October 11, 2001 12:25 PM PDT
Security pros cautious on government Net
Actions as simple as a government employee connecting a nonsecured computer to the network or loading data from a diskette could compromise the entire system, experts said.
"It still is a really good idea," said Bruce Schneier, president of network-protection company Counterpane Internet Security. "But you really have to physically separate the networks."
On Wednesday, Richard Clarke, the newly appointed presidential adviser for cyberspace security, and the General Services Administration called for industry leaders to help develop blueprints for a secure and separate government Internet.
Dubbed "Govnet," the proposed computer network would use Internet protocols but would be completely shut off from the public Internet. The network would be the third U.S. Internet, adding to the current public Net and the classified military network that is a completely separate system. University researchers also are developing an Internet 2 for academic use.
The Govnet proposal also requires that the network use encryption to protect all data and be immune to cyberattacks, worms and viruses.
Yet Schneier said such threats are hard to dodge.
"Even if you separate the networks, that doesn't mean you are immune to attacks," he said.
The LoveLetter virus proved that point last year when the Pentagon admitted that four of the computers on its classified network had been infected by the virus.
While the Pentagon said LoveLetter did not spread to other systems, somehow the program had been able to jump from the Internet to the military's classified network, a feat that is not supposed to be possible.
"You have to ask, with all these attacks, is (something like Govnet) really going to do the job?" said Steve Bellovin, network-security researcher for AT&T Labs.
Bellovin questions whether the government, which by definition deals with the public on a regular basis, can really keep the networks separate and still make Govnet useful. Add to that the decisions about who gets access to the network, the headaches of dealing with many different government departments and all the equipment that would need to be administered, and you have a recipe for an insecure network.
"This is not necessarily the wrong thing to do," he said. "But when you have a system with that many firewalls and gateways, it is hard to guarantee security."
Instead, hardening smaller networks and connecting them over the Internet may deliver better security, he said.
"The general approach is a reasonable approach," Bellovin said. "It may be more like a speed bump rather than a barrier (to attack)."