16 February 1999. Add AP report and historical article.
15 February 1999. Thanks to D.
The Washington Post, February 15, 1999
The Pentagon and the Web: Round Two
By William M. Arkin
Special to washingtonpost.com
"I think that our government is hemorrhaging in a way that I have never seen in my lifetime," CIA director George Tenet told Congress February 2 in an unusually emotional appeal regarding the state of official secrecy.
Tenet mostly pointed fingers at people in the executive branch, who he said were probably responsible for 80 percent of what appears in the news media.
Lt. Gen. Patrick Hughes, director of the Defense Intelligence Agency, who was testifying alongside Tenet chose a different culprit. His focus was not the Washington sport of peddling secrets for influence (after all, DIA has always been notorious for successfully keeping its thousands of employees in a protected bubble).
Hughes instead point at the Web: "We seem now to have erred on the side of making so much information available that some of it has been damaging to our governmental collective effort."
I suspect the very dynamism and anarchy of the web is at the heart of the new found military discomfort. A network that was once the military's own not only has been fully appropriated. But it shifts and changes by the minute, moving at a speed that exceeds anything that the weapon's makers can produce.
For old timers like Hughes, it is easier to focus on what is truly new with the end of the Cold War rather than to address the breakdown of internal discipline that seems to have struck the military and spy agencies in the same time period.
The Hughes-Tenet war cry may suggest leak investigations and internal crackdown. We've all heard that before.
The more tangible and publicly damaging fallout comes in the ever expanding Internet opposition in the national security community. Official Internet haters latch on to such high level statements and find solace in the call for greater control over information, and in the general sense in Washington that the United States is threatened by cyber-terror.
One senior Pentagon official likens the current dispute between "public affairs" and security proponents over the benefits and dangers of the World Wide Web to be two opposing trains careening towards one another on the same track. So seemingly successful has been the anti-web assault of late that the Federation of American Scientists, a secrecy watchdog, opines that the "golden age of public access to government information" over the Internet is over."
Granted there is a profusion of closed websites and "access denied" messages that have sprung up in the .mil domain in recent months. But FAS hyperventilates as much as the chief intelligence officers do.
The Internet is its own bullet train. Despite the efforts of security goons and information warfare operators who would like to obliterate the web, the public .mil domain remains vibrant and is growing.
The chief of Internet security for the Pentagon is J. William Leonard. Bill Leonard chairs the Department "information vulnerability and the world wide web" task force. Its December 7 "guidance" regarding the content of 3,000 or so official military websites could if taken literally, shut down the .mil domain.
Some see Bill Leonard as the Internet anti-Christ, but in his corner of the security world (that is, where they've actually taken the time to understand the web and what it's all about), Leonard is far less alarmed than Hughes-Tenet.
"When we started the review, I took a look at some random [official] websites," he says. "What struck me first was what I didn't see, which was any sort of consistency. I liken the web to business correspondence. You don't put a business letter on a postcard." Official websites, Leonard says, should have the same formality.
The task force guidance charged military commanders and agency directors with responsibility for the content of their sites. Webmasters are being elbowed aside. It is a phenomenon that every sector of the web deals with at some point - the tyranny of the techies - when the question is raised: how do all the doo-dads and gimmicks enhance our mission?
Bill Leonard denies any overall anti-web campaign ("it's like repealing the law of gravity" he says) nor any attempt to create a new classification for electronic information (see earlier column hyperlink here?).
Data mining and electronic aggregation, he argues nevertheless, is a real threat, particularly when it comes to personal information. "When you put out a personnel roster electronically, you have incurred a new host of risks and vulnerabilities," he says.
Leonard readily admits that many proposed security controls are at conflict with some of the most promising applications of web technology. These include Defense Department favorites like electronic contracting and paperless operations. "When we embark on electronic commerce, there's tremendous advantages," Leonard says. But he points out: the Pentagon is contracting for military goods and services. "There is some information that shouldn't leave the country, even by statute."
In the short term, the Pentagon is making greater use of passworded and IP controlled sites. The long term dream is to establish a superpower intranet only accessible to the cleared.
Does Leonard think that any broad system of passwords or user certificates will be secure, given that the community that the .mil domain serves -- active duty soldiers and reservists, families, veterans, allies, contractors and subcontractors -- numbers in the millions? Probably not. His crash course on the web has taught him, moreover, that the technologies that we see today will certainly not be what we see tomorrow.
Arkin can be reached for comment at email@example.com.
© Copyright 1999 The Washington Post Company
SOURCE: http://wire.ap.org/ (AP Breaking News) Associated Press, 16 February 1999, 01:31 EST Pentagon Reassesses Its Web Sites By The Associated Press WASHINGTON (AP) -- The chairman of the Joint Chiefs of Staff looked on as Pentagon cyber-warriors clicked away at their laptops and showed how would-be terrorists could find his son's home address. Army Gen. Henry Shelton then got a demonstration of how a skilled adversary might combine publicly available biographies and contractor information on military Web sites with a few well-placed phone calls to pin down the dates of highly classified nuclear exercises. The classified briefing, held in Shelton's Pentagon office, was then given to other generals and admirals as well as senior civilians, generating a momentum that has led the military to order a massive scrub of its vast network of Internet sites. Deputy Defense Secretary John Hamre said military Web sites offered adversaries "a potent instrument to obtain, correlate and evaluate an unprecedented volume of aggregated information" that could, when combined with other sources of information, "endanger Department of Defense personnel and their families." Instituted Dec. 7, the policy change has touched off a debate as some critics argue the Pentagon went too far in restricting the information it makes public on the Internet. In response, defense and national security officials have become more willing to discuss, on condition of not being identified by name, the nature of the risk their detailed review of military Web sites revealed. "There was information that was potentially tactically useful to an adversary, the kind of thing where if someone really wanted to do harm to your personnel, it could facilitate them in undertaking an attack," said one senior defense official working on Internet security issues. Another national security official called the briefings "eye-openers" that startled commanders. The briefings stemmed from work done in 1997 and 1998 by Pentagon "red teams," a term associated with a notional enemy force in war games. Team members tried to learn how much mischief they could do by skillfully scanning military Web sites, without any sophisticated hacking. They showed Shelton, himself a former special operations specialist, how his own biography posted on a military Web site combined with non-military databases could quickly lead a terrorist to the home address of one of his sons living in Florida. The red teams found detailed maps and aerial photographs of military installations that would help anyone planning a strike or a terrorist action. These were the kinds of pictures, one senior official noted ruefully, that the United States spent billions to get during the Cold War through its spy satellite network. Now the United States was giving such imagery away for free on the Internet. Senior officers were particularly concerned when one of the red teams was able to combine a variety of data and make highly accurate estimates about the timing of nuclear weapons drills, exercises and readiness checks, according to two senior national security officials familiar with the briefings. Biographies of individual commanders of units likely to be involved in such operations combined with phone calls to those commanders' bases yielded information about temporary duty assignments in Nevada at installations involved in nuclear weapons handling. Military Web sites containing contractor information, particularly formal requests for bids to supply particular security equipment, helped further hone this detective work, according to the officials. Cleaning the military Web sites of potentially dangerous information has proved a monumental task. Bill Leonard, a top Pentagon information security official, said the military was unsure initially how many Web sites it had, and even today can only provide an estimate. For a time, the Army completely closed off access to its 1,000 Web sites. Now back on line, the Army's Web sites have been substantially trimmed, as have those of the other services. Entire Internet addresses have been put off limits, with the terse message on the computer screen that information previously available has been removed for security reasons. Some think the scrub of military Web sites has gone too far. "This is a wartime information policy," said John Pike of the Federation of American Scientists, a Washington-based research group that follows military and intelligence matters. "All kinds of program information is being withdrawn. Almost anything that discloses what an agency actually does, beyond a brief mission statement, is going away." The Federation is pursuing release of some of the deleted information under the Freedom of Information Act. In its filing with the Pentagon's security review office, the Federation said anything released as a result of the complaint should come in electronic form so the Federation can post the information on its Web site. To date, the Pentagon cannot point to a specific incident where information posted on a military Web site resulted in harm to U.S. national security. "The menacing scenarios have remained just that -- only scenarios," according to George Smith, editor of The Crypt Newsletter, an online publication dealing with computer security. But the Pentagon says it has solid electronic evidence that foreign countries, including some adversaries, are regular visitors to U.S. military Web sites. Copyright 1999 The Associated Press.
American Forces Press Service, 25 September 1998 Internet Presents Web of Security Issues By Paul Stone WASHINGTON -- In a briefing room deep in the Pentagon earlier this year, Air Force Lt. Col. Buzz Walsh and Maj. Brad Ashley presented a series of briefings to top DoD leaders that raised more than just a few eyebrows. Selected leaders were shown how it was possible to obtain their individual social security numbers, unlisted home phone numbers, and a host of other personal information about themselves and their families -- simply by cruising the Internet. Walsh and Ashley, members of the Pentagon's Joint Staff, were not playing a joke on the leaders. Nor were they trying to be clever. Rather they were dramatically, and effectively demonstrating the ease of accessing and gathering personal and military data on the information highway -- information which, in the wrong hands, could translate into a vulnerability. "You don't need a Ph.D. to do this," Walsh said about the ability to gather the information. "There's no rocket science in this capability. What's amazing is the ease and speed and the minimal know-how needed. The tools (of the Net) are designed for you to do this." The concern over personal information on key DoD leaders began with a simple inquiry from one particular flag officer who said he was receiving a large number of unsolicited calls at home. In addition to having the general's unlisted number, the callers knew specifically who he was. Beginning with that one inquiry, the Joint Staff set out to discover just how easy it is to collect data not only on military personnel, but the military in general. They used personal computers at home, used no privileged information -- not even a DoD phone book -- and did not use any on-line services that perform investigative searches for a fee. In less than five minutes on the Net Ashley, starting with only the general's name, was able to extract his complete address, unlisted phone number, and using a map search engine, build a map and driving directions to his house. Using the same techniques and Internet search engines, they visited various military and military-related Web sites to see how much and the types of data they could gather. What they discovered was too much about too much, and seemingly too little concern about the free flow of information vs. what the public needs to know. For example, one Web site for a European-based installation provided more than enough information for a potential adversary to learn about its mission and to possibly craft an attack. Indeed, the Web site contained an aerial photograph of the buildings in which the communication capabilities and equipment were housed. By pointing and clicking on any of the buildings, a Web surfer would learn the name of the communications system housed in the building and its purpose. Taking their quest for easily accessible information one step further, the Joint Staff decided to see how much information could be collected just by typing a military system acronym into an Internet search engine. While not everyone would be familiar with defense-related acronyms, many of them are now batted around the airwaves on talk shows and on the Internet in military-related chat rooms. They soon discovered how easy it was to obtain information on almost any topic, with one Web site hyper-linking them to another on the same topic. What the Joint Staff was doing when they collected their information is commonly called "data mining" -- surfing the Net to collect bits of information on individuals, specific topics or organizations, and then trying to piece together a complete picture. Individuals do it, organizations do it and some companies do it for profit. While the information they discovered presented legitimate concerns, it wasn't all negative. The Army's Ft. Belvoir, Va., home page was cited as one example of a Web site which served the needs of both the military and the public. It had the sort of information families or interested members of the public need and should get. So what does all this mean? Is DoD creating individual and institutional security problems? In the rush to make information available to the internal audience, is too much being made available to the public and those who might want to inflict harm? The Joint Staff doesn't pretend to have all the answers to these questions, but is encouraging users to think about these issues whenever they put information on the Internet; and they believe that, in some cases, DoD is it's own worst enemy. Michael J. White, DoD's assistant director for security countermeasures, agrees with the Joint Staff analysis. Moreover, as a security expert, he is concerned DoD does indeed exceed what needs to be on the Internet. "For fear of not telling our story well enough, we have told too much," he said. "Personally, I think there's too much out there -- and you need to stop and ask the question: Does this next paragraph really need to be there, or can I extract enough or abstract enough so that the intent is there without the specificity? And that is hard to do because we are pressed every day. So sometimes expediency gets ahead of pausing for a minute and thinking through the process: Does the data really need to be there? Is it going to hurt me tomorrow morning? DoD's policy on releasing information to the public, as spelled out by Defense Secretary William Cohen in April 1997, requires DoD "to make available timely and accurate information so that the public, Congress and the news media may assess and understand the facts about national security and defense strategy." The same statement requires that "information be withheld only when disclosure would adversely affect national security or threaten the men and women of the Armed Forces." "On the one hand," Ashley said, "we have fast, cheap and easy global communication and coordination. On the other hand, we find ourselves protecting official information and essential elements of information against point-and-click aggregation. Clearly, this balancing act is a function of risk management. Full openness and full protection are equally bad answers. We have a serious education, training and awareness issue that needs to be addressed." The Joint Staff repeatedly returns to the issue of "point-and-click aggregation" as a problem that is often overlooked when military personnel and organizations place data on the Internet. What they're referring to is the ability to collect bits of information from several different Web sites to compile a more complete picture of an individual, issue or organization with very little effort. "The biggest mistake people make is they don't understand how easy it is to aggregate information," Walsh said. The lesson from this is that even though what is posted on the Net is perfectly innocent in and by itself, when combined with other existing information, a larger and more complete picture might be put together that was neither intended nor desired. A more obvious problem, yet still one not always considered when posting information on the Internet, is that the "www" in Web site addresses stands for "world wide" Web. Information posted may be intended only for an internal audience -- perhaps even a very small and very specific group of people. But on the Net, it's available to the world. This, security experts agree, is an enormous change from the time when foreign intelligence gathering was extremely labor intensive and could only be done effectively on U.S. soil. "If I'm a bad guy, I can sit back in the security of my homeland and spend years looking for a vulnerability before I decide to take a risk and commit resources," Ashley said. "I'm at absolutely no risk by doing that. I can pick out the most lucrative targets before hand, and may even just bookmark those targets for future use. We won't know something has been compromised until it's too late." White agrees with the Joint Staff's concern. "You can sit in Germany and have access to the United States just as easily as you can in Australia or the People's Republic of China or Chile," White said. "It doesn't matter where you are. You can go back and forth and in between and lose your identity on the net instantaneously. Those who seek to use the system feel comfortable they won't be discovered." In addition to these issues, security experts see another recurring and disturbing problem. In the rush to take advantage of the Net's timeliness and distribution capabilities, military personnel are forgetting about or ignoring the For Official Use Only policies which previously made the information more difficult to obtain. Yet anyone using the Internet doesn't have to venture far into the array of military Web sites to come across one which states: "For Official Use Only." If the information is For Official Use Only, security experts said Web site developers, managers and commanders must ask themselves whether the information should be there in the first place. While officials are most concerned about the information being placed on military Web sites, they had similar warnings about individual or family Web sites. The Joint Staff recommends the same precautions should apply at home, especially as personnel move into high-ranking, key leadership positions. At a time when the flow of information is beyond anyone's capability to either digest it or control its direction, it's not likely the problems brought forward recently by the Joint Staff will be solved any time soon. The first step, security experts said, is awareness the problems exist. Commanders have to understand not just the information capabilities of the World Wide Web, but the information vulnerabilities as well. The second step, Walsh pointed out, is for commanders to become actively involved in the issue of what's being put on the Internet. Current DoD policies require that local commander, public affairs and security reviews prior to release of data on Web pages. But the flow of information is so great, these reviews may not be occurring and few are looking at the aggregation problem. "I think it would be very appropriate for a public affairs officer to be the commander's lead representative," Walsh said. "But it's a commander's issue and it should go down command lines. This is certainly an operational security issue. Just like operational security is everybody's business, this ultimately is everyone's responsibility." White concurred and recommends installations create "security-integrated product teams" which would be tasked to develop and implement guidelines for creating and monitoring Web sites on the installation. "I think having a group come together before the (Web site development) process begins will remove an awful lot of pain in the long run," White said. "We need to step back one step and think before we begin any effort, because once it's done you can't undo it. That makes it very hard in a digital environment." Although it's not possible to retrieve what's already on the World Wide Web, nor predict how it will influence future security issues, Walsh, Ashley and White believe it's not too late to make a difference. With a little more forethought and a lot more planning, it will be possible to better protect the next generation of warfighters, both on and off the battlefield, they said. End