10 December 1998. Thanks to Dan Dupont, editor, Inside the Pentagon.

Following are two more stories from Inside the Pentagon, one from today and the other from Oct. 1 (as background) on DOD's new Web site policies. Also, I wrote a piece on the subject for Scientific American you can find, if interested, at http://www.sciam.com/1999/0199issue/0199cyber.html.

The actual new DOD web policy is available at http://www.defenselink.mil/admin/about.html#WebPolicies.

Dan Dupont

Inside the Pentagon, Dec. 10, 1998

Even SARs may be 'inappropriate' for Internet


A new policy for administering Defense Department Web sites, aimed at reducing the military's security and privacy risks, may result in the removal of a vast amount of information on weapons costs and performance from the government's Internet sites.

The Pentagon's Nov. 25 "Web Site Administration Policies and Procedures," seeks to establish more uniformity in the kinds of information available to various interested parties, ranging from the greatest access for a small "DOD core" to increasingly restricted access for DOD affiliates, service member families, potential contractors, the American public and ultimately the "worldwide audience."

Interestingly, a diagram in the document depicting the various levels of Web access that should be made available shows the news media relegated to the outer shell along with the U.S. and worldwide audience, apparently blocked from all but the most public information. This depiction is at odds with the actual access typically available to the media as a primary conduit of information on government activities to the public.

The draft policy was obtained by Inside the Pentagon as it awaited Deputy Defense Secretary John Hamre's approval. At press time, the final policy, approved by Hamre on Dec. 7, was discovered on the Pentagon's "DefenseLink" Web site, although no public announcement of its release had been made. The new guidance is located at: http://www.defenselink.mil/admin/about.html#WebPolicies.

Among the kinds of information the policy would seek to bar from Web dissemination are items designated "for official use only," such as "analysis and recommendations concerning lessons learned which would reveal sensitive military operations, exercises or vulnerabilities," or private information about DOD civilian or military personnel, including Social Security numbers, dates of birth, home addresses or phone numbers.

But the policy goes on to list other kinds of information routinely disseminated by the Pentagon, including Selected Acquisition Reports, that "may be inappropriate for posting to publicly accessible DOD Web sites." These SAR cost reports are released quarterly to Congress as well as the news media and are used to track baseline costs and price changes for major weapons programs.

The guidelines leave it to the heads of the military services and defense agencies to determine what should be posted, and to ensure the policy "is consistently applied."

The policy says other information might be inappropriate for the Web, even if it is not typically designated "for official use only," including:

"Military operations and exercises information," including unit organization,
detailed mission statements, standard operating procedures, or tactics,
techniques and procedures;

"Test and evaluation information [that] could result in an unfair advantage or
disadvantage to the manufacturer or producer or could reveal the capabilities,
limitations, or incapabilities of a DOD weapons system or component"; and

"Outsourcing studies that provide detailed descriptions of sensitive
organizational operations."

Of particular concern to the Defense Department is the ability of a potential aggressor to aggregate a vast amount of information off the Internet in a short period of time -- information that may be innocuous in isolation but might provide valuable "intelligence" to a terrorist if pieced together correctly.

Balancing this concern against a desire to provide information to the U.S. public and to interested contractors appears to be one of the more vexing aspects of setting the policy.

"The American democratic process rests on the right of our citizens to know what government is doing, and the corresponding ability to judge its performance," states the policy. "Access to information by the public through
the Web is an important component of this right. Nevertheless, careful examination of the potential consequences of placing information on the Web must be undertaken before it is made available."

Policy concern over the kind of information appearing on DOD Web sites runs from potentially life-and-death issues, such as the posting of sensitive information regarding the movement of troops, to lighter issues of style and graphics. In an example of the latter, the policy states that "organizations shall avoid flashy graphics or other indicators that create a misperception of danger, such as skull-and-crossbones logos or 'warning' signs."

Nor should the Defense Department appear to be promoting particular commercial interests, the policy suggests. "Graphics or logos depicting companies/products shall not appear on publicly accessible DOD Web sites," according to the document.

The creation of the draft policy by the office of the assistant secretary of defense for command, control, communications and intelligence came in time to meet a 60-day deadline Hamre set in a pivotal Sept. 24 memo calling the attention of the military services and defense agencies to the information vulnerability posed by the World Wide Web. Shortly thereafter, the Army took the drastic measure of pulling nearly all its 1,000 sites from the Internet, pending a security scrub (Inside the Pentagon, Oct. 1, p1).

In the September memo, Hamre launched the C3I directorate's effort to establish an overarching policy, saying, "Component heads must enforce the application of comprehensive risk management procedures to ensure that the considerable mission benefits gained by using the Web are carefully balanced against the potential security and privacy risks created by having aggregated DOD information more readily accessible to a worldwide audience."

On Nov. 23, Hamre issued a memo to the service secretaries and the chairman of the Joint Chiefs of Staff encouraging continued participation in three task forces he has created: one to create the new policy; another to examine ways to utilize the reserve components in this area; and a third to review security education and training.

In a Dec. 7 memo Hamre issued upon approving the Web policy, the deputy secretary launched three new reviews:

"The DOD general counsel [will] lead a review of statutes as they relate to our ability to safeguard sensitive, unclassified information and advise me of any recommended changes;

"The director of administration and management [will] lead a review of 'privacy-related' policies, and release of information to ensure that we are maintaining the proper balance with respect to individuals' privacy; [and]

"The [under secretary of defense for acquisition and technology will] lead a review of the department's ability to safeguard sensitive, unclassified information in our electronic commerce systems."

Hamre also asked that the top C3I official work with other Pentagon leaders to codify the new policy in DOD's publication system within 120 days.

-- Elaine M. Grossman

Inside the Pentagon, Oct. 1, p1

Reacting to Hamre web security directive . . .


The Army, reacting to Deputy Defense Secretary John Hamre's directive on Web site security measures, last week took the drastic step of removing all of its nearly 1,000 sites from the Internet until they meet the safety criteria established by the Defense Department.

The Army's interpretation of Hamre's directive was the strictest of the three services, and critics of the new Pentagon policy charge the service's response was unnecessary and an overreaction to a flawed policy.

The Army says it pulled all of its sites from the Internet because to do otherwise would unnecessarily burden webmasters and system administrators who would be unable to complete the security review while simultaneously keeping up the maintenance of active sites.

Critics, however, charge the service went overboard, interpreting Hamre's directive in the strictest terms. Advocates of increased government openness also believe the directive could encourage military components to dramatically reduce the amount of information made public if they interpret Hamre's memorandum in a similar fashion.

The other services did not follow the Army's lead, choosing instead to keep their sites up and running while they are searched for content that meets Hamre's definition of damaging to national security or potentially harmful to Defense Department employees and military personnel.

The Navy, in fact, was like the other services informed that Hamre's directive was coming and sent advance word out to the service. Accordingly, says a service official, the Navy was already examining its sites when the Hamre memo was issued.

The Hamre initiative, first reported Sept. 11 by Defense Information and Electronics Report, is designed to prevent adversaries from using the Web as a "potent instrument to obtain, correlate and evaluate an unprecedented volume of aggregated information regarding DOD capabilities, infrastructure,
personnel and operational procedures," he wrote in a Sept. 24 memorandum. "Such information, especially when combined with information from other sources, increases the vulnerability of DOD systems and may endanger DOD personnel and their families."

Hamre also stressed in his memo that he wants to ensure Defense Department sites achieve a "balance between openness and sound security."

But critics of the Hamre initiative charge it is too wide-ranging -- an opinion they say is best evinced by the Army's reaction to pull from the Internet all of its sites.

Defense Department spokesman Capt. Michael Doubleday told Inside the Pentagon Hamre did not specifically instruct the services how to conduct their searches of Internet sites for potentially damaging information.

"I don't think it was what he hoped they would do," Doubleday said of the Army's decision, but he added that "certainly if the Army felt it was necessary to pull down all the sites in order to review them," that's an
acceptable step.

"Dr. Hamre believes the Web is a very important information tool," Doubleday said, noting that in the statement announcing the new policy last week, Hamre was quoted as saying the new guidance "does not diminish in any way our plans to utilize Internet technology to revolutionize the business practices of the

That quote, Doubleday stressed, was written by Hamre himself to highlight his concern that balance between openness and security be achieved.

But Steven Aftergood, director of the Federation of American Scientists' Secrecy and Government Project, argues that Hamre's directive amounts to a knee-jerk response that ultimately will fail.

"To say they have overreacted is an understatement," Aftergood said. He and colleague John Pike, who runs several FAS Web sites, argue that the vague language in Hamre's memo invites overreaching responses from the services.

"No one can accuse the Army of disobeying," said Aftergood. "They're following orders with a vengeance."

Pike added that the Army's decision shows that the service's leadership "doesn't know which end the bullet comes out of. This significantly diminishes my confidence in the ability of the Army leadership to deal with information security issues."

But Col. John Deal, executive officer to Army Director of Information Systems for Command, Control, Communications and Computers Lt. Gen. William Campbell, told Inside the Pentagon last week the service felt that the best way to fully comply with Hamre's memo was to pull all its sites, instruct commanders to review them for damaging information, and allow the sites to come back up once any is removed.

Acknowledging that the move is "disruptive" in the short term, Deal argues that the Army's reaction will actually be less disruptive once the reviews are completed.

"It's an inconvenience for a few days," he said. "If the server is in operation, it's very, very difficult for the system administrator . . . to perform those types of scrubs of the content that we believe are appropriate" given Hamre's direction.

"I think we are going to take a prudent and judicious approach" in deciding what content, if any, should be removed from Army sites, Deal said.

Approximately 1,000 Army sites were pulled off the Internet following a Campbell message issued late last week after Hamre's memo was distributed. "All Army activities must immediately remove from the Internet all publicly accessible websites under their control," states the message, obtained by Inside the Army.

"Once these websites are removed from the public Internet, Army activities must review the information that was contained on the website prior to re-establishing public access," Campbell added.

Commands are given the authority to certify compliance on their own, Deal noted, but "teams" of service personnel will be assigned the task of checking to make sure the sites are in compliance once they are returned to the Internet.

According to Hamre's memo, the following types of information are to be removed from all DOD Web sites:

"Plans or lessons learned which would reveal sensitive military operations, exercises or vulnerabilities;

"Reference to any information that would reveal sensitive movements of military assets or the location of units, installations, or personnel where uncertainty regarding location is an element of the security of a military plan or program;

"All personal information in the following categories about U.S. citizens, DOD employees and military personnel: 1) Social Security Account numbers; 2) dates of birth; 3) home addresses, and 4) telephone numbers other than numbers of duty offices which are appropriately made available to the general public. In addition, remove names, locations and any other identifying information about family members of DOD employees and military personnel."

As of Tuesday morning, Deal noted, six Army sites had already been returned to the Internet, and more were expected to be available every day.

That hasn't mollified critics of Hamre's directive or the Army's response. William Arkin, an independent defense analyst and author of the book "The U.S. Military Online," contends that Hamre, who heeded the advice of his military advisers in formulating the new policy, "was had."  "Maybe he's the smartest webhead on the planet and we just don't know it," Arkin said, disputing Hamre's assertion that the Internet poses a significant new threat.

Arkin says the Hamre directive has its roots in a Joint Staff briefing on information vulnerability that has been circulating for about a year. The brief, he argues, amounts to "basically a frontal attack on the Internet"
because it "shows how all sorts of information that could possibly do damage to national security is online."

The examples cited most often in coverage of Hamre's move include a site that features a "virtual tour" of Chairman of the Joint Chiefs of Staff Gen. Henry Shelton's home, and sites that include personal information about military personnel.

According to Arkin, however, many of these examples involve commercial, not military sites -- including Shelton's "virtual tour" and general search engines that can find almost anyone's name, phone number and address, not just military personnel.

Personal information about military and DOD personnel, Arkin and Aftergood agree, doesn't belong on military Web sites because it serves no purpose. But they also point out that current policies should prohibit it and classified information from being there, anyway, and that extensive Web searches have shown this information is in fact not abundantly available.

In addition, Aftergood notes that existing, publicly available technologies allow anyone to retrieve information even after it has been pulled from Internet sites. Much of the World Wide Web, in fact, has been archived in some way by various sites and search engines.

Arkin argues that Hamre's directive highlights a fear of the Internet that pervades the military. "Basically, what it's saying is that information can circulate on paper but it can't electronically," he says. "The problem of
trying to control unclassified information is that the Pentagon is a huge organization and eventually it's going to get out."

"It just makes hackers and Web hooligans believe that whatever they're doing against the Pentagon is both working and worthwhile," Arkin concludes. "It makes the military look incompetent."

-- Daniel G. Dupont