The Bush administration’s plan to build a multibillion-dollar secure government intranet to protect critical federal systems from security problems associated with the Internet may be flawed, critics contend.
U.S. Rep. Sherwood L. Boehlert (R-N.Y.), chairman of the House Science Committee, acknowledged last week that Richard Clarke, chairman of the president’s Critical Infrastructure Protection Board, is highly qualified to advise the president on cybersecurity. But he questioned Clarke’s plan to disconnect the government from the Internet.
“I’m not sure that simply walling off government networks . . . from the Internet is the right policy or whether such a system will actually improve security,” said Boehlert.
According to an outline of the project released by the government, the key feature of the proposed intranet, which has been dubbed GovNet, “is that it must be able to perform functions with no risk of penetration or disruption from users on other networks, such as the Internet.” The government wants GovNet to be a private voice and data network based on Internet protocols but with no connectivity to commercial or public networks.
“Our first priority is to ensure that the federal government is securing its own systems,” said Paul Kurtz, director of critical infrastructure protection for the National Security Council.
Boehlert isn’t alone in his skepticism about the GovNet concept.
Vinton Cerf, senior vice president for Internet architecture and technology at WorldCom Inc., said that although he can sympathize with the government’s desire to guarantee the availability of network services during times of crisis, security through isolation “is likely to prove only partially effective.”
James Woolsey, who served as CIA director under the Clinton administration, said GovNet wouldn’t protect against the fundamental network security threats posed by insiders and highly skilled hackers. Rather than improving security, GovNet would create “something in which there is a huge premium for Iraqi intelligence or Osama bin Laden to find some American who is willing to help him and be a clever hacker,” Woolsey said at a security forum last month.
When Clarke first raised the subject of a series of virtual private networks (VPNs) for both government and e-businesses at a conference on Internet security in May, the idea received a cool reception from industry leaders.
Ken Watson, director of critical infrastructure protection at Cisco Systems Inc., said, “I don’t think it’s viable on many levels.”
George Samenuk, CEO and president of Santa Clara, Calif.-based Network Associates Inc., also dissented. “A VPN defeats the purpose, because most of the attacks are internal,” he said.
Ironically, the U.S. Justice Department on Oct. 23 filed an indictment against a TRW Inc. employee who was arrested last year for using his authorized access to the intelligence community’s secure intranet, known as Intelink, to download classified information and sell it to China.