“How collective bargaining undermines cybersecurity”

After the Immigration and Customs Enforcement Agency (ICE) noticed a rash of malware infections, it told employees to stop accessing personal webmail accounts from their government computers. Oh, no, said the American Federation of Government Employees (AFGE), which grieved the change as having been made without prior bargaining with the union. An arbitrator agreed, ruling that “federal law did not give federal agencies ‘sole and exclusive discretion’ to manage its information technology systems.” ICE appealed, but the Federal Labor Relations Authority (FLRA) “also sided with the union.” [Washington Times]

P.S. Reports of problems at the U.S. Embassy in London suggests that controls on employee use of at-work computers to send and receive private email might need some tightening up at the State Department too.


  • Heh. next there’ll be a grievance over unsafe working conditions. “accessed banking site at work, keylogger stole my password, employer failed to properly secure information infrastructure…”

  • Stupid. I used to routinely block all outbound mail protocols, and flag them in seclog. Same as for anonymizing proxies.

    Not your system, big shot.

  • The Washington Times article is very misleading.

    Basically, for certain things, the law mandates that the management offer the union the chance to negotiate how to implement changes in the workplace. In other things, there is no duty to negotiate.

    The grievance is over impact and implementation of the edict, not the edict itself. Argue amongst yourselves what Congress intended. But if, as the FLRA found, Congress did not intend to exempt this from bargaining, blame Congress, not the unions.

    There certainly is a relatively easy fix. Or there would be if Congress could ever agree on something.

    This is the penultimate paragraph of the majority FLRA opinion: http://src.bna.com/c0Z

    Finally, we note that the Arbitrator did not direct the Agency to restore employees’ access to webmail, or to bargain over the substance of the change; he directed bargaining over only the impact and implementation of that change. Thus, nothing in the award or our decision requires the Agency to bargain over proposals that actually conflict with law or government-wide regulation, including FISMA. Rather, we hold only that the Agency has not demonstrated that the cited provisions of FISMA foreclose bargaining altogether.

    • “Basically, for certain things, the law mandates that the management offer the union the chance to negotiate how to implement changes in the workplace.”

      Security of government systems/facilities should absolutely not be one of those things.

      • MattS,

        You make a good point and that is the issue that should be debated. Unfortunately, the Washington Times article misses the point completely.

  • The State Department might need to more closely regulate the use of private email by employees and officers? I cannot believe it.

  • Labor negotiations aside, just how dumb are the people working for ICE and State and probably the rest of the government. I use free email from a well-known name, and I have never once gotten any kind of virus on my home computer. No virus, no spyware, no nothing, just by not opening emails from people I don’t know. Our country is sliding away because people are too damn dumb to care what they do and who they hurt when doing it. I really do have to wonder who ties their shoes for them every morning.

  • The government lost to NLRB because real cybersecurity requires FLOSS OS invulnerable to consumer malware.

  • […] "How collective bargaining undermines cybersecurity" (overlawyered.com) […]