GovNet's fate hangs on policy

Industry leaders have weighed in with ideas on how to build GovNet, an Internet-like private network for critical federal systems, and federal security experts will start evaluating those ideas next week. But in the end, policy — not technology — will decide whether GovNet is actually built, experts say.

Late last month, the General Services Administration received 167 responses from vendors — including Sprint, AT&T and Computer Sciences Corp. — to a request for information. Beginning this week, 16 federal security experts will meet to evaluate the proposals; they will submit a report to the White House in February 2002. In the meantime, Carnegie Mellon University's Software Engineering Institute will perform an independent evaluation.

Based on those evaluations, government officials will decide whether or not to go forward with GovNet. Although the need for tighter security on certain federal systems is clear, GovNet's future is not, said Richard Clarke, President Bush's cyberspace security adviser, speaking last week at the Business Software Alliance's Global Tech Summit in Washington, D.C.

"It's not a program yet," he said. "It may never be, but I hope it is."

GovNet would likely host air traffic control and other systems the country cannot afford to leave vulnerable to the sort of disruptions and attacks now common on the public Internet. The idea for such a network surfaced in the security community last year. Following the Sept. 11 terrorist attacks, Clarke quickly issued a request for information from private industry on possible technical solutions.

As part of the evaluation process, Clarke and GSA officials will undertake the normal process of defining and refining technical requirements. The most complex part of that analysis will be reconciling the many security policy requirements across the 16 or more agencies that may be involved in GovNet, said Tony Cira, vice president of defense programs at AT&T.

"The technical problem of building a security network is hard, but it's not that hard," he said. The concept of GovNet is not universally welcomed. John Stenbit, chief information officer at the Defense Department, has questioned the usefulness of a separate network. Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee's Subcommittee on Technology and Procurement Policy, has requested a General Accounting Office review of the GovNet concept to ensure that its backers have a good business plan and realistic goals.

Forrester Research Inc. released a report in October saying that GovNet sounds great in theory, "but it simply won't work. A massive, completely partitioned government network is a pipe dream."

Given the number of responses to Clarke's request, however, it is clear that plenty of companies think they can provide the type of service he seeks, said Warren Suss, president of Warren H. Suss Associates, a consulting firm.

Many companies' proposals included several technical alternatives. One of those company-specific solutions may be the answer, or the government may end up using an integrator to bring together the individual products and services to develop a solution, Clarke said at the conference.

"It might be a bundling of existing departmental intranets, [and then it] may be truly cost-effective to have a private line for them," he said.

For their submissions, network service providers Sprint and AT&T offered a range of solutions that varied in price, level of security and scalability.

"It's really dependent on how much of the public infrastructure one would want to use," said Tony D'Agata, vice president and general manager of Sprint's Government Systems Division.

Sprint's main suggestion to the evaluation team is to use existing contracts to put a solution in place quickly and expand it later, D'Agata said.

It may be possible to start small, supporting a couple of critical agencies' systems with capabilities that companies are already providing for civilian networks, AT&T's Cira said.

The government could use DOD's Secret IP Router Network as a model for GovNet, Cira said. But "a lot of the [civilian] agencies have never dealt with classified information, so it's not that they can't [use it]. They'll just have to go through a learning process," he said.

Government officials must consider using the existing infrastructure because Congress is not likely to support funding a second network at each agency, said David Bittenbender, CSC's vice president for network services.

"In order to accomplish what [Clarke] wants to accomplish, it can be done, but it's going to require the integration of many services and infrastructures," he said.

Beyond all of these policy decisions, one of the issues Clarke must face — and decide on before issuing a request for proposals — is "whether GovNet will be able to command the real new dollars to address the problem," Suss said. "If GovNet succeeds, it will be because they can make a compelling business case to the administration for new dollars."

***

The GovNet vision

Private companies had until the end of last month to respond to a request for information for GovNet, a secure intranet for critical federal systems.

They had to incorporate the following scenarios into their responses:

* GovNet will be a private IP network shared by government agencies and other authorized users only, with no interconnections or gateways to the Internet or other public or private networks.

* GovNet will provide commercial-grade voice communications capabilities within the network among specified users. Adding video communications is a secondary requirement. Both capabilities must have no outside communications or gateways.

* GovNet will be immune from disruptions that affect the public Internet — in particular, malicious or intentionally disruptive activities (e.g., denial-of-service attacks) and malicious code (e.g., computer viruses).

* GovNet will provide the highest levels of reliability and availability, and traffic will be secure enough (i.e., encrypted using techniques approved by the National Security Agency) to carry classified information.

* GovNet will provide initial operational capabilities within six months after contract award. Within 12 months, voice and video capabilities will be available on GovNet.