Exclusive: Cash for Slackers, Part III

Last of a Three-Part Series

It would be reasonable to think that immediately stopping terrorists and foreign spies from breaking into government computers would be an urgent concern for all federal workers at places like the Dept. of Homeland Security and U.S. Customs and Immigration Enforcement.

Think again.

The American Federation of Government Employees (AFGE) union last year fought for a grievance alleging that Homeland Security blocked government workers’ access to web-based email on their work computers “without first satisfying its bargaining obligations to the union,” the case file says. Federal workers can visit their webmail accounts on their own personal mobile devices, though officials say policies are somewhat unclear about such use at work.

Web-based emails are often prone to being loaded with computer viruses and malware, cyber security experts have told FOX Business. The CIA, Dept. of Defense, the FBI, the Nuclear Security Agency, Homeland Security, as well as the White House number among the federal entities hit by cyber hackers. Officials and cyber pros believe terrorists or nation states are trying to break in, noting the easiest way is via Internet-based emails like Hotmail or Gmail freighted with phishing malware.

In fact, the federal government is under daily attack by cyber thieves and cyber spies, government officials warn. Just last week, cyber thieves believed to be from Russia broke into the IRS via an online service for taxpayers and stole personal tax information for 104,000 individuals in order to get fraudulent tax refunds, now estimated at $50 million.

Due to concern over the rise in cyber-attacks, the Dept. of Homeland Security and U.S. Customs and Immigration Enforcement have blocked personal webmail accounts on government computers. But the federal union has demanded collective bargaining on the policy change.

The decision for the union grievance dated July 14 says that Homeland Security noted it has “sole and exclusive discretion” to “determine its network-access policies, in other words, the right to determine those policies without bargaining at all with the union,” citing the Federal Information Security Management Act of 2002 (FISMA). The agency added that the “arbitrator’s direction to bargain [with the union] over such matters is contrary to law.”

The case file notes: “Following months of discussion among agency managers about whether to block webmail access on the agency’s network, the agency notified the union that it had decided to terminate employees’ webmail access, effective one week after the notice. When the agency instituted the webmail block without bargaining, the union filed a grievance.”

Homeland Security cited “Congress’s concern with terrorists, transnational criminals, and foreign intelligence services using tools such as computer viruses, Trojan horses, worms, logic bombs, and eavesdropping sniffers” to “destroy, intercept,” even shut down federal government computers. Homeland Security officials also noted the “urgency of webmail security threats required that it act without bargaining first.”

The threat is so serious that, since the law was enacted in 2002, two Administrations, six Congresses, and several federal courts have reaffirmed the federal cyber security mandate, without union interference, notes Patrick Pizzella, one of three officials at the Federal Labor Relations Authority adjudicating fights between federal agencies and their union workers. Pizzella served for seven and a half years as the chief information officer at the U.S. Department of Labor under President George W. Bush.

But the arbitrator on the case ruled Homeland Security “improperly blocked” union workers’ “webmail” on government computers, adding it “violated its bargaining obligations” with the federal worker union “in instituting the webmail block.”

The security agencies, though, were not directed by the arbitrator to restore workers’ access to email. “Instead, he directed the agency to bargain over the impact and implementation of the change in webmail access,” the case file notes. The security agencies now block webmail accounts at work. For example, “effective Sept. 8, 2011, ICE employees were no longer able to access personal webmail accounts on any DHS (Homeland Security) network,” says Gillian M. Christensen, spokeswoman for Immigration and Customs Enforcement. Union officials want their federal bosses to negotiate with them in collective bargaining over policy updates in order to help workers deal with changes their employers make in the workplace.

According to the case file, the way Congress wrote the FISMA law, “Congress signaled that collective bargaining is wholly compatible with management’s right to determine internal‑security practices.”

The concern here is that malware often pops up in company networks months after the fact, disrupting tens of millions of consumers—for example, the cyber breaches at places like Target (NYSE:TGT), Anthem/Blue-Cross Blue Shield, JPMorgan Chase (NYSE:JPM), and Home Depot (NYSE:HD).

It takes victim organizations on average 205 days to discover that their digital networks have been compromised, the cyber-attack research firm FireEye (NASDAQ:FEYE) says. Meanwhile, a quarter million new malware files are put into circulation over the Internet every day, cyber pros at PandaLabs estimate.

AFGE’s attempt to stop email blocks undermined “a key component of the Federal Information Security Management Act,” FLRA official Pizzella wrote in his dissent.

Pizzella also added a scary back story here: “In this case, the agency has a mere thirty-six employees to monitor an IT [information-technology] system that is used by 30,000 employees deployed around the globe. During the four years that cover this grievance, the agency experienced daily malware attacks (not unlike those inflicted on other federal agencies as noted above).

“Despite repeated warnings from senior agency officials and ongoing training efforts, a significant ‘uptick in mail infections and privacy spills’ occurred in February 2011. The agency determined that the ‘uptick’ resulted primarily from employees accessing personal webmail accounts on their work computers. As a consequence, the agency notified all employees that they would ‘no longer be able to access personal webmail accounts on any [agency] network.’”

Pizzella noted: “The arbitrator effectively determined, and my colleagues agree, that the agency may not take any action to reduce security risks to its IT systems, without first providing the Union an opportunity to bargain.”

Meanwhile, in a case that wraps teleworking and cyber threats together, the U.S. Postal Service late last year suspended its teleworking program for workers after a major cyber security breach was discovered that compromised the personal information of as many as 800,000 current and former Post Office employees. The hack was believed to emanate from China.

Post office workers were working from home, logging onto a virtual private network to do their jobs. But the network “was identified as vulnerable” to cyber hacks, and was made “unavailable” as the Post Office works “to make modifications to this type of remote access” to its networks, according to a document distributed to employees.

But the Post Office’s biggest union wasn’t having any of that. It slapped the Postal Service with charges, alleging it mishandled the teleworking program and delayed disclosing information about the hack. “We have already filed charges with the National Labor Relations Board protesting the Postal Service’s failure to bargain over the impact of the security breach,” Mark Dimondstein, president of the American Postal Workers Union, said in a letter to union members. The Post Office defended the delay as necessary because it would have put its “remediation actions in jeopardy.”