer security has improved in the past year.
While the survey shows some problems in the U.S. government, some agencies work hard to secure file transfers, said Robert Odenheimer, director of network architecture and engineering at the U.S. Internal Revenue Service.
The IRS logs all employee access to taxpayer data, and the agency's WAN is encrypted, Odenheimer said. File transfers within the agency and outside of the agency are encrypted as well, including information stored on physical media, he said. "We go way overboard in ensuring that our data is secure, and that no one views taxpayer information unless it's a necessary part of their job," he said.
All IRS employees receive training once a year on secure handling of personal data, he added. Employees are warned of major consequences if they access personal data that they aren't authorized to see, or if they mishandle personal information, he said.
The tax system in the U.S. is largely voluntary, he said. "In the IRS, there is a big belief, that has a lot of credence, that if people feel their data is not secure, the voluntary compliance would decrease," he said. "That would be a huge problem for the entire government."
The IRS could help other agencies secure their file transfers, but it doesn't get many requests, said Odenheimer, who has been with the agency for two-and-a-half years after a decade in the health care industry. "We certainly have a lot of knowledge that we'd be willing to share with other federal agencies," he said.