New debate in Washington D.C. could change how people use work computers for their own e-mail and social media.

There was a ban on using work computers for anything personal, remembers an employee we’re calling T.B.

But when she went into to her manager’s office to ask a question about an assignment, she saw her boss planning a weekend getaway on a work laptop. 

“Just don’t do it a lot,” her boss said dismissively.

But this issue, once a matter of willpower, is now a matter of security. National security.

Even the head of the Department of Homeland Security is in trouble for allegedly using personal e-mail accounts on DHS computers in counter to U.S. security policy, and there is a bill underway that could prevent federal employees from using their own e-mail accounts at work.

The problem with e-mail

You’re not hurting anything by checking your e-mail at work, right?

Not true, say cybersecurity experts.

“E-mail is inherently insecure,” said Paul Golden with Archer Security Group.

“Over an over again in the last few years, we’ve seen advanced attacks start with malicious e-mails,” added Jim Feely with Archer Security.

Massive data breaches, hackers holding business systems for ransom, attackers siphoning out millions of dollars—all starting with an electronic message.

Surveys show that people are all-too-ready to click on links and attachments without checking to see if they are legitimate. And spearphishers are able to social engineer even skeptical e-mail users into entering their passwords and user IDs.

“Most personal e-mail services provide access over an encrypted connection,” said Feely. “In many cases, the encrypted connection can prevent corporate security tools from checking for and acting on malicious code and activity.”

Big guy in trouble

The head of the Department of Homeland Security is now under investigation after reports he used personal e-mail on government computers, according to FCW.

The House Committee on Oversight and Government Reform sent him a letter last week saying that federal policy bans personal e-mail use on work computers, and demanded that he provide information about how and why he allegedly violated policy.

Last year, a Bloomberg View article reported that DHS secretary Jeh Johnson and 28 of his senior staffers had been using their personal e-mail on work computers for more than a year.

“Top DHS officials were granted informal waivers, according to a top DHS official who said that he saw the practice as a national security risk,” the article said.

Johnson said the article made him change his behavior, reported NBC News.

“When I read the story I said, ‘You know whoops this is not a good practice so I should discontinue it’,” Johnson, according to NBC. “[It’s] probably not an appreciable [risk] but one that probably should be eliminated so I’m eliminating it.” 

Now, eight months later, he may have explain his “whoops” in great detail. 

“Nothing in the directive justifies permitting senior DHS officials to continue access to personal email accounts from DHS computers for a limited time, let alone permitting open-ended access through an ‘informal’ waiver process,” wrote the committee chairman, Rep. Jason Chaffetz (R-Utah) in the letter.

Risk

Though Johnson downplayed the dangers, there is an appreciable risk on a number of levels, some cybersecurity experts say.

“The security justification for banning personal email is that those personal accounts are not pre-screened for spam or malware the way that the government email is,” said Patrick Coyle with Chemical Facility Security News.

Agencies like DHS are targets for nation-state actors, said security analyst Ken Westin, according to NBC News, and people like Johnson have a higher risk of being targeted than the average government worker, because they are high up on the food chain.

“Executives are people that are in a position of power and have access to data,” Westin said in the article. “People that have access to sensitive information… that’s definitely something they should not be doing.”

There are other issues at play as well.

“The other reason for banning personal email in government offices is that there is a justified concern that those private e-mail systems will be used to bypass government records rules for official communications,” said Coyle. 

‘Whoops’ or not ‘whoops?’

Johnson said he used his government e-mail for official work, and his personal e-mail for personal matters, NBC reported.

Some say there could be more to the story.

“They have an exception process for allowing what he did, and I can think of more than one reason why the Secretary of Homeland Security wouldn’t want communication methods to be documented,” said Daniel Lance with Archer Security.

“You have to try showing misuse in these cases. Even if intelligence information was in transit on these private accounts, who are we to say that the oversight committee hasn’t stumbled upon an intelligence project at the higher levels of our national security?” he asked.

Enforcing the rules

Restricting the use of personal e-mail in a sensitive environment is a good security practice, said Feely. 

Companies need to protect their technology infrastructure, said Golden.

“Most organizations now have an ‘Appropriate Use Policy’ presented to employees upon their first day of employment,” Golden said. “They know the identified risks and the published policy. Violations of any policy should be met with responses including revocation of access, suspension of accounts, disciplinary actions, and possibly prosecution.”

Johnson may end up facing some sort of reprimand. But the case shows one of the underlying issues with personal e-mail bans.

“The problem that most employees have with security rules is that they frequently see management ignoring or bypassing those rules,” said Coyle. “The fact that the DHS secretary has publicly been outed ignoring the ‘no personal email accounts’ rule makes it harder for lower-level managers to enforce that standard.”

Right to check e-mail?

A bill is in the works to allow federal agencies to ban personal e-mail on government computers for security reasons, without having to run the issue through unions.

There is an ongoing dispute between government agencies and federal employee unions over the issue, with unions saying checking personal e-mail at work is a negotiated benefit, reported Nextgov.

“If agency directors are obstructed from taking immediate action to protect employees’ information without first going through collective bargaining, federal agencies are more vulnerable to attack,” Chaffetz, and the bill’s sponsor, Rep. Gary Palmer (R-Ala.), wrote in an op-ed in the Washington Times last month. “It is critical that Congress intervene and help make every effort to strengthen our cyberdefenses.”

Some say the bill goes too far, allowing agencies to “‘taken any action’ it determines is needed to reduce security weaknesses,” according to Nextgov.

“No matter what you believe about blocking employee access to e-mail, this bill goes so far beyond that it loses the point,” Rep. Elijah Cummings (D-Md.) said in a statement, Nextgov reported.

“When employees have a union contract, it is only to be expected that some of those upset employees are going to file a grievance,” said Coyle. “The fact that there appears to be an unofficial waiver process that allows some employees to continue to check their e-mail just makes it more likely that any grievance filed will be upheld.”

What now?

Banning personal e-mail at work could present a new risk, according to cybersecurity experts.

“Strong, effective enforcement of this rule is just going to end up with the employees checking their emails on their phones while using DHS WiFi access,” said Coyle.

Indeed, the secretary of DHS said he would now check his personal e-mail on his personal mobile device, according to NBC News.

“That will change the security vulnerability somewhat, but it will also make it harder for the government to monitor that use,” said Coyle. “ instead, we will have security issues arise from employees checking their social media accounts on their cell phones over government WiFi connections.”

Another option—companies could give employees “isolated” access to the Internet for personal e-mail, said Feely.

He said companies can create a separate WiFi network for workers, set up special kiosks for checking personal e-mail, or give them access to “virtual machines,” outside of sensitive networks.

“I think it’s in an organization’s best interest to separate all Internet-accessible e-mail, including their own, from critical systems,” Feely said.