The Bush administration's plan to build a multibillion-dollar
secure government intranet to protect critical federal systems from
security problems associated with the Internet may be flawed,
according to critics.
The key feature of the proposed intranet, which has been codenamed
GovNet, is "that it must be able to perform functions with no risk
of penetration or disruption from users on other networks, such as
the Internet", said the US government in an outline of the project.
The government wants GovNet to be a private voice and data network
based on Internet protocols, but with no connectivity to commercial
or public networks.
"Our first priority is to ensure that the federal government is
securing its own systems," said Paul Kurtz, director of critical
infrastructure protection for the National Security Council.
However, Sherwood Boehlert, chairman of the House Science
Committee, said: "I'm not sure that simply walling off government
networks from the Internet is the right policy or whether such a
system will actually improve security."
Vinton Cerf, WorldCom's senior vice-president for Internet
architecture and technology, said that although he sympathised with
the government's desire to guarantee the availability of network
services during times of crisis, security through isolation was
"likely to prove only partially effective".
James Woolsey, who served as director of the CIA under the Clinton
administration, said GovNet would not protect against the
fundamental network security threats posed by insiders and highly
skilled hackers.
Rather than improving security, GovNet would create "something in
which there is a huge premium for Iraqi intelligence or Osama bin
Laden to find some American who is willing to help him and be a
clever hacker", Woolsey said at a security forum last month.
When Richard Clarke, chairman of the president's Critical
Infrastructure Protection Board, first raised the subject of a
series of virtual private networks (VPN) for both government and
e-businesses at a conference on Internet security in May, the idea
received a cool reception from industry leaders.
Ken Watson, director of critical infrastructure protection at Cisco
Systems, said: "I don't think [the concept is] viable on many
levels."
George Samenuk, chief executive and president of Network
Associates, added: "A VPN defeats the purpose, because most of the
attacks are internal."
Ironically, the US Department of Justice filed an indictment on 23
October against an employee of global technology and services
company TRW, who was arrested last year for using his authorised
access to the intelligence community's secure intranet - known as
Intelink - to download classified information and sell it to
China.
"The problem is that not everyone in the government is guaranteed
to be on our side," said Woolsey.