The following text is copyright 2004 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.


A controlled access Internet?


By Scott Bradner


George Tenet worries about the Internet. He seems to think that its basic nature and current use present an ongoing threat that the government may have to fix. In his view the threat is such that use of the Internet, or at least the use of some networks, may have to be restricted. To paraphrase a Vietnam-era quote, George seems to want to destroy the Net in order to save it.


On December 1st ex-CIA Director George Tenet spoke on the topic of Democracy and Terrorism at FCW Events' Homeland Security and Information Assurance Conference. Press reports of the speech varied, maybe because most reporters were excluded from his speech. The headlines ranged from a positive "Tenet touts info sharing" in Federal Computer Week to the threatening "Tenet suggests limiting the Internet to approved users" in Internet pamphleteer Dave Farber's Important People list. The main thrust of his talk seems to have been that the most important thing that can be done in the fight against terrorism is to properly share data between the federal government and state and local officials and "to the lowest levels of our society to let them take action."


But to share data this way requires a trustworthy network and Tenet does not think that the Internet qualifies as a trustworthy network.  He is both right and wrong. 


Part of the trustworthiness Tenet is worried about is that of the Internet infrastructure itself.  That could be better, and it is (slowly) getting better. 


Tenet wishes there were a useful public key infrastructure (PKI) but, as he points out, setting up a national or international PKI is "a daunting task" and one that I do not think will be done anytime soon. And maybe that is for the best, considering the two-edged sword nature of a PKI in that it makes anonymity very hard. You may not desire anonymity for a terrorist but you might find it quite important if you needed to contact an AIDS support center or if you were a whistleblower or undercover police officer. I expect that an application-specific PKI just for the information exchange function is a lot more likely to be deployable and would have fewer negative side effects.


Tenet would like industry to lead the way by "establishing and enforcing" security standards and by delivering products with a higher level of built-in security. That would help, it would help a lot, but it is nowhere near enough. The people who put data onto the Internet need to get some clue about security. California is currently in the process of notifying 1.4 million people that their private data may have been compromised because data that had no business being anywhere near the Internet was on an Internet-connected machine.


Tenet said that if the Internet could not be made secure then maybe the government would have to build separate networks for things like information distribution. There are many reasons why this is an expensive and generally pointless exercise, some of which I talked about more than 3 years ago.


Tenet's comment that access to the Internet might need to be limited to people who can show they take security seriously led to the scare headline in Farber's posting. An attention-grabbing headline, but as likely to happen as limiting access to the phone network to those who promise to not talk about anti-US activities. And, sadly, about as likely to happen as people not putting data that should not be public in a public place such as on the Internet.


disclaimer: Harvard gets its share of attention-grabbing headlines, mostly good, but I did not talk to anyone at the University about this particular one so the above is my own ramble.