Justice lifts applet ban

In a continuing effort to give users access to information via the Web while
protecting government systems from cyberthreats, the Justice Department has set a new
applet use policy that has the approval of the National Security Agency.

Four months after instituting a departmentwide ban on applets because of security
concerns, Justice has lifted the moratorium on most of the script codes. The details of
the new policy were included in a memo from Stephen R. Colgate, assistant attorney general
for administration and Justice’s chief information officer.

The action is part of an effort to control applet security risks and retain the script
codes’ benefits, Colgate said.

The department is launching a campaign to educate users about the dangers associated
with applets. Information technology executives are also requiring a standardized browser
throughout the department.

The department had conducted its own analysis of the business requirements for applets,
and that resulted in the security recommendation, said Linda Burek, Justice’s deputy
CIO. At the same time, the department asked NSA to do an independent analysis.

“For the most part, they agree with our approach,” she said.

In a report released last week, NSA offered recommendations for tailoring browser
settings for additional protection. The recommendations will likely result in additional
guidance, Burek said.

“I think we’ll keep looking at it,” she said.

The department late last year decided to block script codes such as Java, JavaScript
and ActiveX from download via the Internet or e-mail messages [GCN, Jan. 11, Page 1].

The moratorium was part of an overall security campaign. But Justice officials said
users required applets to do their work.

“We had a lot of very valid business requirements to access Java and
JavaScript,” Burek said. “The world is changing out there. Our business needs
are changing as well as the technology. It’s just an ongoing issue.”

One of the most difficult aspects of IT security is finding the proper balance between
functionality and safety, Burek said. The new policy is the result of a re-examination of
that equation.

In the memo, Colgate outlined five steps the department will take to control risk:

“I consider ActiveX to be particularly dangerous,” Colgate said. “Do not
use ActiveX until the IRM Office provides more specific policy and guidance on how to
protect your systems.”

Burek acknowledged that there is no technical way to block only ActiveX scripts, so the
policy will be carried out by educating users. Script codes are security risks because
they may execute on a user’s computer without the user’s knowledge or
intervention, she said.

“It is theoretically possible for [applets] to be launched by unscrupulous
programmers in an attempt to gain access to the information on a computer, collect
information about the user and their Internet habits, or even deny users the use of the
computers by rendering them unavailable,” Colgate said.

Justice officials said there have been no such incidents at the department and that the
ban was proactive.

Former Justice deputy CIO Mark A. Boster recommended the applet ban after the
government-sponsored Computer Emergency Response Team posted an advisory about a security
gap in JavaScript that would let a hacker monitor a Web-browsing session remotely.
