Defense wipes sensitive data from its Web sites

What DOD agencies must ditch


Plans or lessons learned that reveal military operations, exercises or
vulnerabilities


Information on troop movements


Personal data such as Social Security numbers, birth dates, home
addresses and home telephone numbers


Any identifying information about a DOD employee’s family members


A scramble is under way at Defense Department offices worldwide to remove information
posted on DOD Web sites that might compromise national security or put Defense personnel
at risk.


The work is at the behest of deputy Defense secretary John Hamre, who issued the Web
site clean-up order in a memo late last month [GCN, Sept. 28, Page 6]. He ordered
sensitive personnel and tactical information removed from Defense and military services
sites within 60 days.


“The World Wide Web provides the Defense Department with a powerful tool to convey
information quickly and efficiently on a broad range of topics,” Hamre said in a
Sept. 24 memo. “At the same time, the Internet may provide our adversaries with a
potent instrument to obtain … information regarding DOD capabilities, infrastructure,
personnel and operational procedures.”


Personal information on military personnel is available to the public on the Internet,
including the home addresses of military officials. Sites also often contain diagrams of
military installations, lessons learned from military operations and the goals of Defense
R&D efforts.


“Such information, especially when combined with information from other sources,
increases the vulnerability of DOD systems and may endanger DOD personnel and their
families,” Hamre said.


An unsuccessful attack last month against the Pentagon’s DefenseLink Web site by a
hacker group, in an act supporting the Zapatista rebels in Mexico, has reinforced the
department’s determination to safeguard its unclassified sites on the Internet, DOD
officials said.


The so-called Electronic Disturbance Theater used a hostile Java applet to launch a
denial of service attack against DefenseLink. The department launched an attack applet of
its own against the group’s Web site [GCN, Sept. 21, Page 1].


Efforts by DOD organizations to make sweeping use of the Web and Internet technologies
for the exchange of data created an unforeseen security risk, said Arthur Money, the
senior civilian official in the Office of the Assistant Secretary of Defense for Command,
Control, Communications and Intelligence.


“It’s not a declared competition, but clearly within the military there is a
drive to see who’s got the sexiest home page,” he said. “The problem is
we’re giving away too much information.”


Gen. Henry Shelton, chairman of the Joint Chiefs of Staff, saw the problem firsthand
when his own home was featured on a commercial Web site about historic homes. The site had
the floor plan, Money said at a recent Armed Forces Communications and Electronics
Association luncheon in Washington.


DOD, one of the world’s biggest users of the Internet, is particularly vulnerable
to information warfare, Money said. Connectivity to cyberspace increases DOD’s
exposure to adversaries such as radical groups and terrorist organizations, he said.


The department uses the Internet for many functions, including online contracting and
contract administration, finance, electronic commerce and publishing, Hamre said. The new
Web security guidance is not intended to slow DOD Internet use, he said.


“Our actions to advance electronic commerce and develop a paper-free acquisition
system will continue at full speed,” Hamre said. “We will, however, be more
attentive to the security implications of this technology. Security and efficiency can be
achieved at the same time.”


Hamre ordered the creation of a task force to develop policies and procedures on Web
use. The group will consider topics associated with DOD’s use of Web sites, such as
public affairs, acquisition, technology, privacy, legal and security issues. The task
force, which will report to Money’s office, will issue a preliminary guidance by late
next month.


The services and Defense agencies must complete a security assessment of all Web sites
three months after the task force issues a final guidance, Hamre said. After that,
agencies must conduct annual assessments.


Hamre also ordered the development of a Web security training program by March.


“I believe that these steps will help us to better manage Web information services
to strike the appropriate balance between openness and sound security,” Hamre said.


For more information about the security review, visit DOD’s Web security home page
at http://websecurity.afis.osd.mil.


The inspiration for DOD’s Web site security review was a briefing entitled
“Information and Vulnerabilities” given to Hamre and Shelton by the Joint
Staff’s Information Assurance Division last year.


The briefing attempted to show how different types of sensitive information posted on
Web sites might be used by adversaries, said William Arkin, author of The U.S. Military
Online: A Directory for Internet Access to the Department of Defense.


He said there is a split within DOD’s community of webmasters between groups
primarily interested in information dissemination and groups interested in information
warfare.


“In cases where the DOD public affairs apparatus is in charge of the Web sites,
the attitudes about security and the Web are less panic-stricken,” said Arkin, an
independent defense analyst and consultant in South Pomfret, Vt.


“In cases where the webmasters are dominated by the information warfare types,
such as the Army home page,” he said, “they seem to have a more panicked view
due to a combination of not understanding the Internet and not having a full appreciation
of the benefits derived from use of the Internet.”


Nine out of the 10 cases that the Joint Staff briefing cited as possible scenarios for
exploiting sensitive information found on the Internet were taken from commercial, not
military, Web sites, Arkin said.


“I think Hamre and Shelton have been manipulated and taken to the cleaners
here,” he said.


During the briefing, Arkin said, officials from the Joint Staff showed how they took
the name of Shelton’s son from the general’s published biography, tracked him to
a university, found his apartment address and a map to locate it.


“If these guys want to communicate to the Bin Ladens of the world that
they’re so scared of them that they can’t put their kids’ names on their
biographies, then that will actually serve as an anti-deterrent role,” Arkin said.
   
