Pentagon orders new Net rules

The Defense Department wants sensitive information off its Web sites, including the location of military operations.

The Pentagon may be a bastion of security, but the Defense Department's approximately 1,000 affiliated Web sites may have been giving up sensitive information to global computer users.

So Deputy Defense Secretary John Hamre announced a new policy Friday to keep information such as the location of military operations, officials' itineraries, and sensitive personal information about employees off the Net.

"The Internet World Wide Web provides the department with a powerful tool to convey information quickly and efficiently on a broad range of topics," Hamre said in a memorandum sent to the department.

"At the same time, such information, especially when combined with information from other sources, increases the vulnerability of [Defense Department] systems and may endanger [Defense Department] personnel and their families," he added.

The order comes in the wake of a General Accounting Office report released last week that found that 24 of the largest U.S. agencies, including the Defense Department, put critical government operations and data at "great risk of fraud, misuse, and disruption."

For now, all of the Defense Department's organizations have 60 days to remove from their Web sites the following material: "plans that could reveal sensitive military operations, exercises or vulnerabilities; information on sensitive troop movements; personal data such as Social Security numbers, birth dates, home addresses and home phone numbers; and any other identifying information about family members of DOD employees and military personnel."

The department also has created a task force to develop security policies for its various Web sites by late November, and the plans are to be implemented by March.

The department began making plans for the Web site reviews earlier this month. Recently, national security officials were given a demonstration by staff that showed how easy it was to find out where, for instance, a top military official lived by "data mining," or taking certain information from a Department of Defense site and combining it with other details found on the Net.

"There has been particular concern about information that may lead to divulging too much about the privacy of individuals, such as posting a biography or a promotion list--we don't want any Social Security number or home phone inadvertently revealed," Susan Hansen, spokeswoman for the Defense Department, said today.

The FBI has had similar concerns about the Environmental Protection Agency's plans to post online chemical manufacturers' "worst-case" accident scenarios, which could include an estimate of how many people would die if toxic gases were released, if an explosion took place, or if dangerous liquids were spilled. The FBI worries these plants will become terrorist targets.

But the recent terrorist bombings in Africa, national security assertions that the U.S. is the target of cyberterrorism attacks, the computer break-in at the Pentagon last April, and "low-visibility" attacks on U.S. Navy network security were not cited as reasons for the Defense Department's new policy.

"Privacy issues on the Web have been of growing concern; I can't tie to any one event," Hansen said. "We don't want to deny information under the Freedom of Information Act, but on the Internet it's all aggregated and provides a bigger picture than if we provided the information locally or through a piece of paper."

Still, the Defense Department could have anticipated the General Accounting Office's report, which was commissioned by Congress and which the GAO had been working on for some time. The report called for immediate action: "The need for improved federal information security has received increased visibility and attention, but more effective actions are needed both at the individual agency level and the government-wide level," it says.