Army cleaning up Web sites
The Army is working to remove potentially damaging data from its Web sites and recently found a glitch that it is fixing
The Army is working diligently to remove all potentially damaging data from its publicly accessible Web sites and recently found a new glitch that it is in the process of fixing, the service's director of information assurance said.
Col. Thaddeus Dmuchowski, director of information assurance in the Army's Chief Information Officer Office, said the service was "caught blindsided" when it first learned of more than 70 examples of publicly accessible Army Web sites containing "inappropriate information."
The examples were contained in a report released June 5 from the Defense Department's inspector general and the DOD's Joint Web Risk Assessment Cell.
After learning of the site problems in February when it saw a first draft of the report, the Army established its own Web Risk Assessment Cell and closed every hole identified in the report and even more outlined in the first quarter of this year, he said.
The latest problem, which was identified by the Army in the past week, involves "hidden" sites that are no longer visible to basic searches or indexes, but can still be found through more sophisticated digging. Dmuchowski likened it to a Microsoft Corp. PowerPoint presentation with hidden slides that may not be visible, but are still there.
The problem may have arisen as Webmasters were trying to clean sites and figured that if information was no longer visible, then the requirement was being met. However, that information is now being removed completely as it is found, he said.
The DOD IG report said that from June to August of last year, the joint cell identified 77 public Army sites that contained inappropriate information, including:
* Fourteen examples of operational plans.
* Four cases of personal information.
* Forty-eight instances of policies and procedures on military operations.
* Eleven documents marked for official use only.
Furthermore, in the first quarter of this year, the joint cell identified more than 370 potential problem sites, 174 of which needed remediation in one of seven categories:
* Sixty examples of force protection issues.
* Nineteen in communications.
* Seven in logistics.
* Sixty-two in personnel.
* Eleven in operations.
* Ten in critical infrastructure.
* Five in persistent cookies.
"When you look across the Army, that's not too bad," Dmuchowski said. He added that once problems are identified, it usually takes only a day or two to fix them, and the Army is now focused on "for official use only" as a search term.
Examples of inappropriate information found this year included:
* One post that had building and infrastructure diagrams — down to the manhole locations — available on a site.
* Pictures of soldiers and their families posted with names, base locations and other sensitive material available in the background.
* The Command and General Staff College (CGSC) posted learning materials, discussion papers and white papers with potentially sensitive data.
The CGSC has removed all the information in question and will be unveiling a new, secure Web site later this month with a different format and structuring "to list those kinds of discussions," he said.
Dmuchowski said the DOD joint cell submits a quarterly list of concerns for the Army to work through, but now the service also is going back on its own to examine command sites and other past problem areas.
"We're at the next level," he said. "We're being preventative as well as reactive. The report was bad, but we've come a long way in four months."