Whoops! War plans online

A new reserve unit that monitors the Defense Department's presence on the

World Wide Web has found an astonishing amount of classified or sensitive

material on public sites.

The Web Risk Assessment Team, established by the Joint Task Force for

Computer Network Defense, is made up of reservists who spend one weekend

each month scanning DOD Web sites for sensitive or classified information

that shouldn't be posted on the Internet, according to Air Force Maj. Gen.

John Campbell, commander of JTF-CND.

A recent survey of 800 major DOD Web sites revealed as many as 1,300

"discrepancies," some of them involving highly classified information, Campbell

said.

For example, the team uncovered more than 10 instances in which information

about Pentagon war plans was posted. The team also discovered information

on computer system vulnerabilities and more than 20 detailed maps of DOD

facilities.

Some of the materials included detailed plans of a facility known as

"Site R," which serves as the alternate Joint Communications Center for

U.S. nuclear forces, according to Campbell. The overhead photo of Site R

showed the location of underground tunnel entryways and a detailed floor

plan of the facility.

Likewise, the Web site for an annual exercise known as "Cobra Gold"

included an entire list of participating units, communications frequencies

and call signs for aircraft, and data on Identification Friend or Foe squawks,

which are signals used by pilots to determine if a plane is friendly. In

another instance, the team found a classified excerpt in a policy document

on counterterrorism.

"Putting this task force in place is a very important step forward,"

said Jerry Harold, president and co-founder of Network Security Technologies

Inc. and a former information systems security officer with the National

Security Agency. "A data aggregation issue can arise from the types of information

posted. While individual documents may not be sensitive, the aggregate of

several documents may provide an adversary with information that the government

would consider sensitive, or even classified."

Although the assessment team provides DOD an active defense of sorts,

the JTF-CND is shifting gears on would-be hackers by creating what are called

"honey pots," which use deception to divert hackers away from classified

information and help authorities trap them.

A more controversial tactic involves using tags that allow the JTF-CND,

in coordination with federal law enforcement, to trace stolen information

back to the hacker or criminal who stole it. Because of privacy issues that

may arise out of the use of such tactics, the JTF-CND has also added legal

counsel to its staff, Campbell said.

But legal counsel alone may not be enough, said Douglass Perritt, deputy

director of the National Infrastructure Protection Center. "Our definition

of national security has to change," as does the existing body of laws governing

how the government can react to cyberintrusions and attacks, Perritt said.

"Traditional adversaries no longer fit the mold. Can we react quickly? Absolutely

not."

Mark Gembecki, chairman of security consulting firm WarRoom Research

Inc., said the Pentagon's renewed focus on security is long overdue. "I'm

glad to see that an aggressive course of action is being taken," he said.

Although Gembecki said he believes this is an effective use of DOD resources,

there is still a role for automation, he said. "Automation is key to the

future of Internet security and the protection of proprietary information,"

Gembecki said. "Smart Internet agents are being used everyday but are limited

if an embedded intelligence collection scheme is not used."

However, textual content presents a more difficult challenge than do

images, said Matthew Patton, a senior security engineer at Network Security

Technologies Inc. and a former network security consultant for the Air Force.

"Where images are concerned, a lot of them are ornamental and, once inspected,

can be summarily dismissed," he said. "Textual content is more difficult

and needs review every time a revision is made. So have the reservists brush

up on their shell-scripting abilities."

But human analysts still play a key, irreplaceable role, Gembecki said.

"This is not necessarily a bad thing, since human cognition is a critical

element of the digital information decision process," he said. "And [it]

is far more effective than most computer programs."