In the fine print of the Bush administration's recently released cybersecurity strategy is the stark admission that three critical components of the Internet's infrastructure are highly vulnerable to a variety of attacks.
The three troublesome components underpin all Internet communications. They are: IP; DNS, which matches lengthy, numeric IP addresses to simple names for Web and e-mail traffic; and Border Gateway Protocol (BGP), which controls interdomain routing between carriers.
All three lack a means of authenticating communications. Although the Internet engineering community has spent more than a decade trying to retrofit these protocols with encryption and digital signatures, the security fixes aren't widely used by ISPs or their corporate customers because of the high cost and management overhead involved.
"We've been trying to push security into these protocols for years, but we've gotten no involvement from the operational side of ISPs or enterprises," says Russ Mundy, manager of network security research at Network Associates Laboratories. Now that the security offerings for these protocols are done or close to being done, the ISPs and other potential customers claim the offerings aren't practical or affordable, he says.
The problem is that the fixes - known as IP Security, DNS Security and Secure BGP - are too complex and too expensive for ISPs and companies to deploy. The protocols require hardware and software upgrades to handle the assignment, management and processing of keys, signatures and certificates, as well as additional operator support.
Given today's economic climate, ISPs and domain name registries aren't willing to spend millions of dollars on upgrades when their corporate customers aren't demanding additional security measures. Because none of the Internet's infrastructure players has deployed the secure versions of these protocols, there's no market pressure to upgrade.
It's the classic chicken-and-egg dilemma, and the Bush administration's cybersecurity strategy offers only the possibility of additional federal research dollars in the fiscal 2004 budget. Even with stronger government support, experts say it will take two to five years to deploy these fixes across enough of the Internet infrastructure to eliminate much of the threat.