Is a unified .gov network the way to go?
The Commission on Enhancing National Cybersecurity made 53 recommendations last year, but some experts are questioning the call to create a unified .gov network.
In December, President Barack Obama's Commission on Enhancing National Cybersecurity delivered a final report that included 53 action items. While many were fairly non-controversial and have broad support, one recommendation to unify civilian agencies under a single network has raised some eyebrows.
"The idea of one civilian network is that it would allow for almost like a contained way of ensuring email security, encryption, etc. across all agencies," an official affiliated with the cyber commission told FCW.
"It creates a baseline level of security as well as a level of efficiency and looking at the disparate capabilities and resources of the multiple agencies, that the idea being that this would ensure security and efficiency," said the official.
The official said the recommendation of creating a centralized .gov network is intended to be phased in over time, with agencies gradually joining the network and evaluating its effectiveness and security.
One individual who has wrestled with a similar question is Department of Defense CIO Terry Halvorsen. He's been working to reduce the number of DOD networks, but he doesn't believe the goal for DOD or the civilian agencies should be a single, unified network.
"Do I think we could do with less networks across the civilian spectrum just like we are going to continue to reduce some networks in the DOD? Yes," said Halvorsen at a recent media roundtable at the Pentagon. However, he said, "I don't know what that number is for the federal agencies."
Halvorsen said that to answer that question, agencies must first assess what their core missions are.
He said if an agency's mission looks like a commercial or business enterprise, "then you probably can use a more common network structure."
Halvorsen suggested NASA as an example of an agency that doesn't fit the commercial mold. "My guess is that that would be an agency that might need its own network."
Halvorsen said DOD and the civilian agencies alike should be focusing what having fewer networks really accomplishes.
"Could you have functional networks?" he posed. "Could you say that within the government…even at DOD, maybe everybody ought to be on the same HR network? Those things are common, at least somewhat common and maybe that's a place to go look. Could you be on the same financial networks and then deviate when it came to your mission networks?"
"I don't know the answer to that yet, these are questions we will continue to work through at DOD and I know that also the federal, other federal agencies are working through those same type of questions," he said.
The official affiliated with the cyber commission conceded that not all agencies and functions should necessarily be brought into the common network. "That's why it's a phased-in approach to evaluate the security of it and what should get put on it," the official said.FCW recently interviewed two professional hackers who spoke on background because they were not authorized by their organizations to speak with the media. While they acknowledged there could be some cost savings and efficiency gains by moving to a common civilian network, they advised against such a move. From a hacker perspective, they said, a unified system that contains even more data simply becomes a bigger target.
They argued that it is still safer to have distributed and disconnected systems so that when they are breached -- and they will be because no system is hack-proof -- there is less to exfiltrate and less potential impact to agencies and individuals.
The commission weighed those security and centralization concerns when making the recommendation, according to the official contacted by FCW. The current federated system means agencies are not upheld to a common baseline of security; as a result, there are extensive vulnerabilities that could be eliminated by moving to a unified system.
"The security risks to not doing it were outweighed by the intent of creating a stronger, secure network through procuring current effective technology that evolves the way a MasterCard would, or an IBM would or a Fortune 100 conglomerate," said the official.
The official stated the question now is whether the new administration will accept the recommendation and agree with moving to one network, or simply focus on reducing the overall number.
Either way, action is essential, said the official: "Saying 'well we should keep everything as is' is an excuse for complacency on security."