US government's intranet plans under fire

The Bush administration's plan to build a multibillion-dollar secure government intranet to protect critical federal systems from...

The Bush administration's plan to build a multibillion-dollar secure government intranet to protect critical federal systems from security problems associated with the Internet may be flawed, according to critics.

The key feature of the proposed intranet, which has been codenamed GovNet, is "that it must be able to perform functions with no risk of penetration or disruption from users on other networks, such as the Internet", said the US government in an outline of the project.

The government wants GovNet to be a private voice and data network based on Internet protocols, but with no connectivity to commercial or public networks.

"Our first priority is to ensure that the federal government is securing its own systems," said Paul Kurtz, director of critical infrastructure protection for the National Security Council.

However, Sherwood Boehlert, chairman of the House Science Committee, said: "I'm not sure that simply walling off government networks from the Internet is the right policy or whether such a system will actually improve security."

Vinton Cerf, WorldCom's senior vice-president for Internet architecture and technology, said that although he sympathised with the government's desire to guarantee the availability of network services during times of crisis, security through isolation was "likely to prove only partially effective".

James Woolsey, who served as director of the CIA under the Clinton administration, said GovNet would not protect against the fundamental network security threats posed by insiders and highly skilled hackers.

Rather than improving security, GovNet would create "something in which there is a huge premium for Iraqi intelligence or Osama bin Laden to find some American who is willing to help him and be a clever hacker", Woolsey said at a security forum last month.

When Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, first raised the subject of a series of virtual private networks (VPN) for both government and e-businesses at a conference on Internet security in May, the idea received a cool reception from industry leaders.

Ken Watson, director of critical infrastructure protection at Cisco Systems, said: "I don't think [the concept is] viable on many levels."

George Samenuk, chief executive and president of Network Associates, added: "A VPN defeats the purpose, because most of the attacks are internal."

Ironically, the US Department of Justice filed an indictment on 23 October against an employee of global technology and services company TRW, who was arrested last year for using his authorised access to the intelligence community's secure intranet - known as Intelink - to download classified information and sell it to China.

"The problem is that not everyone in the government is guaranteed to be on our side," said Woolsey.

Read more on Antivirus, firewall and IDS products