GovNet Proposal Sparks Plenty of Ideas, Debate

The General Services Administration is gearing up to evaluate comments from 167 companies on the creation of GovNet, a new, secure intranet for federal agencies.Advanced by the president's cybersecurity adviser Richard Clarke as a way to ensure secure federal communications, GovNet poses a difficult challenge on a number of fronts. First is the sheer volume of comments the GSA must review before making its recommendations by the end of January. The administration also will have to find funding for GovNet, which at least one analyst said could cost $1 billion or more. Finally, some are questioning whether creating a separate, government-only network is the best way to ensure that agencies have totally secure networks, especially in times of national disaster. "I'm not convinced the best use of government funds is to build yet another infrastructure," said Amit Yoran, president and chief executive officer of Riptech Inc., an around-the-clock network security monitoring firm in Alexandria, Va.Yoran said the ideas generated by the GovNet request for information are useful, but the federal government should also look at taking some of the responses and incorporating the suggestions into better security for existing systems.Rep. Tom Davis, R-Va., chairman of the House Government Reform subcommittee on technology and procurement policy, is asking similar questions. On Nov. 29, Davis requested that the General Accounting Office review the government's plans for GovNet, even though there is no commitment to implement the intranet. Davis said his subcommittee is interested in identifying GovNet's key risks and costs."Davis wants some reassurance as to the process and underlying goals [of GovNet], given the large scope and high cost of this project," said David Marin, the congressman's spokesman.Since he took over in October as the president's cybersecurity adviser, Clarke has been sounding warnings about the federal government's vulnerability to cyberattack, especially "denial of service" attacks that could disrupt existing networks."Virtual private networks are secure from an encryption attack but aren't secure from these denial attacks," an administration official said, explaining why the government needs a standalone network. "If the router is brought down, it could impact the ability to communicate."At Clarke's request, the GSA released a request for information Oct. 10 soliciting ideas from industry for creating GovNet as a standalone network, with "no interconnections or gateways to the Internet or other public or private networks." This new, government-dedicated intranet would provide commercial-grade voice communications capabilities with the potential to add video communications.Although GSA is handling the contract vehicle for GovNet, Clarke is "the key to the whole thing. ... He's in charge," said a government official familiar with the procedure.GSA has assembled a team of representatives from 16 major federal agencies to evaluate the industry comments for GovNet. The Software Engineering Institute of Carnegie Mellon University is conducting a second, independent evaluation of the responses. Many companies submitted more than one alternative, so there are hundreds of scenarios to evaluate.An administration official said the assessment committee does not have hard-and-fast criteria for evaluating the proposals but is approaching them with an open mind."We might end up creating a next-step proposal that's based on a bit from a lot of different proposals," the official said.Many aspects of GovNet remain undefined, including cost. Ray Bjorklund, vice president of Federal Sources Inc., the McLean, Va., market research and consulting company, estimated it could be $1 billion or more.In addition to not setting a cost estimate for such a project, the RFI did not specify how many federal agencies would participate or how many users there might be. And while the RFI did say GovNet would initially provide intranet connectivity just within the continental United States, it did not specify the number of offices to be connected.Nevertheless, companies that responded to the GovNet RFI are excited about the project's potential, though several said they believe the government's goal of 100 percent security is not truly attainable and will be modified.Government officials said "both privately and publicly that their No. 1 criterion was security," said Mike Ligas, regional vice president for business development in the government systems division of Sprint Corp., Westwood, Kan. "Our solutions were along a spectrum that balanced different pieces of security, scalability, functionality and cost," he said. "Each of our proposals had a different mix: You can make something incredibly secure, but not usable and [wildly expensive]."Don Scott, senior vice president with Electronic Data Systems Corp., Plano, Texas, said GovNet is not technologically difficult, but the RFI's requirement that the network stop "at the door" ? not carry the capability all the way to individual desktops ? still leaves security concerns."Security always was and always will be a management issue," said James Duffy, managing director of International Information Systems Security Certifications Consortium Inc., a nonprofit organization based in Framingham, Mass., which certifies individuals in information security. "The security of such a network [as GovNet] would really be 90 percent dependent on the people using it."Other companies that told they responded to the RFI include: AT&T Corp., New York; Northrop Grumman Corp., Los Angeles; Symantec Corp., Cupertino, Calif.; and WorldCom Inc., Clinton, Miss.