DOD puts commanders in charge of Web sites

The Defense Department last month released a new Web site policy designed to safeguard
sensitive information posted on the Internet by making commanders responsible for the
content of their organizations’ sites.


Commanders, not webmasters, will have final authority on establishing and maintaining
unclassified DOD Web sites with tight security controls and information that matches their
organizational missions, Defense officials said.


“We fundamentally look at this as a command responsibility,” said Bill
Leonard, security programs director in the Office of the Assistant Secretary of Defense
for Command, Control, Communications and Intelligence. “The first and foremost
directive to commanders is that they need to have a strategy for utilizing the Web.”


A multiservice task force, headed by Leonard, developed the new policy. The group was
formed in response to a Sept. 24 memo from deputy Defense secretary John Hamre that
ordered DOD agencies and the services to scrub their Web sites of information that might
compromise national security or put military personnel at risk.


“DOD is committed to maximizing the availability of timely and accurate Defense
information to the public as well as maintaining a framework for our use of Internet-based
technologies,” Hamre said in a Dec. 7 memo accompanying the new policy. “At the
same time, we must be continually mindful of our responsibility to protect our most
precious resource: our men and women who serve this nation and their families.”


But critics of the Defense Web policy say that DOD’s drive to sanitize and curtail
the information it provides the public in cyberspace is misguided, undermining the
positive aspects of the Internet.


“Hamre has set himself up to be the protector of information, which is at odds
with the objectives of the Defense Reform Initiative and good use of the Internet,”
said William Arkin, author of The U.S. Military Online: A Directory for Internet Access to
the Department of Defense.


DOD’s line-by-line approach to reviewing sensitive, unclassified information on
its Web sites is untenable, Arkin said. Defense maintains close to 3,000 Web sites with
about 1.5 million pages, excluding backup databases, he said.


“What Hamre is doing here is the equivalent of classifying information,” he
said. “If anyone follows this policy to the letter, it could lead to some absurd
results. Good commanders will have good Web sites and be able to see through the argument
that if it’s ectronic, it’s secret, and if it’s on paper, it’s
not.”


The goal of the new policy is not to start eliminating DOD Web sites, Leonard said.


“We would be pleased to see more,” he said. “We want Web technology to
become ubiquitous throughout the department for the rapid and effective dissemination of
information. But if the target audience for some DOD Web sites is strictly Defense
personnel, these sites will fall behind a curtain of security and access controls.”


Defense Web site regulations in the past applied to information that was classified,
sensitive or otherwise not cleared for public release. The new policy broadens the
restrictions to include information that could be a security risk if released over the
Internet.


Leonard said the policy, which had been informal and lacked details about technical
security and data sensitivity, is intended to fill those voids. Under the new policy,
Defense agencies may not post for-official-use-only information or information not cleared
for public release unless they use security and access controls.


At least 75 percent of the information posted on DOD Web sites is intended for internal
consumption, but some of it is probably better suited for DOD intranets or
password-protected sites, Leonard said.


Defense officials are concerned that with today’s powerful search engines and
advanced data-mining techniques, someone could string together pieces of sensitive and
even classified information gathered from DOD sites. So, in March, DOD will begin using
Reserve components to assess security for Defense Web sites.


Commanders will conduct a detailed scrub of their Web sites by March using the new
policy as a guideline, Leonard said. The Reserves will then review DOD sites to make sure
they conform to the policy, he said.


The Office of the Assistant Secretary of Defense for Public Affairs will continue to
operate and maintain DefenseLink as the primary gateway to DOD data on the Web, the policy
said. DOD sites must register with DefenseLink or their service component.


The public affairs office will set up a central Web site registration system that meets
the requirements for the Government Information Locator Service, an initiative mandated by
the Office of Management and Budget to inform the public where data can be found. Defense
agencies and the services will also create central registration systems that meet GILS
requirements and are integrated with DefenseLink.


The new policy is posted at http://www.defenselink.mil/admin/dod_web_policy_12071998.pdf.

inside gcn

  • artificial intelligence (vs148/Shutterstock.com)

    Government leans into machine learning

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above