Twittery Jitters

New social media sites raise age-old dangers of unauthorized software.

Dan Luxenberg, a program analyst at the Food and Drug Administration, is responsible for the popular FDArecalls Twitter stream. Since January, he has been posting an average of four tweets (short messages of no more than 140 characters) a day on which foods companies are recalling. The stream has attracted more than 7,000 followers who are interested in the latest news about possibly tainted peanuts, pistachios, curry spice and other foods.

To manage the steady flow of Twitter snippets, Luxenberg uses a free downloadable software application called TweetDeck, which allows him to read public comments and view how often citizens rebroadcast his tweets. "TweetDeck is a good tool to see what's really going on," he says. "It gives me real-time access to the tweets and re-tweets as they come in. . . . We're testing the water with various tools like TweetDeck, trying to find the best ones so we can manage social media sites on a day-to-day basis."

As more agencies embrace social media sites like Twitter, more federal technology managers like Luxenberg are downloading software to manage the flow of information. There's a catch, however. Office of Management and Budget rules, adopted as part of an effort to secure desktop PCs, forbid federal workers from installing software on their own.

Federal chief information officers say employees are requesting administrative privileges that allow them to download software applications directly from the Internet, most of which have not been tested for viruses or security holes that could allow hackers access to systems. At the same time, CIOs are being asked to reduce the chance that desktop systems can be attacked.

"It's a delicate balance," says Lori Davis, FDA's CIO. "Security concerns need to be paramount in my mind, but I can't completely stymie creativity, or I'll have our entire scientific workforce up in arms."

For now, FDA is allowing some of its 9,000 employees (the agency declined to say how many) to experiment with Twitter, wikis and other social media software. But it also is tightening controls over who can download software as part of a year-old effort to centralize IT operations across its six centers. "We are now taking an active look at those administrative privileges controlled by the various FDA centers," Davis says. "With administrative rights, I think we would err on the side of being restrictive."

Agencies are supposed to lock down desktop PCs and laptops in compliance with the Federal Desktop Core Configuration, an OMB mandate that requires them to standardize the settings on their PCs to help prevent hacking attacks. The core configuration rules went into effect in February 2008.

One provision in the configuration requires employees to work from accounts without local administrative privileges, so they cannot install downloaded software applications unless they obtain a waiver that grants them administrative rights. The rule applies to desktops and laptops connected directly to an agency's network, including computers operated by contractors. (The mandate does not apply to personal desktops that access government systems through virtual private networks.)
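The practical test of that provision is whether ordinary users still sit in the local Administrators group, since that is what lets them install what they download. The following script is an added example, not code from the article, FDA or OMB: it reports whether the current session is elevated and lists any member of the local Administrators group that is not on an allow-list. The allow-list entries are hypothetical; it assumes PowerShell 5.1 or later with the LocalAccounts module (Windows 10 or Server 2016 and newer).

```powershell
# Added example (not from the article or FDA): audit the local Administrators
# group on a Windows desktop to find accounts that still hold the administrative
# rights the FDCC standard-user requirement is meant to remove.
# Assumes PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+).

# Accounts expected to hold local admin. This allow-list is hypothetical;
# replace it with the groups your waiver process actually authorizes.
$Allowed = @('Administrator', 'Domain Admins', 'Workstation Admins')

function Test-IsElevated {
    # True when the current token carries the Administrators role
    # (i.e. the user is an admin and the session is elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$AllowList = $Allowed)
    # Names come back as 'MACHINE\user' or 'DOMAIN\group'; compare only the
    # part after the backslash against the allow-list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $AllowList } |
        Select-Object Name, ObjectClass, PrincipalSource
}

Write-Host ("Current session elevated: {0}" -f (Test-IsElevated))

$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Host "Local Administrators members outside the allow-list (waiver candidates or drift):"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "No unexpected members of the local Administrators group."
}
```

Run it across a fleet (for example through a remoting session or a login script that writes the output to a central share) and the list of unexpected members becomes the inventory of administrative privileges a CIO's office would review when deciding which waivers to keep.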

Most FDA employees don't mind the rules because they can use their cell phones rather than government-owned PCs to check personal Facebook, MySpace or Twitter accounts, Davis says.

So far, the configuration has been mostly successful, says Ray Bjorklund, senior vice president with FedSources Inc., a market research firm in McLean, Va. "But I've also heard that these desktop configurations can become very painful for power users, who really need to have the flexibility without having to constantly reconfigure their computers."

The prospect of federal employees downloading free software to their desktops has contractors responding with products and services to keep government networks safe. Cisco, for example, recommends agencies follow a layered approach that includes intrusion prevention systems, network access controls and Web security platforms. These products can help an agency enforce the Federal Desktop Core Configuration rules on software downloads, says David Graziano, Cisco's manager for federal security solutions. He gives the example of a federal worker on Facebook who tries to download an innocuous-looking plug-in that hides an application designed to steal information from the employee's hard drive.

"As you log in to the network, the policy enforcement of the network access control will make sure your device has the right to download a plug-in," he says. Intrusion prevention will catch the download in case the access control permits it into the system, and as a last line of defense, Web security will detect the malware if the employee clicks on a Web page that houses it and will prevent it from downloading, Graziano adds.

At FDA, the CIO's office must approve social media pilot projects and the download of related tools. Its Office of Policy recently asked permission to run MediaWiki, the free software package that runs Wikipedia, to improve collaboration on regulation development. The CIO office is running a pilot project with MediaWiki for 80 users. "We stood up a MediaWiki server, made sure it was secure and gave them the rights to use it," says FDA Deputy Chief Technology Officer Michael Coene. "Now we're getting into the issues of as you collaborate in this environment, when does it become a record? How do we handle retention?" He says the CIO office plans to pilot several social media applications during the next year, including URL blogs, social tagging and bookmarking and search tools.

FDA is testing social media tools without granting additional administrative privileges. The one exception is the Web communications office, where all 12 staff members are allowed to download software, says Sanjay Koyani, FDA's director of Web communications. "This is where the world is headed, and it's certainly where the new administration in government is headed," he says. "It's really impossible to plan a good strategy unless you're able to bring in some of [these tools] and use them. You have to get them in behind your firewall and test them out."

Carolyn Duffy Marsan is a high-tech business reporter based in Indianapolis.