GOVNET In the Works
gtg010b writes: "According to USA Today, the U.S. government is considering a private network to be used for all government communications. This network would be "separate from the Internet to keep it safe from hackers or terrorists" according to Richard Clarke, the head of the president's "cyberspace security adviser." Whatever happened to government not being above the people?" Clarke is the guy who's been crying "cyber Pearl Harbor" for a few years; apparently if you cry wolf long enough you get promoted. His request (.doc format) is informative. I should point out that the U.S. military already has such a network (I'm not even going to ask why the Feds can't piggy-back on it), so GOVNET would be for critically-important government agencies like the Department of Agriculture to communicate.
Most large government agencies already have extensive WANs. The Judiciary (third branch) has a WAN called the DCN (District Court Network) that connects all 92 Districts. To my understanding many agencies falling under the Department of Justice also have their own WANs.
Looks like a lot of the "GOVNET" is already in place.
So, they want to set up an intranet for the government. Why is this a bad thing? Should all corporations be required to use the internet for any and all communications between employees/remote sites/customers?
This is not a bad thing. It's a redundant thing. If you read up on DARPA and the creation of the Internet, you'll see that all that's being proposed has already been proposed some forty years ago or something. So commercial entities have the majority of sites on the Internet now. Big deal. The Internet was initially created just to handle this sort of thing.
Yes, if they want to do videoconferencing, etc., they'd need to beef up the bandwidth. You'd need something like an Internet2 or something like that. Oops. That's already in the works, isn't it?
(As an aside, when's the last time anyone used a .mil address? They're still valid TLDs, right?)
Where the wind blows, the tumbleweed goes.
Working for the military, I know that the US's classified network, which is shared with second parties (Britain, Australia, New Zealand, Canada), is physically separate from the internet. The only way we import stuff off the internet onto our network is to copy it to a CD using an unclassified system, virus scan it (and other measures), and place it in a classified machine.
All 5 countries have access to it, but classified stuff still has to be encrypted for transmissions. And we don't use commercial stuff for that; each country uses their own stuff.
The interconnection of the 5 countries allows us to share data as we see necessary.
This separation from the internet keeps the classified network safe from things like Code Red or any other viruses and worms.
I'm all in favor of the civilian government (even the all important USDA) and the military having separate networks. In the ideal world, this would be fine. The civilian governmental agencies could use the same network without problems and without interference.
Needless to say, this is not an ideal world. Do you think Billy Bob the Forest Ranger and Gordon the Beef Inspector (to use USDA examples) are going to do their part to keep the same network secure that James the Spy or Steve the Strategic Planner use? As the /. readership knows, your average public worker/9-5er doesn't know enough and hasn't been trained enough to do his/her part in network security (i.e. not writing the password on a sticky note posted on the monitor with the phrase "Network Password Don't forget!!!").
Moreover, the separation of civilian powers and military powers is an important American ideal. If some civilian agency (the GSA maybe?) is investigating the military, you usually don't want them seeing or interfering with your communications. That can't happen when your network admin takes military orders, and will knowingly break the law under orders. A civilian government employee, on the other hand, can legally refuse to break the law without retribution by the employer.
So, all in all, it's probably a good idea to keep the networks separate.
My email is real.
As is often the case this sounds like people who only know a bit about the technology and options making very expensive suggestions.
A few alternatives to consider:
The government expanding the network already in place for the "Internet 2" initiative (high bandwidth application testing), which currently exists between a network of universities, is already in place, and already has the fiber allocated and lit.
The government buying (or leasing in some form) some of the thousands of miles of dark fiber strung recently in the massive network infrastructure buildout.
Then, a second, more practical and important suggestion. The government's goals are to ensure secure communication, ensure access to critical government data (not so much websites but FBI photo files, satellite imagery, even census data), and ensure critical command infrastructures.
Look at how non-government agencies accomplish very similar tasks - banks use a web of network providers (usually at least two, often three) providing basic network connectivity to data centers; they often layer this with dedicated encryption (so that any traffic across public switched networks is encrypted); sometimes there are networks within networks (VPN tunnels etc.); and there is extensive (and expensive) redundancy of all systems (and usually key people).
This redundancy would be rather expensive and difficult for most government agencies - but it is likely required. This includes physical as well as technical redundancy (i.e. serious data centers have power from multiple power grids entering the building at multiple locations; similarly they have data leaving the data center in multiple ways).
Now the good news - the government could probably pick up seriously redundant data centers, servers, networking equipment, fiber (dark or lit but already in the ground) for a very reduced price with the recent consolidation and collapse of hosting providers and network equipment vendors.
Rather than using this to build an entirely separate network - if the government took the appropriate steps to secure and protect the system it could overlay the existing Internet without much difficulty.
(I would recommend of course that the government look at using the appropriate equipment for this job - i.e. secure and reliable OSes running on physically secured machines)
Hope someone reads this and expands on my suggestions.
- some disclosures - I do not currently work for the government - my company is a software and consulting firm that may in the future do business with the government.
-- Join us in Chicago May 1-4th for MeshForum -- writer, historian, tech geek, entrepreneur, internet junky since '91 --
I read your post and think it offers some interesting points but it's clear that you haven't worked in corporate IS, which might change a few perceptions.
1. The second some low-level government flunkie at the Bureau of Railroad Employee Retirement signed onto AOL to check his e-mail, boom, there's a gateway. - Nope - I can lock it down so he cannot even get to the site and without local admin cannot install anything - we already do this with Hotmail and Yahoo etc. due to people getting round our virus scanning and mail attachment restrictions by using Hotmail - thus infecting us in this way - it's simple proxy control and group policy application.
2. VPN and PPTP are great concepts but shitty in practical terms - we use it here for remote clients and it is the bane of my existence with failed clients and forgotten passwords - it's fine with a limited number of remote sites but it cannot be used to replace infrastructure in larger (5+ person) sites; the only solution there is Frame/ATM.
3. EOL sucked as it was simply AOL attempting to give corporates a cheaper intranet option back before internet access was a standard thing.
Drawing the tin can analogy is a joke - the guy who wrote the article is an idiot in many ways but don't oversimplify the argument like that. The fact is with IDSL and Frame and ISDN running a routed network for communication and a good firewall and admin policy (and staff) you can have a secure environment (even on MS products) and totally private - the environment this guy is describing covers this and I suspect in most cases is already in place; as for offsite I think stronger mail encryption for them and PPTP would be sufficient for limited exchange.
This is one guy trying to make a name for himself and he's doing it by stating the obvious.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
NASA Science Internet:
http://www.nsi.nasa.gov/
http://www-sisn.jpl.nasa.gov/ISSUE37/NSI.html
Way back in the day there was a reason or two to visit a .mil site. Or to use a .mil address, like if you were archie'ing or something. I can't even remember the last time I typed in .mil. When you think about it, that's really weird, since it's one of the few valid TLDs. There's .com, .net, .edu, .mil, and .org. (Before the new .biz, etc.) Whatever. I think it's weird, OK? :)
Where the wind blows, the tumbleweed goes.
'piggy backing' (as michael put it) wont work for many reasons. I'll explain one major reason:
A person's security clearance. There are multiple levels: Secret and Top Secret are the two most common for military and intelligence uses (there are other levels of classification, but I'm singling out these two for simplicity's sake). Hence, the mil and IC share TWO separated networks, a Secret and a Top Secret (both separate from each other and separate from the Internet). People with an S clearance cannot access the TS network. But people who are TS cleared can access the S network if their job deems it necessary.
Now for the rest of the government. Many agencies don't require a security clearance at all (ok, they do require criminal background checks, but that's about it). The question to ask is: do you really want uncleared people accessing a network made for classified data?
What I think is being proposed here is a third network that's an Unclassified standalone network (standalone meaning separated from the Internet). This will allow agencies like USDA or Agriculture and state/local governments to be separate from the Internet so that they become more immune to attacks and viruses.
The only issue here is when these people need to access the internet for real. Currently in the military, that means a few internet workstations shared by 30-50 people and each person having a classified box at their cube. If the job deems it necessary, people can have both at their desk. The problem here is an increasing number of computers.
IIRC, DARPA (or one of their contracts) is developing something that can allow a machine access to multiple networks simultaneously, yet keep everything separate. Whenever that gets done, that'll save money on buying physical workstations.
(Note: S and TS are shorthand for Secret and Top Secret)
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
As has already been noted:
"The difference between the Russian press and the American press is that in Russia the papers only print the government's lies, whereas here in America we can't get the press to quote its lies accurately."
KFG
Not that making information sharing quite so easy will be good for civil liberties or anything.
-jhp
/. -- the Free Republic of technology.
I consider this an utterly irresponsible attitude for the government and I hope this is not implemented. To wash your hands of it and declare the Internet insecure and not fit for government transfers leaves millions of corporations - who in America provide the national infrastructure to a far greater extent than the government - who need security and reliability online out to dry.
We need a government who is going to say the opposite, that they will spearhead crypto & security research, put pressure on Microsoft and other weak security companies, and lead the way to making the Internet as secure, redundant, and failsafe as possible. *That* would be a service to the nation. Govnet is not.
That's like saying there's a wire that's not bendable.
... give us all a chance).
Okay, let's figure this thing out. Government wants to separate themselves completely from the WWW. This means that they need to lay their own network of wires.
Let's figure out this deductively:
Step #1: Wireless: If they are dumb enough to use satellite communication for networking, all it would take is someone to go driving along in their van with a good enough receiver who knows where a receiver would be along the network, park their van close by, and tap into the mainframe with a large enough receiver. Honestly, there's no way you can completely guard an entire "wireless airspace." If they use hard cable...
Step #2: Cable: My assumption would be that they'd lay cable instead. Alright, no problem. Play the game by the network's rules (just like phreakers did back in the 70s and 80s)...find a line and tap into it. Again, all it would take is for someone to figure out that one of those cables is the GOVNET cable (or someone obtain a map of the GOVNET network...even if it's classified, I'm sure one would leak out eventually). Even if it's out in the middle of the Utah desert, all someone would need is a shack and an electric pole running nearby the cable and he could easily break into the data stream.
Of course, I'm sure that GOVNET would also be using some style of encryption (hopefully...I want to assume that they would hire technicians that are THAT ignorant, but they do pay $1000 for a toilet seat, so who knows what bozos they'll hire). But even so, the point is that once you have some way of tapping into the line itself, you could broadcast it however you like to the surrounding region with a wireless transceiver (heck, go for 802.11b
I probably don't have all my wireless networking tools correct, but the point I'm trying to make still stands out: any network can be physically broken into, since it cannot all be guarded throughout the US. And after it's physically compromised, it's just a matter of time before we see Bush on GOVNET VidConference Viewer v1.0!