agencies must ditch
Plans or lessons learned that reveal military operations, exercises or
Information on troop movements
Personal data such as Social Security numbers, birth dates, home
addresses and home telephone numbers
Any identifying information about a DOD employees family members
A scramble is under way at Defense Department offices worldwide to remove information
posted on DOD Web sites that might compromise national security or put Defense personnel
The work is at the behest of deputy Defense secretary John Hamre, who issued the Web
site clean-up order in a memo late last month [GCN, Sept. 28, Page 6]. He ordered
sensitive personnel and tactical information removed from Defense and military services
sites within 60 days.
The World Wide Web provides the Defense Department with a powerful tool to convey
information quickly and efficiently on a broad range of topics, Hamre said in a
Sept. 24 memo. At the same time, the Internet may provide our adversaries with a
potent instrument to obtain
information regarding DOD capabilities, infrastructure,
personnel and operational procedures.
Personal information on military personnel is available to the public on the Internet,
including the home addresses of military officials. Sites also often contain diagrams of
military installations, lessons learned from military operations and the goals of Defense
Such information, especially when combined with information from other sources,
increases the vulnerability of DOD systems and may endanger DOD personnel and their
families, Hamre said.
An unsuccessful attack last month against the Pentagons DefenseLink Web site by a
hacker group, in an act supporting the Zapatista rebels in Mexico, has reinforced the
departments determination to safeguard its unclassified sites on the Internet, DOD
The so-called Electronic Disturbance Theater used a hostile Java applet to launch a
denial of service attack against DefenseLink. The department launched an attack applet of
its own against the groups Web site [GCN, Sept. 21, Page 1].
Efforts by DOD organizations to make sweeping use of the Web and Internet technologies
for the exchange of data created an unforeseen security risk, said Arthur Money, the
senior civilian official in the Office of the Assistant Secretary of Defense for Command,
Control, Communications and Intelligence.
Its not a declared competition, but clearly within the military there is a
drive to see whos got the sexiest home page, he said. The problem is
were giving away too much information.
Gen. Henry Shelton, chairman of the Joint Chiefs of Staff, saw the problem firsthand
when his own home was featured on a commercial Web site about historic homes. The site had
the floor plan, Money said at a recent Armed Forces Communications and Electronics
Association luncheon in Washington.
DOD, one of the worlds biggest users of the Internet, is particularly vulnerable
to information warfare, Money said. Connectivity to cyberspace increases DODs
exposure to adversaries such as radical groups and terrorist organizations, he said.
The department uses the Internet for many functions, including on line contracting and
contract administration, finance, electronic commerce and publishing, Hamre said. The new
Web security guidance is not intended to slow DOD Internet use, he said.
Our actions to advance electronic commerce and develop a paper-free acquisition
system will continue at full speed, Hamre said. We will, however, be more
attentive to the security implications of this technology. Security and efficiency can be
achieved at the same time.
Hamre ordered the creation of a task force to develop policies and procedures on Web
use. The group will consider topics associated with DODs use of Web sites, such as
public affairs, acquisition, technology, privacy, legal and security issues. The task
force, which will report to Moneys office, will issue a preliminary guidance by late
The services and Defense agencies must complete a security assessment of all Web sites
three months after the task force issues a final guidance, Hamre said. After that,
agencies must conduct annual assessments.
Hamre also ordered the development of a Web security training program by March.
I believe that these steps will help us to better manage Web information services
to strike the appropriate balance between openness and sound security, Hamre said.
For more information about the security review, visit DODs Web security home page
The inspiration for DODs Web site security review was a briefing entitled
Information and Vulnerabilities given to Hamre and Shelton by the Joint
Staffs Information Assurance Division last year.
The briefing attempted to show how different types of sensitive information posted on
Web sites might be used by adversaries, said William Arkin, author of The U.S. Military
Online: A Directory for Internet Access to the Department of Defense.
He said there is a split within DODs community of webmasters between groups
primarily interested in information dissemination and groups interested in information
In cases where the DOD public affairs apparatus is in charge of the Web sites,
the attitudes about security and the Web are less panic-stricken, said Arkin, an
independent defense analyst and consultant in South Pomfret, Vt.
In cases where the webmasters are dominated by the information warfare types,
such as the Army home page, he said, they seem to have a more panicked view
due to a combination of not understanding the Internet and not having a full appreciation
of the benefits derived from use of the Internet.
Nine out of the 10 cases that the Joint Staff briefing cited as possible scenarios for
exploiting sensitive information found on the Internet were taken from commercial, not
military, Web sites, Arkin said.
I think Hamre and Shelton have been manipulated and taken to the cleaners
here, he said.
During the briefing, Arkin said, officials from the Joint Staff showed how they took
the name of Sheltons son from the generals published biography, tracked him to
a university, found his apartment address and a map to locate it.
If these guys want to communicate to the Bin Ladens of the world that
theyre so scared of them that they cant put their kids names on their
biographies, then that will actually serve as an anti-deterrent role, Arkin said.