18 September 1998
Thanks to D. Date: Fri, 18 Sep 1998 08:44:10 -0400 To: jya@pipeline.com Subject: CNN: Terrorist threat may limit Pentagon Web site Terrorist threat may limit Pentagon Web site September 17, 1998 Web posted at: 2:08 p.m. EDT (1808 GMT) [Sidebar: For site security purposes and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. -- Department of Defense] WASHINGTON (CNN) -- The Pentagon, concerned that some of the massive amounts of information it puts on the Internet might be useful to terrorists, is considering whether to trim its Web presence. The government's various military Web sites -- one for the Department of the Defense and one for each service branch -- "perhaps provide too much information," said Pentagon spokesman Ken Bacon. During a Wednesday news briefing he did not say whether a specific threat prompted the Pentagon's concern. Tempting to terrorists? But in August, after the United States fired cruise missiles at suspected terrorist targets in Afghanistan and Sudan, the Pentagon departed from its normal procedure and did not provide operational details of the strikes. Commanders of all service branches also were reminded not to put detailed information about the attacks on their Web sites. Military officials say information such as the names of commanders and the location of their families could be used by terrorists seeking retaliation. Some of the military's Web pages contain unclassified but detailed information about ships, planes, weapons, troop deployments and bases. Determining what stays and what goes is a project headed by Deputy Defense Secretary John Hamre, the Pentagon's point man on technology issues. [Sidebar: Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act. -- Department of Defense] Bacon said Hamre and the Joint Chiefs of Staff office have been looking "aggressively" at the military's Web sites to see what information currently is available on: Building plans; "Actual diagrams of buildings of certain military installations"; "Lessons learned on certain military operations or programs"; Future research and development goals; and "Personnel information that could perhaps provide too much information in terms of locating people or recreating identities from information provided on the Internet." Changes under review; no decision yet The Pentagon's review of material it puts on the Internet has been ongoing for some time. An announcement of what it plans to do will be made "at some appropriate time," Bacon said. "We're in the process now, as I believe many private companies are, of trying to sort out what the right balance is between providing useful information and providing more information than is necessary over the Internet," he told reporters. "Some of this involves cutting out clutter on the Internet and focusing Web sites so that they provide useful amounts of information without overwhelming users," Bacon said. U.S. government Web sites are frequent targets for hackers. Last year, the Pentagon alone recorded more than 250,000 break-in attempts and in February, hackers succeeded in gaining access to the Pentagon's unclassified files.
DoD News Briefing Mr. Kenneth H. Bacon, ASD PA Tuesday, September 15, 1998 - 2:15 p.m. [Excerpts] Q There was a report I guess last week about an impending memorandum from Dr. Hamre to lay out some stricter guidelines, I guess, on what the DoD posts on its web site. I was wondering if you could maybe give us a little bit of background on this activity, and whether or not there are some specific cases where the Pentagon may have released information inadvertently or perhaps some other fashion, and it's led Dr. Hamre to be concerned about this. A This is an example of a challenge that balances two goals. The challenge is to balance two goals. One is to have web sites that provide useful information to the users of those web sites but don't go too far in providing information that could be dangerous if misused by malefactors of various sorts. So Dr. Hamre and the Joint Staff have been aggressively looking at the content of web sites to see what sort of information they may provide on building plans, for instance; actual diagrams of buildings of certain military installations; on lessons learned on certain military operations or programs; on future R&D goals or programmatic goals, and also personnel information that could perhaps provide too much information in terms of locating people or recreating identities from information provided on the Internet. We're in the process now, as I believe many private companies are, of trying to sort out what the right balance is between providing useful information and providing more information than is necessary over the Internet. Some of this involves cutting out clutter on the Internet and focusing web sites so that they provide useful amounts of information without overwhelming users. This is a process that has been going on for some time. I don't believe it's quite over yet. At some appropriate time we'll be able to make a more detailed announcement. Q Have there in fact been specific cases where it is believed that these malefactors have gained permission and might be... A I think this is an example of trying to anticipate future problems rather than waiting for the problems to catch us.
DoD News Briefing Thursday, September 17, 1998 - 1:55 p.m. Mr. Kenneth H. Bacon, ASD (PA) [Excerpts] Q Has there been a decision yet to scrub those military web sites? And could you say how many web sites there are, and the sorts of information that would be removed from them? A First of all there has been no decision signed out on the question of web site security. I do not know offhand how many military web sites there are, but there are a lot I can tell you. Hundreds may understate it. But the policy has not been signed out yet by Deputy Secretary Hamre. Q Do you have any sense of the kind of information that you're concerned about... A Some of it is personal information such as social security numbers, home addresses, telephone numbers, home telephone numbers, things like that. Some of the information would deal with very specific information about the capabilities of weapons, particularly weapons that are being developed through the contracting process, that might come out through the contracting process. A third area would be anything that looked like, that might provide very detailed floor plans of facilities, for instance certain types of facilities. Those are the types of issues that we're looking at now, and as I said, this is something of concern to the Joint Staff and also to Secretary Cohen and Deputy Secretary Hamre. We've been looking at a way to balance the convenience of the web sites and to make them helpful and functional without giving away information that might lead to compromises of personal or other types of security. Q What can you say about the way in which this problem developed? Was it a lack of oversight and planning in terms of web site technology? Or... Why are we seeing this now? A First of all, as I said on Tuesday, we're trying to act before real problems develop. The best problems are ones you head off before they become bad problems. That's what we're attempting to do. We're attempting to make people more conscious of web site security issues. That's really the goal of the policy that's in draft form now. Q But in terms of planning or strategizing before web sites were even created... A I think that web sites bring out creativity and a desire to disclose information in people. That's what they're designed for and many of the people who have designed these web sites want to make them as sort of full of information as possible. All we're asking commanders to do, or we will ask commanders to do, is to review the web sites with a couple of basic principles that deal with personal and other types of security, and to make sure that they don't give out information that could compromise our very legitimate security needs. Q Were technical requirements for arms, or for weapons development contracts being put on web sites? A I listed that as an example of the type of thing we'd be concerned about. I don't want to get into specifics. I don't think it's appropriate to do that right now. We estimate that there are about one thousand Department of Defense web sites, but there is no central registry of web sites in the Department so we don't have a clear number. Any of you who have logged onto DefenseLink, and I hope all of you have, because it's the window into the public affairs office at the Department of Defense, and the best way to get information quickly and cheaply. Any of you who have logged into that know that you can go from DefenseLink which is the DoD web site into web sites for each of the services, for instance. From there you can go into web sites for a specific unit. Sometimes even specific ships. So there's this sort of multiplication effect where you go into the Navy web site and from there you can go into many other web sites down to carrier battle groups or ships. You can go into web sites for particular units or wings and the Marine Corps, Army, and Air Force. Then of course many agencies, many defense agencies, also have their own web sites, and many installations. For instance if you wanted to learn the history of Moody Air Force Base, you could find the Moody Air Force Base web site and it would give you a history of the base and tell you who the commander was and the command structure and what units are assigned there. I'm sure you can do this for almost any installation in the military. Moody is one I happen to have explored myself. It's quite an exciting web site. If any of you are interested in the history of Moody Air Force Base, I commend it to you.