Defense wipes sensitive data from its Web sites

 



What DOD agencies must ditch:

Plans or lessons learned that reveal military operations, exercises or vulnerabilities

Information on troop movements

Personal data such as Social Security numbers, birth dates, home addresses and home telephone numbers

Any identifying information about a DOD employee’s family members


A scramble is under way at Defense Department offices worldwide to remove information
posted on DOD Web sites that might compromise national security or put Defense personnel
at risk.


The work is at the behest of deputy Defense secretary John Hamre, who issued the Web
site clean-up order in a memo late last month [GCN, Sept. 28, Page 6]. He ordered
sensitive personnel and tactical information removed from Defense and military services
sites within 60 days.


“The World Wide Web provides the Defense Department with a powerful tool to convey
information quickly and efficiently on a broad range of topics,” Hamre said in a
Sept. 24 memo. “At the same time, the Internet may provide our adversaries with a
potent instrument to obtain … information regarding DOD capabilities, infrastructure,
personnel and operational procedures.”


Personal information on military personnel is available to the public on the Internet,
including the home addresses of military officials. Sites also often contain diagrams of
military installations, lessons learned from military operations and the goals of Defense
R&D efforts.


“Such information, especially when combined with information from other sources,
increases the vulnerability of DOD systems and may endanger DOD personnel and their
families,” Hamre said.


An unsuccessful attack last month against the Pentagon’s DefenseLink Web site by a
hacker group, in an act supporting the Zapatista rebels in Mexico, has reinforced the
department’s determination to safeguard its unclassified sites on the Internet, DOD
officials said.


The so-called Electronic Disturbance Theater used a hostile Java applet to launch a
denial of service attack against DefenseLink. The department launched an attack applet of
its own against the group’s Web site [GCN, Sept. 21, Page 1].


Efforts by DOD organizations to make sweeping use of the Web and Internet technologies
for the exchange of data created an unforeseen security risk, said Arthur Money, the
senior civilian official in the Office of the Assistant Secretary of Defense for Command,
Control, Communications and Intelligence.


“It’s not a declared competition, but clearly within the military there is a
drive to see who’s got the sexiest home page,” he said. “The problem is
we’re giving away too much information.”


Gen. Henry Shelton, chairman of the Joint Chiefs of Staff, saw the problem firsthand
when his own home was featured on a commercial Web site about historic homes. The site had
the floor plan, Money said at a recent Armed Forces Communications and Electronics
Association luncheon in Washington.


DOD, one of the world’s biggest users of the Internet, is particularly vulnerable
to information warfare, Money said. Connectivity to cyberspace increases DOD’s
exposure to adversaries such as radical groups and terrorist organizations, he said.


The department uses the Internet for many functions, including online contracting and
contract administration, finance, electronic commerce and publishing, Hamre said. The new
Web security guidance is not intended to slow DOD Internet use, he said.


“Our actions to advance electronic commerce and develop a paper-free acquisition
system will continue at full speed,” Hamre said. “We will, however, be more
attentive to the security implications of this technology. Security and efficiency can be
achieved at the same time.”


Hamre ordered the creation of a task force to develop policies and procedures on Web
use. The group will consider topics associated with DOD’s use of Web sites, such as
public affairs, acquisition, technology, privacy, legal and security issues. The task
force, which will report to Money’s office, will issue a preliminary guidance by late
next month.


The services and Defense agencies must complete a security assessment of all Web sites
three months after the task force issues a final guidance, Hamre said. After that,
agencies must conduct annual assessments.


Hamre also ordered the development of a Web security training program by March.


“I believe that these steps will help us to better manage Web information services
to strike the appropriate balance between openness and sound security,” Hamre said.


For more information about the security review, visit DOD’s Web security home page
at http://websecurity.afis.osd.mil.


The inspiration for DOD’s Web site security review was a briefing entitled
“Information and Vulnerabilities” given to Hamre and Shelton by the Joint
Staff’s Information Assurance Division last year.


The briefing attempted to show how different types of sensitive information posted on
Web sites might be used by adversaries, said William Arkin, author of The U.S. Military
Online: A Directory for Internet Access to the Department of Defense.


He said there is a split within DOD’s community of webmasters between groups
primarily interested in information dissemination and groups interested in information
warfare.


“In cases where the DOD public affairs apparatus is in charge of the Web sites,
the attitudes about security and the Web are less panic-stricken,” said Arkin, an
independent defense analyst and consultant in South Pomfret, Vt.


“In cases where the webmasters are dominated by the information warfare types,
such as the Army home page,” he said, “they seem to have a more panicked view
due to a combination of not understanding the Internet and not having a full appreciation
of the benefits derived from use of the Internet.”


Nine out of the 10 cases that the Joint Staff briefing cited as possible scenarios for
exploiting sensitive information found on the Internet were taken from commercial, not
military, Web sites, Arkin said.


“I think Hamre and Shelton have been manipulated and taken to the cleaners
here,” he said.


During the briefing, Arkin said, officials from the Joint Staff showed how they took
the name of Shelton’s son from the general’s published biography, tracked him to
a university, found his apartment address and a map to locate it.


“If these guys want to communicate to the Bin Ladens of the world that
they’re so scared of them that they can’t put their kids’ names on their
biographies, then that will actually serve as an anti-deterrent role,” Arkin said.
   
