Shadow IT

America Online, eBay, Google, iTunes, MySpace, instant messaging, Yahoo, YouTube. What would life, or work, be like without these and other popular Internet-driven diversions?

Today's workers are tech savvy, and government employees are no exception. They want and use the latest applications. Whether their information technology administrators like it or not, federal workers are using the software to be more productive or, at times, to be entertained.

These un-approved applications don't come from agency IT shops, though; employees are downloading them directly off the Internet. The practice has become so widespread in all kinds of organizations that it now has its own descriptor: shadow IT.

The problem is that shadow IT poses security risks. The applications could have vulnerabilities that provide the holes hackers need to access employee computers and government networks and steal information or install malware. At a hearing this summer of the House Oversight and Government Reform Committee, security monitoring company Tiversa Inc. testified that it had found 200 government documents during a scan of the top three peer-to-peer software applications, which allow computer users with the same software to share files stored on their PCs or laptops.

Fear of security mishaps has caused some IT managers to ban unapproved technology by issuing strict policies or configuring firewalls to block applications. But how realistic is it to expect users to steer clear of the increasing array of cool technology tools? "Resistance is futile," says Alan Paller, director of research at the SANS Institute, a nonprofit cyber-security research organization in Bethesda, Md.

And fighting shadow IT could be counterproductive. Agencies that institute prohibitive policies will face substantial pushback, Paller predicts. Such policies could radically reduce the convenience of useful information sources and communications platforms, and could make employees less productive in the long run, he says.

Videoconferencing and wireless Internet access, which many agencies initially opposed, serve as examples of how departments could come to accept other new technologies, Paller says. When agencies blocked the use of Wi-Fi, managers sometimes couldn't reach workers, which ushered in the use of wireless technologies.

But the federal government has done little to keep up with the proliferation of applications. The latest policy governing employee use of government-issued PCs or laptops is now eight years old. According to a 1999 report from the interagency Chief Information Officers Council, workers are permitted limited use of office equipment -- including Internet services and e-mail -- for personal needs if it does not interfere with official business and involves minimal expense to the government.

Inappropriate uses are any that could cause congestion, delay or disruption of service to government systems. Creating, downloading, viewing, storing, copying or transmitting materials that are "illegal, inappropriate or offensive to fellow employees or the public" is prohibited as well.

To make sure employees follow proper procedures, some agencies, such as the General Services Administration, inform employees that their computer activities are continuously monitored. But a 16-year GSA veteran, who asked not to be named, says whether managers are "actively doing that is questionable."

The bottom line is "these workstations are not for personal use," he says. Still, this worker routinely checks his personal Yahoo.com e-mail account, which is "unavoidable because you're at work eight or nine hours a day," he says.

Personal applications downloaded from the Internet are widely used in government, including many congressional offices, where instant messaging is practically the primary means of communication. A former chief of staff on the Hill says IM was a necessity in his office. Sometimes he would find himself IMing facts and figures to his press secretary from across the room while his colleague conducted a telephone interview with a reporter.

The frenzy over downloaded software has only just begun, Paller warns. Applications being used without IT managers' blessings are "a tenth of what you'll see in two or three years," he says. The popularity of one of the largest virtual worlds, Second Life, and any number of next-generation Web wonders are going to fuel what he predicts will be an intensely interactive, "high-fidelity, high-bandwidth" culture -- if it hasn't already begun.

Instead of fighting it, Paller advises finding a secure way to allow the technologies. Agencies should embrace the concept of "comply and connect" rather than "scan and block," he says. Since 2005, the Air Force has not allowed any computer to be connected to the Air Force network unless it has a common configuration and all patches and updated security software have been installed, Paller says. In March, the Office of Management and Budget recognized the economic and security benefits of the initiative and issued a similar mandate for all agencies.

Marty Lindner, a senior staffer at Carnegie Mellon University's federally funded Software Engineering Institute, offers a common-sense solution. IT restrictions should be squared with the mission of the agency and the sensitivity of job functions, he says. "If I'm the operator of a nuclear power plant, I don't think anything should be allowed on that [computer] desktop that doesn't have to do with running that power plant," Linder says.

Agencies also should create a detailed policy about what can be loaded onto PCs and laptops. Most important, IT managers then must check individual PCs and laptops to "make sure people are following it," Lindner says. Setting an office policy can define "the things you should not do and the things you're allowed to do based on your business model," he says. "Just highlighting the stuff you cannot do is a bad way to write policy."

One way to let employees know what they can do is to create "white lists" of approved applications and popular Web destinations that employees can download and visit, says Shawn McCarthy, analyst at Government Insights, a Falls Church, Va., IT consulting firm. IT administrators sometimes are reluctant to embrace this approach because it's a big job, and they should not be setting business policies, he says. But the trick, McCarthy says, is to find "the right balance between individual productivity and the needs of the IT department."

Andrew Noyes is a senior writer for National Journal's Technology Daily.