DOD issues plan for scrubbing Web sites

Just one week after senior Defense Department officials expressed concern over the posting of sensitive information on DOD World Wide Web sites, Deputy Secretary of Defense John Hamre today issued a departmentwide action plan to tighten DOD's Web security policy.

"Recently I have become aware that some information provides too much detail on DOD capabilities, infrastructure, personnel and operational capabilities," Hamre said. Such details, when combined with information from other sources, "may increase the vulnerability of DOD systems, personnel and their families."

The centerpiece of the new directive is the creation of a task force to develop policies and procedures governing DOD's use of the Internet and the posting of information on DOD Web sites. According to the directive, the task force will report to the assistant secretary of Defense for command, control, communications and intelligence and is expected to issue preliminary guidance for DOD agencies by November of this year. In addition, all DOD agencies and components will be required to act on the task force's recommendations by February 1999.

Last week, some DOD Web sites began pulling online documents in an effort to keep information out of the hands of terrorists and other hostile forces who might be able to glean revealing and damaging information from the department's estimated 1,000 Web sites on U.S. forces. Some of the information on DOD Web sites includes Social Security numbers, home addresses and home telephone numbers of officers and troop members. Other sites post specific information about the capabilities of weapons and detailed floor plans of facilities.

In addition to creating a Web security task force, the Hamre directive also ordered the development of a new training program by March 1999 that will focus on Web information security issues.

"It is the ability for someone to go to a single location [on the Web] and let their fingers do the walking [to] come up with [sensitive] information that is of the most concern to us," a DOD spokeswoman said.

Hamre also ordered DOD to come up with a plan for using the Reserves to conduct operational security and threat assessments of DOD Web sites and develop a new "computer architecture" that will be capable of enhancing the security of information deemed sensitive but unclassified.

Information tagged by the directive for immediate removal from DOD Web pages includes all data related to military plans, lessons learned, exercises and known vulnerabilities. The directive also called for the immediate removal of information on unit locations, military installations and various personal data on service members and DOD employees.

"I believe that these steps will help us to better manage Web information services to strike a balance between openness and sound security," Hamre said. "This new security guidance does not diminish in any way our plans to [use] Internet technology to revolutionize the business practices of the department," he said. "Security and efficiency can be achieved at the same time."