Internet Inventor Criticizes White House Cybersecurity Plan

One of the Internet's "founding fathers" criticized the Bush administration's plan for insuring the safety of companies' computer networks, saying it requires too much from technology firms.

Vinton G. Cerf, senior vice president of Internet architecture and technology at WorldCom, Inc., and one of the co-inventors of the communications technologies used to run the Internet, told a group of technology executives Wednesday that he didn't think much of the White House's plan to require software vendors to force businesses to install "patches" — or software fixes — when they fail to do so on their own.

Last week, Cybersecurity czar Richard Clarke told technology executives that it was "not beyond the wit of this industry to force patches down" to users.

But Cerf said it's unlikely such a scheme would work. "Some people have suggested we push out patches a lot more. It's an attractive idea, but I don't know how we go about making it work," Cerf said.

Speaking at a computer-security conference organized by the Information Technology Association of America and Computer Sciences Corp., Cerf said it's nearly impossible to develop a patch that works for all the world's network configurations. Another problem that arises is that a vendor's poorly written patch could disrupt a company's operations if it is not extensively tested to be sure it is compatible with all the company's other software.

A better solution would be for software companies to make sure their products aren't vulnerable to exploitation from those who would use computers as a weapon.

"The people who build the software don't seem to be paying attention to how these things can be abused," Cerf said.

Some of the Internet's most-damaging attacks, including those from the virus-like Code Red and Nimda programs, exploited flaws in software from Microsoft that had been discovered weeks or months earlier. Although only computers where users did not install the patches were attacked, resulting congestion affected parts of the Internet more broadly.

Cerf was also skeptical of a White House-backed plan to build an ultra-secure, private computer network for government agencies and their key partners, called "Govnet" that Clarke proposed last year while serving as the national coordinator for security, infrastructure protection and counter-terrorism on the National Security Council.

Govnet would be physically separate from the Internet — with no way to exchange e-mails or files with outsiders — to maintain security and protect it from hackers, viruses and other online threats, but would also be limited in its functionality.

Cerf said he foresees terrible consequences from Govnet users illegally connecting laptops or other computers for their convenience, or from transferring information on floppy disks between Govnet and public computers.

Although some U.S. classified computer networks are physically separate from the Internet and other public networks, viruses and other malicious software is occasionally discovered on them.

Clarke announced eight weeks ago that the administration would begin working on Govnet.

The Associated Press contributed to this report.