IMMEDIATE RELEASE
September 25, 1998
(703)697-5737(public/industry)
(703)695-0192(media)

Deputy Secretary of Defense John Hamre today directed a department-wide review of information placed on publicly available Internet sites of the Department of Defense. All defense components with publicly accessible Web sites must ensure information published on their sites does not compromise national security or place DoD personnel at risk.

The World Wide Web provides the Department of Defense with a powerful tool to convey information quickly and efficiently on a broad range of topics. It has allowed the Department to embrace a Revolution in Business Affairs and re-engineer many of its business practices, such as paper-free contract administration and finance, Internet-based commerce, and Internet-based publishing. The global reach of the Web makes information, whether a press release or a statistical chart, easily available to everyone from individual Service members to the international community.

At the same time, the Internet may provide our adversaries with a potent instrument to obtain, correlate, and evaluate an unprecedented volume of aggregated information on defense personnel and activities. The Department must assess the information posted on public DoD Web sites to ensure national security is not compromised or personnel placed at risk.

In signing out his review directive, Hamre stated, "Recently... I have become aware that some information...provides too much detail on DoD capabilities, infrastructure, personnel, and operational procedures. Such details, especially when combined with information from other sources, may increase the vulnerability of DoD systems and potentially be used to threaten or harass DoD personnel and their families." In particular, Hamre was concerned about the possibility of personal and private information relating to Service members such as social security numbers or home addresses being posted to a publicly accessible web site.

Hamre added, "This new security guidance does not diminish in any way our plans to utilize Internet technology to revolutionize the business practices of the Department. Our actions to advance electronic commerce and develop a paper-free acquisition system will continue at full speed. We will, however, be more attentive to the security implications of this technology. Security and efficiency can be achieved at the same time."

The review ordered today includes the following steps:

Establishment of a task force to develop policy and procedural guidance addressing operational, public affairs, acquisition, technology, privacy, legal and security issues associated with the use of DoD web sites, reporting to the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence). This task force should issue preliminary guidance to DoD components by late November 1998; Requirement for a security assessment of its Web sites by each DoD component within three months of receiving the above task force guidance and annually thereafter;

• Development of a training program on Web information security issues by March 1999;
• Implementation of a plan by March 1999 to use Reserve Component assets for ongoing operational security and threat assessments of DoD Web sites; and
• Development and implementation of a computer architecture which enhances the protection of sensitive but unclassified information.

Pending the development of detailed, procedural guidance and provided it would not adversely impact essential mission accomplishment, all DoD organizations are immediately required to remove certain information from publicly accessible Web sites, i.e., not domain or password-protected, including

• plans or lessons learned which would reveal sensitive military operations, exercises or vulnerabilities;
• information on sensitive movements of military assets or the location of units, installations, or personnel where uncertainty regarding location is an element of the security of a military plan or program; and
• personal data such as social security account numbers; complete dates of birth; home addresses; and telephone numbers other than public telephone numbers of duty offices. In addition, names, locations and any other identifying information about family members of DoD employees and military personnel should be removed.

In directing these measures, Hamre said, "I believe that these steps will help us to better manage Web information services to strike the appropriate balance between openness and sound security."