In government, there’s always a long way between rhetoric and reality. And, in the case of inter-departmental communications at least, somewhere in between there’s FedLink.
Conceived in grand style as part of John Howard’s Investing for Growth plan back in December 1997 — when e-government was new and everybody wanted to be seen to be getting online — FedLink was originally envisioned as a secure intranet running over a proprietary IP-based telecommunications network that would allow government departments to communicate with each other using open standards.
What began with a bang, however, quickly bogged down as technical, administrative and political realities set in. FedLink’s history since then has been one of repeatedly reduced expectations and snail’s-pace progress as departmental CIOs try to balance their inherent scepticism with the idea that FedLink could actually be important to their long-term communications strategies.
In the majority of cases, the conclusion those CIOs have reached has been that FedLink is still far from mission critical. Despite widespread publicity of FedLink’s aims and its offerings, as of mid-April only 16 agencies had been hooked up, and two more were about to go online. A further dozen agencies were beginning the process of connecting to FedLink, which requires that they comply with minimum security standards set by the Department of Defence, which is chairing the FedLink steering committee.
That’s a total of around 30 prospective customers for FedLink — and that’s a far cry from the 120 potential users that were once breathlessly discussed as likely endpoints. More telling still is the fact that of 16 users currently online, 13 were already using the network back in 1999 during what the government was terming FedLink’s “pilot phase”. That means just three more agencies have come online with FedLink in the past three years — a dismal take-up rate by any standard. Even those organisations that are coming online, are taking their time. The Office of the Commonwealth Ombudsman, for example, has been upgrading its firewall to meet minimum FedLink security standards and at the time of writing is about to go online with FedLink. For its part, the Australian Electoral Commission will join FedLink later this year, once CSC — the company to which the AEC and other Cluster 3 agencies outsource their IT — has met FedLink connectivity requirements.
Slow to Connect
While FedLink has proven technically viable — its virtual private network (VPN)-based infrastructure is being successfully managed by Canberra service provider 90East and is working as designed — the lack of enthusiasm amongst Commonwealth agencies has severely hampered its overall usefulness. The value of FedLink, after all, was based on its ability to lower the cost — and improve the incidence of — whole-of-government information management by providing standardised interfaces between departments and agencies.
By definition, then, its value increases exponentially according to the number of connected organisations. But with just 16 agencies online, that value is still far from what was originally envisioned. Concerns over the security of Internet-based VPNs, a preponderance of competing solutions from commercial carriers, and a determination by many CIOs that FedLink just isn’t necessary have all damaged its long-term appeal.
Few Commonwealth departments have been willing to share their thoughts about FedLink. Those contacted by CIO Government all referred enquiries about FedLink to the National Office for the Information Economy, which added FedLink to its portfolio after the consolidation of NOIE and the previously separate Office of Government Online (previously known as the Office of Government Information Technology (OGIT), which oversaw the early stages of the FedLink project).
Yet even NOIE is being careful in discussing FedLink, declining to provide a list of exactly what departments have even been connected. The only forum for airing perspectives on the network’s success has been public inquiries such as the hearings held on 1 April by the Senate Joint Committee of Public Accounts and Audit, which is overseeing an ongoing inquiry into the management and integrity of electronic information within the Commonwealth government.
During the hearings, John Grant, chief general manager of NOIE’s Government Services and Information Environment Group, expressed NOIE’s disappointment with FedLink’s progress. “The rollout of FedLink has been a little bit slower than we might have expected, because agencies have to get their internal processes in place,” he testified. “The technology is there but the processes are not. It is not an easy thing to do and it is not an inexpensive thing to do. That is what agencies learnt as they went through the process of reviewing their progress.”
High costs should, in theory, never have been an issue for FedLink users: the system, after all, was designed and marketed as a way for agencies to reduce their communications costs by leveraging the Internet.
It’s not clear, however, just how much of a cost burden FedLink actually imposes on participating agencies. During his Senate testimony, Peter LeRoy, general manager of the Information and Knowledge Services group within the Attorney-General’s Department, said the department had undergone the process of getting certified for FedLink and found the cost minimal: “I forget the exact figure of the cost to us, but it was negligible,” he said.
This seemingly contradicts Grant’s assertion that cost and complexity are hindering adoption of FedLink. Rather, it appears that other, far more endemic issues — apathy, scepticism and political mechanisms — are at play.
Playing Technical Catch-Up
Whatever the reasons, the lack of take-up so far should not detract from the elegance of the FedLink solution. Conceived in a time when most discussions about the Internet still included questions about its security, the idea that government departments could potentially utilise the Internet for communicating important information was revolutionary for its time.
Making that happen required a number of attempts, due largely in part to the fact that fast-evolving VPN technology provided a moving target that proved hard to hit for technological developers. In 1997 and 1998, VPN solutions were largely proprietary and IPSec (Secure IP), the standard upon which FedLink and other VPN technologies are based, was still working its way through standards committees.
The lack of consistent VPN standards meant that FedLink, in its initial conception, would struggle to be as open as it was intended. Overcoming this problem proved to be a considerable task — so much so that it was the better part of two years before the government was able to finish its early trial and actually award a contract to supply FedLink technology. In July 2001, that contract was awarded to 90East, which was tasked with the challenge of delivering a managed VPN infrastructure to interconnect FedLink users.
90East’s solution delivers on that task by using Cisco Systems switches to create a network of intermeshed VPNs, each created and managed using IPSec. VeriSign Australia backs the encryption of IPSec with the ability to authenticate connected routers — introducing a level of nonrepudiation that’s critical for the carriage of potentially sensitive data. The meshed VPN reflects a marked departure from the common practice of deploying VPNs in a point-to-point manner, where a central hub manages connections to myriad spokes. That approach is typical in companies where VPNs are used for remote access by teleworkers. FedLink’s meshed design eliminates reliance on this central distribution point, providing more direct connections and a more reliable infrastructure overall.
“We have people staffing our facilities 24x7 to ensure that the mesh is maintained,” says David Youll, CEO of 90East, who says the network’s design has delivered good performance even though it’s based on the unpredictable Internet at large. “Tunnels are created and dropped through an automatic process, and every time we initiate a session we use a fresh set of keys. It’s transparent to users, and performance has proven to be fine. On the Internet, there are potential quality of service issues, but we haven’t seen those yet.”
Although it proved technically viable, many agencies were invariably waiting to commit to FedLink until its security and usefulness could be proven. Perhaps to increase its appeal to hesitant customers, NOIE pushed FedLink into assessment by the Defence Signals Directorate (DSD), which assessed the underlying technology against the European Common Criteria security standards and certified it as compliant this past January.
DSD certification was seen as a big boost for FedLink’s viability, but in reality its appeal may well prove to be limited. That’s because departments must also meet minimum security criteria in order to participate in FedLink — and that costs money. More to the point, departments will struggle to justify investing in the processes necessary to ensure FedLink compliance when the steady pace of progress now means they can get similar VPN services from a variety of other sources.
Indeed, throughout the development cycle of FedLink, VPN technology has become so commoditised that implementing unbreakable VPNs is now possible by installing any of a large number of VPN appliances. More relevant for government departments, Telstra, Optus and a host of other telecommunications providers offer managed VPN services at high enough volumes that they can eliminate some of the appeal of FedLink.
Even ICON (Intra-government Communications Network), the long-running government network that runs fibre across Canberra’s government precinct, has proved to be stepping on FedLink’s toes, with many agencies choosing to connect using ICON rather than bothering to buy into FedLink’s vision.
FedLink “has been successful in those agencies where it’s been deployed”, says Steve Alford, the general manager of governance and policy with NOIE. “Agencies are quite happy with the product. But the marketplace for solutions is broader than it was back when FedLink was conceptualised, and the requirement is not that they use FedLink but that they use [any approved] product that can give equal or better performance.”
While the lack of a mandate to adopt FedLink has allowed many Commonwealth agencies to take their time in getting connected, its performance has been an issue for others. CSIRO, for example, has been one of the loudest critics of FedLink’s technology. In its submission to the Senate inquiry, CSIRO noted that the fact FedLink is based on the public Internet limits its speed — and, therefore, its utility in high-performance niche applications.
“Unfortunately, because of the wide-area bandwidth requirements (currently up to 10[Gbps]), CSIRO is not able to use these services,” the submission noted. “CSIRO has a greater need for encryption with its national and international collaborators and it can be restrictive and difficult for CSIRO’s customers to understand the need to use products endorsed on the Defence Signals Directorate Evaluated Product List.”
In other words, already security-aware CSIRO will continue choosing solutions based on its own needs and not those dictated by anybody else. This is hardly an indictment of CSIRO — it’s hard to argue that over-reaching technology initiatives should compromise individual agencies’ ability to deliver — but rather an indication of the challenges that FedLink continues to face. Without the support of major government bodies, any initiative of the scope and ambition of FedLink will struggle to succeed.
As individual Commonwealth agencies continue to assess FedLink’s suitability, it’s likely that more will trickle onto the network over time. But the sluggish response so far, even in the wake of the network’s DSD certification, suggest that FedLink will struggle to become anything like the whole-of-government intranet it was originally envisioned to become.
Geoff Johnson, vice president and research director with Gartner Pacific, knew it was coming when the FedLink pilot program stretched out to two years. “When they say the network is on trial, it’s a euphemism for saying there’s been a lot of negative reaction from other agencies,” he says. “In government nobody loves a central agency; they’re all treated with a healthy amount of disdain because business units want to operate autonomously.”
And that, it’s clear, will be the biggest challenge for FedLink as it moves forward. And it will move forward: the persistence of NOIE, and the recognition that FedLink’s underlying value proposition is sound, may help the project escape the budget axe in the near future. But its current incarnation is just a shell of what it was once hoped to become.
In many ways, FedLink has been a victim of its own simplicity: the fact it was built around commoditised Internet connectivity and VPNs that are now simple to install or purchase, has exposed the project to competition in a market that’s virtually exploded in the time since FedLink was conceived. Alford, for one, believes FedLink “is still a leading edge product, very capable in its niche”, offering competitive pricing that will help it fend off the assault from alternative VPN providers.
Even Gartner’s Johnson agrees FedLink is likely to persist in some form. “I think it’s an understanding about behaviour that will determine the future of [FedLink],” he says. “For something as fundamental as networks that deliver critical services, you’d imagine there would be a role for it. The only question is which agencies will end up doing their own things.”
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.