25 September 1998
Source: Fax from Office of the Assistant Secretary of Defense for Public Affairs. Thanks to SH.
1010 DEFENSE PENTAGON
WASHINGTON, DC 20301-1010
24 SEP 1998
MEMORANDUM FOR
    SECRETARIES OF THE MILITARY DEPARTMENTS
    CHAIRMAN OF THE JOINT CHIEFS OF STAFF
    UNDER SECRETARIES OF DEFENSE
    DIRECTOR, DEFENSE RESEARCH AND ENGINEERING
    ASSISTANT SECRETARIES OF DEFENSE
    INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE
    DIRECTOR, OPERATIONAL TEST & EVALUATION
    COMMANDERS OF THE COMBATANT COMMANDS
    ASSISTANTS TO THE SECRETARY OF DEFENSE
    DIRECTOR, ADMINISTRATION AND MANAGEMENT
    DIRECTORS OF THE DEFENSE AGENCIES
    DIRECTORS OF THE DOD FIELD ACTIVITIES

SUBJECT: Information Vulnerability and the World Wide Web
The World Wide Web provides the Department of Defense with a powerful tool to convey information quickly and efficiently on a broad range of topics relating to its activities, objectives, policies, and programs. It is at the heart of the Defense Reform Initiative and is key to the reengineering and streamlining of our business practices. Similarly, fundamental to the American democratic process is the right of our citizens to know what government is doing, and the corresponding ability to judge its performance.
At the same time, however, the Web can also provide our adversaries with a potent instrument to obtain, correlate and evaluate an unprecedented volume of aggregated information regarding DoD capabilities, infrastructure, personnel and operational procedures. Such information, especially when combined with information from other sources, increases the vulnerability of DoD systems and may endanger DoD personnel and their families.
All DoD components that establish publicly accessible Web sites are responsible for ensuring that the information published on those sites does not compromise national security or place DoD personnel at risk. By authorizing the establishment of Web sites, component heads assume management responsibility that extends beyond general public affairs considerations regarding the release of information into their realm of operational security and force protection. Component heads must enforce the application of comprehensive risk management procedures to ensure that the considerable mission benefits gained using the Web are carefully balanced against the potential security and privacy risks created by having aggregated DoD information more readily accessible to a worldwide audience.
In view of the growing information roles and vulnerability of the Web within DoD, I am directing the following steps:
I believe that these steps will help us to manage Web information services better to strike the appropriate balance between openness and sound security. My point of contact is Mr. J. William Leonard, OASD(C3I) at (703) 697-2242.

[Signature]
John J. Hamre
Date: Fri, 25 Sep 1998 10:05:11 -0400
Reply-To: jim.knotts@OSD.PENTAGON.MIL
Sender: DOD NEWS LIST <DODNEWS-L@DTIC.MIL>
From: dlnews_sender@DTIC.MIL

= N E W S R E L E A S E
=
= OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
= (PUBLIC AFFAIRS)
= WASHINGTON, D.C. 20301
=
= PLEASE NOTE DATE
====================================================

No. 500-98
IMMEDIATE RELEASE
September 25, 1998
(703)695-0192(media)
(703)697-5737(public/industry)

DEPUTY SECRETARY HAMRE ORDERS REVIEW OF WEB SECURITY

Deputy Secretary of Defense John Hamre today directed a department-wide review of information placed on publicly available Internet sites of the Department of Defense. All defense components with publicly accessible Web sites must ensure information published on their sites does not compromise national security or place DoD personnel at risk.

The World Wide Web provides the Department of Defense with a powerful tool to convey information quickly and efficiently on a broad range of topics. It has allowed the Department to embrace a Revolution in Business Affairs and re-engineer many of its business practices, such as paper-free contract administration and finance, Internet-based commerce, and Internet-based publishing. The global reach of the Web makes information, whether a press release or a statistical chart, easily available to everyone from individual Service members to the international community.

At the same time, the Internet may provide our adversaries with a potent instrument to obtain, correlate, and evaluate an unprecedented volume of aggregated information on defense personnel and activities. The Department must assess the information posted on public DoD Web sites to ensure national security is not compromised or personnel placed at risk.

In signing out his review directive, Hamre stated, "Recently... I have become aware that some information...provides too much detail on DoD capabilities, infrastructure, personnel, and operational procedures. Such details, especially when combined with information from other sources, may increase the vulnerability of DoD systems and potentially be used to threaten or harass DoD personnel and their families." In particular, Hamre was concerned about the possibility of personal and private information relating to Service members such as social security numbers or home addresses being posted to a publicly accessible web site.

Hamre added, "This new security guidance does not diminish in any way our plans to utilize Internet technology to revolutionize the business practices of the Department. Our actions to advance electronic commerce and develop a paper-free acquisition system will continue at full speed. We will, however, be more attentive to the security implications of this technology. Security and efficiency can be achieved at the same time."

The review ordered today includes the following steps:

* Establishment of a task force to develop policy and procedural guidance addressing operational, public affairs, acquisition, technology, privacy, legal and security issues associated with the use of DoD web sites, reporting to the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence). This task force should issue preliminary guidance to DoD components by late November 1998;

* Requirement for a security assessment of its Web sites by each DoD component within three months of receiving the above task force guidance and annually thereafter;

* Development of a training program on Web information security issues by March 1999;

* Implementation of a plan by March 1999 to use Reserve Component assets for ongoing operational security and threat assessments of DoD Web sites; and

* Development and implementation of a computer architecture which enhances the protection of sensitive but unclassified information.

Pending the development of detailed, procedural guidance and provided it would not adversely impact essential mission accomplishment, all DoD organizations are immediately required to remove certain information from publicly accessible Web sites, i.e., not domain or password-protected, including

* plans or lessons learned which would reveal sensitive military operations, exercises or vulnerabilities;

* information on sensitive movements of military assets or the location of units, installations, or personnel where uncertainty regarding location is an element of the security of a military plan or program; and

* personal data such as social security account numbers; complete dates of birth; home addresses; and telephone numbers other than public telephone numbers of duty offices. In addition, names, locations and any other identifying information about family members of DoD employees and military personnel should be removed.

In directing these measures, Hamre said, "I believe that these steps will help us to better manage Web information services to strike the appropriate balance between openness and sound security."

-END-

NOTE: This is a plain text version of a web page. If your mail reader did not properly format this information, the original is online at http://www.defenselink.mil/news/
====================================================