September 25, 1998
Deputy Secretary of Defense John Hamre today directed a department-wide review of information placed on publicly available Internet sites of the Department of Defense. All defense components with publicly accessible Web sites must ensure information published on their sites does not compromise national security or place DoD personnel at risk.
The World Wide Web provides the Department of Defense with a powerful tool to convey information quickly and efficiently on a broad range of topics. It has allowed the Department to embrace a Revolution in Business Affairs and re-engineer many of its business practices, such as paper-free contract administration and finance, Internet-based commerce, and Internet-based publishing. The global reach of the Web makes information, whether a press release or a statistical chart, easily available to everyone from individual Service members to the international community.
At the same time, the Internet may provide our adversaries with a potent instrument to obtain, correlate, and evaluate an unprecedented volume of aggregated information on defense personnel and activities. The Department must assess the information posted on public DoD Web sites to ensure national security is not compromised or personnel placed at risk.
In signing out his review directive, Hamre stated, "Recently... I have become aware that some information...provides too much detail on DoD capabilities, infrastructure, personnel, and operational procedures. Such details, especially when combined with information from other sources, may increase the vulnerability of DoD systems and potentially be used to threaten or harass DoD personnel and their families." In particular, Hamre was concerned about the possibility of personal and private information relating to Service members such as social security numbers or home addresses being posted to a publicly accessible web site.
Hamre added, "This new security guidance does not diminish in any way our plans to utilize Internet technology to revolutionize the business practices of the Department. Our actions to advance electronic commerce and develop a paper-free acquisition system will continue at full speed. We will, however, be more attentive to the security implications of this technology. Security and efficiency can be achieved at the same time."
The review ordered today includes the following steps:
Establishment of a task force to develop policy and procedural guidance addressing operational, public affairs, acquisition, technology, privacy, legal and security issues associated with the use of DoD web sites, reporting to the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence). This task force should issue preliminary guidance to DoD components by late November 1998; Requirement for a security assessment of its Web sites by each DoD component within three months of receiving the above task force guidance and annually thereafter;
Pending the development of detailed, procedural guidance and provided it would not adversely impact essential mission accomplishment, all DoD organizations are immediately required to remove certain information from publicly accessible Web sites, i.e., not domain or password-protected, including
In directing these measures, Hamre said, "I believe that these steps will help us to better manage Web information services to strike the appropriate balance between openness and sound security."