Feds' other e-mail
The White House isn't the only government office whose employees use outside e-mail, messaging
- By John Rendleman
- Apr 27, 2007
The headaches associated with the use of third-party e-mail and messaging services by government workers will continue to bedevil computer systems administrators for the foreseeable future, experts say, despite the growing number of policy and technical restrictions designed to prevent the use of those systems.
The problem will persist because some workers will always find a way to access third-party e-mail and messaging services, whether they're trying to circumvent official rules governing computer usage or merely using technology to perform their jobs in the best way they know how, experts say.
The controversy about White House aides using Republican National Committee e-mail servers for Bush administration official business 'is a pretty good indicator of what other government agencies are experiencing,' said Dave Campbell, senior product marketing manager at information technology security vendor Symantec.
Within the government, 'using personal e-mail accounts is almost a matter of routine, and it always will be,' said one former chief information officer of a Cabinet-level federal agency, who asked not to be identified. In fact, trying to prevent workers from using third-party systems can be counterproductive, the ex-CIO said. 'It's like saying you can only type a letter using the office typewriter.'
For practical reasons, administrators should let common sense and ethics guide how workers use external e-mail and messaging systems rather than banning them altogether, the ex-CIO said. It's best, however, if agencies spell out what constitutes acceptable and ethical use of government computer equipment, he said.
Workers who occasionally use non-government equipment or services for official duties should be told, for example, to copy themselves on their messages using an official government e-mail address to meet government record-keeping rules, the former CIO said.
In addition, use of a third-party service provider won't protect a dishonest worker who's trying to hide his or her identity or circumvent government record-keeping rules. In cases where use of a third-party system falls into the categories of fraud, waste or abuse, 'law enforcement can and has shown that it's discoverable under subpoena,' the former CIO said.Unwelcome risk
In addition, workers should realize that using third-party systems in a covert manner creates a presumption of wrongdoing that's impossible to erase. 'It doesn't look good, and it will reflect badly on the user forever,' he said.
Computer security experts, however, recommend that government IT managers enforce policies governing the use of third-party systems using the best means available because of the security risks and record-keeping difficulties caused by the use of unauthorized e-mail and instant messaging services.
'Any time you allow your users to use third-party e-mail services, you're exposing yourself to risk,' said David Marcus, security research and communications manager at the McAfee Avert Labs unit of McAfee. 'You can limit some of the risk, but I don't know how successful you can be at eliminating it long term. It's a constant struggle,' he said.
The most effective solution for most agencies will involve a combination of several different technologies deployed on users' desktop machines and at the network or gateway level, Marcus said. 'Ultimately, you have to pick the things that you want to manage,' and that will vary depending on a given agency's needs and priorities, he said.
Components of an effective solution include antivirus protection, firewalls, intrusion-detection technologies, content and IP address filters, vulnerability assessment software, and event logging and notification tools that let administrators respond to specific policy violations or security threats, Marcus said.
The majority of government agencies restrict the use of commercial e-mail and messaging services, according to an informal Web poll conducted by GCN. More than three-quarters, or 77.3 percent, of survey respondents said their agencies have policies governing such services, while only 10.9 percent said they had no such policies.
Nevertheless, a slight majority of respondents, or 53.1 percent, said they use third-party e-mail accounts at work, versus 48.8 percent who reported never using third-party e-mail. Of those who use third-party systems at work, only about a quarter of respondents, or 25.6 percent, said they use third-party e-mail to perform their official duties. Almost three-quarters, or 74.4 percent, reported never using third-party e-mail services for work-related communications. A much smaller group, or only 10 percent of respondents, said they use commercial instant messaging services at work.
Of special interest to IT administrators, a small but noteworthy group of respondents ' 12.6 percent of the total ' said they feel they have to use third-party commercial services because the services they need or want aren't supported in-house.
Specific reasons included not being able to access official e-mail systems while working from home or on travel, system downtime because of outages or unscheduled repairs, size limits placed on e-mail attachments or stored messages, accommodations needed for handicapped users and system interoperability issues.
'I had to turn to Google Mail to do parts of my job,' one respondent wrote. 'Our agency imposed punitive storage limits on us when they consolidated our mail server,' the respondent said. 'They provided no transition help ' old appointments and mail were not transferred ' and they plan to do this again when they move us to Microsoft Exchange in a few months. They also made it very hard to do telecommuting work on the new servers,' the frustrated user wrote.
Other respondents to the anonymous survey said they resort to third-party systems for possibly more subversive reasons, including those who use the services despite outright bans on their use.