(fwd) Pentagon Reassesses Web Site Security

Sue J. Worden (worden@uts.cc.utexas.edu)
Mon, 22 Feb 1999 08:11:17 -0600 (CST)

This may have some bearing on the OIG situation.

--Sue Worden (worden@uts.cc.utexas.edu)


> ************************************************************************** 
> Date: Fri, 19 Feb 1999 07:22:21 -0800 (PST)
> From: HPCwire <hpcwire@tgc.com>
> Subject: 14829 PENTAGON REASSESSES WEB SITE SECURITY   02.19.99

> PENTAGON REASSESSES WEB SITE SECURITY                              02.19.99
> FEATURES AND COMMENTARY                                             HPCwire
> ===========================================================================

>   Washington, DC -- As The Associated Press reported, The chairman of the
> Joint Chiefs of Staff looked on as Pentagon's brightest techies clicked away
> at their laptops and showed how would-be terrorists could find his son's
> home address.

>   Army Gen. Henry Shelton then got a demonstration of how a skilled
> adversary might combine publicly available biographies and contractor
> information on military Web sites with a few well-placed phone calls to pin
> down the dates of highly classified nuclear exercises.

>   The classified briefing, held in Shelton's Pentagon office, was then given
> to other generals and admirals as well as senior civilians, generating a
> momentum that has led the military to order a massive scrub of its massive
> network of Internet sites.

>   Deputy Defense Secretary John Hamre said military Web sites offered
> adversaries "a potent instrument to obtain, correlate and evaluate an
> unprecedented volume of aggregated information" that could, when combined
> with other sources of information, "endanger Department of Defense personnel
> and their families."

>   Instituted Dec. 7, the policy change has set off a debate as some critics
> argue the Pentagon went too far in restricting the information it makes
> public on the Internet.

>   In response, defense and national security officials have become more open
> to discussion, on condition of not being identified by name, the nature of
> the risk their detailed review of military Web sites revealed.

>   "There was information that was potentially tactically useful to an
> adversary, the kind of thing where if someone really wanted to do harm to
> your personnel, it could facilitate them in undertaking an attack," said one
> senior defense official working on Internet security issues. Another
> national security official called the briefings "eye-openers" that startled
> commanders.

>   The briefings stemmed from work done in 1997 and 1998 by Pentagon "red
> teams," a term associated with a notional enemy force in war games. Team
> members tried to learn how much mischief they could do by skillfully
> scanning military Web sites, without any sophisticated hacking. They showed
> Shelton, himself a former special operations specialist, how his own
> biography posted on a military Web site combined with non-military databases
> could quickly lead a terrorist to the home address of one of his sons living
> in Florida.

>   The red teams found detailed maps and aerial photographs of military
> installations that would help anyone planning a strike or a terrorist
> action. These were the kinds of pictures, one senior official noted
> ruefully, that the United States spent billions to get during the Cold War
> through its spy satellite network. Now the United States was giving such
> imagery away for free on the Internet.

>   Senior officers were particularly concerned when one of the red teams was
> able to combine a variety of data and make highly accurate estimates about
> the timing of nuclear weapons drills, exercises and readiness checks,
> according to two senior national security officials familiar with the
> briefings.

>   Biographies of individual commanders of units likely to be involved in
> such operations combined with phone calls to those commanders' bases yielded
> information about temporary duty assignments in Nevada at installations
> involved in nuclear weapons handling. Military Web sites containing
> contractor information, particularly formal requests for bids to supply
> particular security equipment, helped further hone this detective work,
> according to the officials.

>   Cleaning the military Web sites of potentially dangerous information has
> proved a monumental task. Bill Leonard, a top Pentagon information security
> official, said the military was unsure initially how many Web sites it had,
> and even today can only provide an estimate. For a time, the Army completely
> closed off access to its 1,000 Web sites. Now back on line, the Army's Web
> sites have been substantially trimmed, as have those of the other services.
> Entire Internet addresses have been put off limits, with the terse message
> on the computer screen that information previously available has been
> removed for security reasons.

>   However, some think the scrub of military Web sites has gone too far.

>   "This is a wartime information policy," said John Pike of the Federation
> of American Scientists, a Washington-based research group that follows
> military and intelligence matters. "All kinds of program information is
> being withdrawn. Almost anything that discloses what an agency actually
> does, beyond a brief mission statement, is going away."

>   The Federation is pursuing release of some of the deleted information
> under the Freedom of Information Act. In its filing with the Pentagon's
> security review office, the Federation said anything released as a result of
> the complaint should come in electronic form so the Federation can post the
> information on its Web site.

>   To date, the Pentagon cannot point to a specific incident where
> information posted on a military Web site resulted in harm to U.S. national
> security.

>   "The menacing scenarios have remained just that -- only scenarios,"
> according to George Smith, editor of The Crypt Newsletter, an online
> publication dealing with computer security.

>   But the Pentagon says it has solid electronic evidence that foreign
> countries, including some adversaries, are regular visitors to U.S. military
> Web sites.

> **************************************************************************