This may have some bearing on the OIG situation.

--Sue Worden (worden@uts.cc.utexas.edu)

> **************************************************************************
> Date: Fri, 19 Feb 1999 07:22:21 -0800 (PST)
> From: HPCwire <hpcwire@tgc.com>
> Subject: 14829 PENTAGON REASSESSES WEB SITE SECURITY 02.19.99
>
> PENTAGON REASSESSES WEB SITE SECURITY 02.19.99
> FEATURES AND COMMENTARY HPCwire
> ===========================================================================
>
> Washington, DC -- As The Associated Press reported, the chairman of the
> Joint Chiefs of Staff looked on as the Pentagon's brightest techies clicked
> away at their laptops and showed how would-be terrorists could find his son's
> home address.
>
> Army Gen. Henry Shelton then got a demonstration of how a skilled
> adversary might combine publicly available biographies and contractor
> information on military Web sites with a few well-placed phone calls to pin
> down the dates of highly classified nuclear exercises.
>
> The classified briefing, held in Shelton's Pentagon office, was then given
> to other generals and admirals as well as senior civilians, generating a
> momentum that has led the military to order a massive scrub of its massive
> network of Internet sites.
>
> Deputy Defense Secretary John Hamre said military Web sites offered
> adversaries "a potent instrument to obtain, correlate and evaluate an
> unprecedented volume of aggregated information" that could, when combined
> with other sources of information, "endanger Department of Defense personnel
> and their families."
>
> Instituted Dec. 7, the policy change has set off a debate as some critics
> argue the Pentagon went too far in restricting the information it makes
> public on the Internet.
>
> In response, defense and national security officials have become more open
> to discussing, on condition of not being identified by name, the nature of
> the risk their detailed review of military Web sites revealed.
>
> "There was information that was potentially tactically useful to an
> adversary, the kind of thing where if someone really wanted to do harm to
> your personnel, it could facilitate them in undertaking an attack," said one
> senior defense official working on Internet security issues. Another
> national security official called the briefings "eye-openers" that startled
> commanders.
>
> The briefings stemmed from work done in 1997 and 1998 by Pentagon "red
> teams," a term associated with a notional enemy force in war games. Team
> members tried to learn how much mischief they could do by skillfully
> scanning military Web sites, without any sophisticated hacking. They showed
> Shelton, himself a former special operations specialist, how his own
> biography posted on a military Web site combined with non-military databases
> could quickly lead a terrorist to the home address of one of his sons living
> in Florida.
>
> The red teams found detailed maps and aerial photographs of military
> installations that would help anyone planning a strike or a terrorist
> action. These were the kinds of pictures, one senior official noted
> ruefully, that the United States spent billions to get during the Cold War
> through its spy satellite network. Now the United States was giving such
> imagery away for free on the Internet.
>
> Senior officers were particularly concerned when one of the red teams was
> able to combine a variety of data and make highly accurate estimates about
> the timing of nuclear weapons drills, exercises and readiness checks,
> according to two senior national security officials familiar with the
> briefings.
>
> Biographies of individual commanders of units likely to be involved in
> such operations combined with phone calls to those commanders' bases yielded
> information about temporary duty assignments in Nevada at installations
> involved in nuclear weapons handling. Military Web sites containing
> contractor information, particularly formal requests for bids to supply
> particular security equipment, helped further hone this detective work,
> according to the officials.
>
> Cleaning the military Web sites of potentially dangerous information has
> proved a monumental task. Bill Leonard, a top Pentagon information security
> official, said the military was unsure initially how many Web sites it had,
> and even today can only provide an estimate. For a time, the Army completely
> closed off access to its 1,000 Web sites. Now back on line, the Army's Web
> sites have been substantially trimmed, as have those of the other services.
> Entire Internet addresses have been put off limits, with the terse message
> on the computer screen that information previously available has been
> removed for security reasons.
>
> However, some think the scrub of military Web sites has gone too far.
>
> "This is a wartime information policy," said John Pike of the Federation
> of American Scientists, a Washington-based research group that follows
> military and intelligence matters. "All kinds of program information is
> being withdrawn. Almost anything that discloses what an agency actually
> does, beyond a brief mission statement, is going away."
>
> The Federation is pursuing release of some of the deleted information
> under the Freedom of Information Act. In its filing with the Pentagon's
> security review office, the Federation said anything released as a result of
> the complaint should come in electronic form so the Federation can post the
> information on its Web site.
>
> To date, the Pentagon cannot point to a specific incident where
> information posted on a military Web site resulted in harm to U.S. national
> security.
>
> "The menacing scenarios have remained just that -- only scenarios,"
> according to George Smith, editor of The Crypt Newsletter, an online
> publication dealing with computer security.
>
> But the Pentagon says it has solid electronic evidence that foreign
> countries, including some adversaries, are regular visitors to U.S. military
> Web sites.
> **************************************************************************