Microsoft strategist skeptical of governmentwide intranet

Microsoft's chief security strategist is skeptical of the value of GovNet, a government-wide intranet for which the Bush administration is seeking $5 million in funding in fiscal 2003.

In an interview last week with reporters from National Journal's Technology Daily, Scott Charney, who is a former top cybercrime official in the Justice Department, questioned the need for a network closed to the public Internet when emergency, state and local authorities must communicate with federal agencies.

"The thought of, 'Let's tie fiber together and create a government-only network that keeps everyone out,' sounds like a great idea. But there is a problem," Charney said. "You can't be effective as a government if you cut everyone out."

Richard Clarke, director of the White House Office of Cybersecurity, proposed GovNet after the Sept. 11 terrorist attacks as a way to ensure that the government can communicate while being less vulnerable to attack. Though there has been no decision on building the intranet, Clarke's office has determined that the plan is feasible and asked Congress for money to further study its effectiveness.

Given that the Internet functioned more reliably than telecommunications on Sept. 11, Charney suggested that the government's focus should be on strengthening authentication tools, encryption and virtual private networks (VPNs) instead of creating an entirely new network.

"The response to the World Trade Center wasn't just government agencies," said Charney, who replaced Howard Schmidt when Schmidt left Microsoft earlier this year to become Clarke's No. 2 contact on critical infrastructure within the administration. "It was everyone--federal, state and local ... and you are talking about building GovNet for critical infrastructure protection and to respond to terrorism. I wonder how that works?

"You have a public Internet already, and you can secure it through VPNs, encryption and better authentication ... so what does GovNet get you?"

Charney said the government can play a role in cybersecurity by investing in long-term research and development on making the Internet more secure, as well as educating the public on the issue. As the largest purchaser of information technology in the country, the government also can drive increased security on the Internet, he said. That can be accomplished by deciding which products are best for security and interoperability that in turn can serve as models for the private sector.

Charney also addressed Microsoft's security efforts. He said the company's recent "trustworthy computing" initiative--in which company Chairman Bill Gates in February directed all programmers to comb software code for security bugs--was an effort to make computers as safe and reliable as plugging a lamp into an electrical socket. He also insisted that Microsoft has undergone a real cultural change in considering security as it produces new products.

"Computers have not been that simple," he said, referring to the "blue screen of death," or what happens when a Windows operating system malfunctions or encounters incompabilities. "If this technology is to achieve its potential, it must be not only reliable but resilient to attack."