Inside The Pentagon
February 25, 1999
Pg. 1

Pentagon To Form Reservist 'Cell' To Enforce Web Security Policy

Deputy Defense Secretary John Hamre earlier this month approved the formation of a team of reservists to review DOD websites to ensure they are in compliance with a new policy limiting the nature and amount of information the services and defense agencies post electronically to the Internet.

Pentagon officials said DOD intends to debut the new team, dubbed the Reserve Component Joint Web Risk Assessment Cell (JWRAC), on March 1. According to these officials, the Defense Department seeks to capitalize on the unique computer skills reserve personnel bring with them from the private sector.

In a Feb. 12 memo obtained by Inside the Pentagon, Hamre approved a JWRAC concept of operations that will allow the 22-person cadre "to conduct ongoing operations security and threat assessments of component websites."

The Pentagon's website security policy, approved by Hamre on Dec. 7, laid out far-reaching guidance aimed at reducing the military's security and privacy risks by removing a laundry list of information from the official DOD sites (ITP, Dec. 10, 1998, p1). Defense officials say that items of concern that previously were posted to some sites include the Social Security numbers of military personnel, potentially sensitive information about ongoing operations, and details about the capabilities of U.S. weapons and equipment.

In response to an initial directive on reducing website risks issued by Hamre last September, the Army temporarily pulled nearly all its 1,000 sites from the Internet (ITP, Oct. 1, p1).

The December guidelines said the heads of the military services and defense agencies must decide what information is appropriate for posting and ensure the new policy is "consistently applied."

But in the two months that the new policy has been in effect, it has been implemented somewhat haphazardly, perhaps in part because it was laid out relatively loosely to allow for case-by-case discretion, according to observers.

Critics have begun crying foul on the policy's implementation, asserting far more has been removed than is justified under existing security and privacy concerns. Entire websites have been removed or severely truncated by each of the services, while others remain largely intact, sources said.

"They clearly need a better implementation mechanism," said John Pike of the Federation of American Scientists in a Feb. 23 interview. He said one example of uneven implementation is the removal of a website sponsored by U.S. forces at Prince Sultan Air Base, Saudi Arabia, from which U.S. servicemembers enforce the no-fly zone over southern Iraq. Meanwhile, Operation Northern Watch, based at Incirlik Air Base, Turkey, still keeps its website online.

Last week, Pentagon spokesman Kenneth Bacon acknowledged the inconsistency, but urged patience. "I'm sure that the directive has been implemented with varying degrees of zeal by commands around the country," Bacon told reporters on Feb. 16. "The idea was to get the proper balance between using the Web in ways that are helpful to everybody on the one hand, and not giving away information that can compromise personal or unit security on the other hand. It may take us a little bit of time to achieve that balance, but that's what we're trying to do."

Whether the new cell of reservists will exercise a firm or lenient hand in their DOD website policing function is yet to be seen. The group will operate under the Defense Information Systems Agency, using 20 drilling reservists whose efforts are timed to ensure continuous drills at the JWRAC throughout each year, according to sources familiar with the concept of operations.

The reserve cell will comb through the defense websites and will reportedly use a standard procedure for operations security implemented throughout the military, sources said. That involves a five-step process to analyze risks comprising: identification of critical information; analyses of threats; analyses of vulnerabilities; assessment of risk; and application of appropriate operational security measures.

The group's search for potential security risks is to focus on cross-sectional analyses across DOD websites with an eye toward how unclassified material from multiple sites could be combined to create sensitive information that could pose a threat in the hands of an adversary, said one military source. If the JWRAC identifies a pressing risk, the cell will report its findings to the Joint Task Force for Computer Network Defense, or JTF-CND, which Defense Secretary William Cohen recently created at DISA to detect and shut down any computer network attacks perpetrated on the Defense Department (ITP, Dec. 24, p3).

Less urgent problems found by JWRAC will be reported to the service or defense agency which runs the website in question, defense sources said.

Pentagon critics say the newfound interest in Internet security is a belated result of years in which the Pentagon's top civilian leadership pushed a "paperless process" as a way of saving untold dollars in acquisition and contracting.

One military official noted the Pentagon leadership had cut service budgets over the years on the assumption that a paperless process would save funds. But, this source said, the services were told they must provide their own funds to start up the JWRAC, and no additional funding has been identified in the out-years.

"We have relegated [operational security] to the attic of the Pentagon for years," this source said. "Now that our vulnerability on the Web is recognized, we have to take it out of hide."

The desire to cut down on paper while at the same time increasing openness to the public has led to higher security risks for the military, according to this service source. The Pentagon's civilian leadership "is discovering you can't cover your ass with electrons," this source quipped. One military source said defense contractor websites have been among "the worst offenders" in terms of providing a treasure trove of useful information for would-be adversaries. In the wake of DOD's removal of weapons information from its official websites, these private-sector sites have only grown in size, seemingly to take up the slack, said Pike.

Pike argues the Pentagon has gone overboard in its policy implementation and says much of the controversial or sensitive information never appeared on official DOD sites in the first place. A frequent "surfer" of Defense Department websites, Pike said he has never seen a Social Security number on a DOD site and has heard of only one instance in which a floor plan for a military facility in Germany was posted on an official page.

The information does appear on the Internet, Pike acknowledged, but it shows up on non-governmental sites over which the Defense Department has no control.

Pike was pessimistic that the new JWRAC cell will aid in the balanced approach called for by Bacon, the DOD spokesman, complaining, "If they're using people to be Net cops, it's all to take stuff off."

He said "whole agencies have kind of vanished" from the Web, including the Air Force Materiel Command, the Marine Corps Tactical Systems Support Activity, the Army Program Executive Office for Aviation, and the Navy's New Attack Submarine sites.

The creation of JWRAC is "just to make sure all the residual interesting stuff is taken off," Pike said, only partly in jest.

Meanwhile, Pike noted that the Pentagon's primary website, known as "DefenseLink," prominently featured the name and photograph of the first female pilot to serve in combat during the Operation Desert Fox attacks on Iraq in December. He said he would have thought this kind of information would top the list of potential security risks during an ongoing operation.

-- Elaine M. Grossman