Shadow IT
America Online, eBay, Google, iTunes, MySpace, instant messaging, Yahoo, YouTube. What would life, or work, be like without these and other popular Internet-driven diversions?
Today's workers are tech savvy, and government employees are no exception. They want and use the latest applications. Whether their information technology administrators like it or not, federal workers are using the software to be more productive or, at times, to be entertained.
These unapproved applications don't come from agency IT shops, though; employees are downloading them directly off the Internet. The practice has become so widespread in all kinds of organizations that it now has its own descriptor: shadow IT.
The problem is that shadow IT poses security risks. The applications could have vulnerabilities that provide the holes hackers need to access employee computers and government networks and steal information or install malware, and some expose data by design. At a hearing this summer of the House Oversight and Government Reform Committee, security monitoring company Tiversa Inc. testified that it had found 200 government documents during a scan of the top three peer-to-peer software applications, which allow computer users running the same software to share files stored on their PCs or laptops; documents end up exposed when users share more than they intended.
Fear of security mishaps has caused some IT managers to ban unapproved technology by issuing strict policies or configuring firewalls to block applications. But how realistic is it to expect users to steer clear of the increasing array of cool technology tools? "Resistance is futile," says Alan Paller, director of research at the SANS Institute, a nonprofit cyber-security research organization in Bethesda, Md.
And fighting shadow IT could be counterproductive. Agencies that institute prohibitive policies will face substantial pushback, Paller predicts. Such policies could radically reduce the convenience of useful information sources and communications platforms, and could make employees less productive in the long run, he says.
Videoconferencing and wireless Internet access, which many agencies initially opposed, serve as examples of how departments could come to accept other new technologies, Paller says. When agencies blocked the use of Wi-Fi, managers sometimes couldn't reach workers, which ushered in the use of wireless technologies.
But the federal government has done little to keep up with the proliferation of applications. The latest policy governing employee use of government-issued PCs or laptops is now eight years old. According to a 1999 report from the interagency Chief Information Officers Council, workers are permitted limited use of office equipment -- including Internet services and e-mail -- for personal needs if it does not interfere with official business and involves minimal expense to the government.
Inappropriate uses are any that could cause congestion, delay or disruption of service to government systems. Creating, downloading, viewing, storing, copying or transmitting materials that are "illegal, inappropriate or offensive to fellow employees or the public" is prohibited as well.
To make sure employees follow proper procedures, some agencies, such as the General Services Administration, inform employees that their computer activities are continuously monitored. But a 16-year GSA veteran, who asked not to be named, says whether managers are "actively doing that is questionable."
The bottom line is "these workstations are not for personal use," he says. Still, this worker routinely checks his personal Yahoo.com e-mail account, which is "unavoidable because you're at work eight or nine hours a day," he says.
Personal applications downloaded from the Internet are widely used in government, including many congressional offices, where instant messaging is practically the primary means of communication. A former chief of staff on the Hill says IM was a necessity in his office. Sometimes he would find himself IMing facts and figures to his press secretary from across the room while his colleague conducted a telephone interview with a reporter.
The frenzy over downloaded software has only just begun, Paller warns. Applications being used without IT managers' blessings are "a tenth of what you'll see in two or three years," he says. The popularity of one of the largest virtual worlds, Second Life, and any number of next-generation Web wonders are going to fuel what he predicts will be an intensely interactive, "high-fidelity, high-bandwidth" culture -- if it hasn't already begun.
Instead of fighting it, Paller advises finding a secure way to allow the technologies. Agencies should embrace the concept of "comply and connect" rather than "scan and block," he says. Since 2005, the Air Force has not allowed any computer to be connected to the Air Force network unless it has a common configuration and all patches and updated security software have been installed, Paller says. In March, the Office of Management and Budget recognized the economic and security benefits of the initiative and issued a similar mandate for all agencies.
Marty Lindner, a senior staffer at Carnegie Mellon University's federally funded Software Engineering Institute, offers a common-sense solution. IT restrictions should be squared with the mission of the agency and the sensitivity of job functions, he says. "If I'm the operator of a nuclear power plant, I don't think anything should be allowed on that [computer] desktop that doesn't have to do with running that power plant," Lindner says.
Agencies also should create a detailed policy about what can be loaded onto PCs and laptops. Most important, IT managers then must check individual PCs and laptops to "make sure people are following it," Lindner says. Setting an office policy can define "the things you should not do and the things you're allowed to do based on your business model," he says. "Just highlighting the stuff you cannot do is a bad way to write policy."
One way to let employees know what they can do is to create "white lists" of approved applications and popular Web destinations that employees can download and visit, says Shawn McCarthy, analyst at Government Insights, a Falls Church, Va., IT consulting firm. IT administrators sometimes are reluctant to embrace this approach because it's a big job, and they should not be setting business policies, he says. But the trick, McCarthy says, is to find "the right balance between individual productivity and the needs of the IT department."
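The two checks Lindner and McCarthy describe, verifying individual machines against a software allowlist and matching web destinations against an approved list, can be scripted. The example below is added here and is not code from the article or from any of the organizations it mentions; the allowlist entries and the endpoint inventory are constructed for illustration. It flags installed software by name and publisher rather than name alone, so a lookalike "Adobe Reader" from an unknown publisher is reported, and it matches hostnames label by label so that www.youtube.com passes while youtube.com.evil.example and notyoutube.com do not.

```python
"""Allowlist compliance checks for shadow IT: installed software and web destinations."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed allowlist: (product name, publisher) pairs the agency has approved.
APPROVED_SOFTWARE = {
    ("Microsoft Office", "Microsoft Corporation"),
    ("Adobe Reader", "Adobe Systems Incorporated"),
    ("Mozilla Firefox", "Mozilla"),
}

# Constructed allowlist of approved web destinations (registrable domains).
APPROVED_DOMAINS = {"gsa.gov", "govexec.com", "youtube.com"}


@dataclass(frozen=True)
class InstalledApp:
    """One row of a per-host software inventory (hypothetical schema)."""
    host: str
    name: str
    publisher: str


def normalize(text: str) -> str:
    """Collapse whitespace and case so 'mozilla  firefox' matches 'Mozilla Firefox'."""
    return " ".join(text.split()).casefold()


_NORMALIZED_APPROVED = {(normalize(n), normalize(p)) for n, p in APPROVED_SOFTWARE}


def unapproved_software(inventory: list[InstalledApp]) -> dict[str, list[str]]:
    """Return {host: [app names]} for installs that are not on the allowlist.

    Matching uses name AND publisher: a product with an approved name but an
    unknown publisher is still flagged, which catches renamed or trojaned installers.
    """
    findings: dict[str, list[str]] = {}
    for app in inventory:
        key = (normalize(app.name), normalize(app.publisher))
        if key not in _NORMALIZED_APPROVED:
            findings.setdefault(app.host, []).append(app.name)
    return findings


def is_host_allowed(hostname: str, allowed: set[str] = APPROVED_DOMAINS) -> bool:
    """True if hostname equals an allowed domain or is a subdomain of one.

    Comparison is on DNS labels, not substrings, so 'youtube.com.evil.example'
    and 'notyoutube.com' are rejected while 'www.youtube.com' is accepted.
    """
    labels = hostname.strip().rstrip(".").casefold().split(".")
    for domain in allowed:
        dlabels = domain.casefold().split(".")
        if len(labels) >= len(dlabels) and labels[-len(dlabels):] == dlabels:
            return True
    return False


if __name__ == "__main__":
    # Constructed inventory from two hypothetical workstations.
    sample_inventory = [
        InstalledApp("WS-0412", "Microsoft Office", "Microsoft Corporation"),
        InstalledApp("WS-0412", "LimeWire", "Lime Wire LLC"),
        InstalledApp("WS-0199", "Adobe Reader", "Unknown Publisher"),
        InstalledApp("WS-0199", "mozilla  firefox", "Mozilla"),
    ]
    for host, apps in unapproved_software(sample_inventory).items():
        print(f"{host}: unapproved software {apps}")
    for h in ["www.youtube.com", "youtube.com.evil.example", "notyoutube.com"]:
        print(f"{h}: {'allowed' if is_host_allowed(h) else 'blocked'}")
```

Both checks are deliberately allowlists rather than blocklists, matching Lindner's point that policy should state what is permitted; anything not on the list is reported for review rather than silently accepted.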
Andrew Noyes is a senior writer for National Journal's Technology Daily.
COMMENTS
- IT managers should look carefully at the applications employees are using as freeware and determine whether there is business value to adopting them as standard or providing alternate means to accomplish the same ends. Services such as Google Docs, newsgroups, online file storage, desktop search applications and bookmarking services can add real value to a business by collecting useful information from freely available sources and helping staff to communicate and collaborate. While anything illegal or unsavory should absolutely be prohibited, the free market and free thinking of the Internet often provide useful applications and services cheaper, faster and of better quality than in-house IT departments can match. Andrew Posted October 10, 2007 1:29 PM
- Why am I not surprised? Give any employee access to the Internet and watch what happens. Most people may fool around, usually on their lunch break, some won't do anything not authorized by management, others will spend all day "surfing" if they can. Sounds like the IT techs have to put down their computer magazines and set up a simple program which would check all terminals each day. Then management could counsel the offending employee/s. What are the chances of this happening soon? We'll see. US Customs Senior Inspector Posted October 10, 2007 1:24 PM
- I agree with Don. The people operating my Air Force LAN are quite successful at locking out ANY changes or software downloads to my computer. Yahoo or Google email? Not allowed nor accessible. Does "bad stuff" still creep in? Only by exception. Is it frustrating to me, a "high tech" guy? Yes, but I agree it HAS to be this way. Notice that it hasn't stopped me from keeping up with GovExec! Rick Posted October 10, 2007 12:47 PM