Justice lifts applet ban

In a continuing effort to give users access to information via the Web while
protecting government systems from cyberthreats, the Justice Department has set a new
applet use policy that has the approval of the National Security Agency.

Four months after instituting a departmentwide ban on applets because of security
concerns, Justice has lifted the moratorium on most of the script codes. The details of
the new policy were included in a memo from Stephen R. Colgate, assistant attorney general
for administration and Justice’s chief information officer.

The action is part of an effort to control applet security risks and retain the script
codes’ benefits, Colgate said.

The department is launching a campaign to educate users about the dangers associated
with applets. Information technology executives are also requiring a standardized browser
throughout the department.

The department had conducted its own analysis of the business requirements for applets,
and that resulted in the security recommendation, said Linda Burek, Justice’s dep-uty
CIO. At the same time, the department asked NSA to do an independent analysis.

“For the most part, they agree with our approach,” she said.

In a report released last week, NSA of-fered recommendations for tailoring browser
settings for additional protection. The recommendations will likely result in additional
guidance, Burek said.

“I think we’ll keep looking at it,” she said.

The department late last year decided to block script codes such as Java, JavaScript
and ActiveX from download via the Internet or e-mail messages [GCN, Jan. 11, Page 1].

The moratorium was part of an overall security campaign. But Justice officials said
users required applets to do their work.

“We had a lot of very valid business requirements to access Java and
JavaScript,” Burek said. “The world is changing out there. Our business needs
are changing as well as the technology. It’s just an ongoing issue.”

One of the most difficult aspects of IT security is finding the proper balance between
functionality and safety, Burek said. The new policy is the result of a re-examination of
that equation.

In the memo, Colgate outlined five steps the department will take to control risk:

“I consider ActiveX to be particularly dangerous,” Colgate said. “Do not
use ActiveX until the IRM Office provides more specific policy and guidance on how to
protect your systems.”

Burek acknowledged that there is no technical way to block only ActiveX scripts, so the
policy will be carried out by educating users. Script codes are security risks because
they may execute on a user’s computer without the user’s knowledge or
intervention, she said.

“It is theoretically possible for [applets] to be launched by unscrupulous
programmers in an attempt to gain access to the information on a computer, collect
information about the user and their Internet habits, or even deny users the use of the
computers by rendering them unavailable,” Colgate said.

Justice officials said there have been no such incidents at the department and that the
ban was proactive.

Former Justice deputy CIO Mark A. Boster recommended the applet ban after the
government-sponsored Computer Emergency Response Team posted an advisory about a security
gap that would let a hacker invade JavaScript to monitor a Web-browsing session remotely.


  • senior center (vuqarali/Shutterstock.com)

    Bmore Responsive: Home-grown emergency response coordination 

    Working with the local Code for America brigade, Baltimore’s Health Department built a new contact management system that saves hundreds of hours when checking in on senior care centers during emergencies.

  • man checking phone in the dark (Maridav/Shutterstock.com)

    AI-based ‘listening’ helps VA monitor vets’ mental health

    To better monitor veterans’ mental health, especially during the pandemic, the Department of Veterans Affairs is relying on data and artificial intelligence-based analytics.

Stay Connected