Internet Presents Web of Security Issues

 
 [Note to Editors: For a downloadable copy of this story 
 with color graphics and sidebars, point your browser to 
 www.defenselink.mil or http://websecurity.afis.osd.mil.]
By Paul Stone
 
American Forces Press Service

 WASHINGTON -- In a briefing room deep in the Pentagon 
 earlier this year, Air Force Lt. Col. Buzz Walsh and Maj. 
 Brad Ashley presented a series of briefings to top DoD 
 leaders that raised more than just a few eyebrows.
 Selected leaders were shown how it was possible to obtain 
 their individual social security numbers, unlisted home 
 phone numbers, and a host of other personal information 
 about themselves and their families - simply by cruising 
 the Internet.
 Walsh and Ashley, members of the Pentagon's Joint Staff, 
 were not playing a joke on the leaders. Nor were they 
 trying to be clever. Rather, they were dramatically and 
 effectively demonstrating the ease of accessing and 
 gathering personal and military data on the information 
 highway - information which, in the wrong hands, could 
 translate into a vulnerability.
 "You don't need a Ph.D. to do this," Walsh said about the 
 ability to gather the information. "There's no rocket 
 science in this capability. What's amazing is the ease and 
 speed and the minimal know-how needed. The tools (of the 
 Net) are designed for you to do this."
 The concern over personal information on key DoD leaders 
 began with a simple inquiry from one particular flag 
 officer who said he was receiving a large number of 
 unsolicited calls at home. In addition to having the 
 general's unlisted number, the callers knew specifically 
 who he was.
 Beginning with that one inquiry, the Joint Staff set out to 
 discover just how easy it is to collect data not only on 
 military personnel, but the military in general. They used 
 personal computers at home, used no privileged information 
 - not even a DoD phone book - and did not use any on-line 
 services that perform investigative searches for a fee.
 In less than five minutes on the Net, Ashley, starting with 
 only the general's name, was able to extract his complete 
 address and unlisted phone number and, using a map search 
 engine, build a map and driving directions to his house.
 Using the same techniques and Internet search engines, they 
 visited various military and military-related Web sites to 
 see how much data, and what types, they could gather. What 
 they discovered was too much about too much, and seemingly 
 too little concern about the free flow of information vs. 
 what the public needs to know.
 For example, one Web site for a European-based installation 
 provided more than enough information for a potential 
 adversary to learn about its mission and to possibly craft 
 an attack. Indeed, the Web site contained an aerial 
 photograph of the buildings in which the communication 
 capabilities and equipment were housed. By pointing and 
 clicking on any of the buildings, a Web surfer would learn 
 the name of the communications system housed in the 
 building and its purpose.
 Taking their quest for easily accessible information one 
 step further, the Joint Staff decided to see how much 
 information could be collected just by typing a military 
 system acronym into an Internet search engine. While not 
 everyone would be familiar with defense-related acronyms, 
 many of them are now batted around the airwaves on talk 
 shows and on the Internet in military-related chat rooms. 
 They soon discovered how easy it was to obtain information 
 on almost any topic, with one Web site hyper-linking them 
 to another on the same topic.
 What the Joint Staff was doing when they collected their 
 information is commonly called "data mining" -- surfing the 
 Net to collect bits of information on individuals, specific 
 topics or organizations, and then trying to piece together 
 a complete picture. Individuals do it, organizations do it 
 and some companies do it for profit.
 While the information they discovered presented legitimate 
 concerns, it wasn't all negative. The Army's Ft. Belvoir, 
 Va., home page was cited as one example of a Web site which 
 served the needs of both the military and the public. It 
 had the sort of information families or interested members 
 of the public need and should get.
 So what does all this mean? Is DoD creating individual and 
 institutional security problems? In the rush to make 
 information available to the internal audience, is too much 
 being made available to the public and those who might want 
 to inflict harm?
 The Joint Staff doesn't pretend to have all the answers to 
 these questions, but is encouraging users to think about 
 these issues whenever they put information on the Internet; 
 and they believe that, in some cases, DoD is its own worst 
 enemy.
 Michael J. White, DoD's assistant director for security 
 countermeasures, agrees with the Joint Staff analysis. 
 Moreover, as a security expert, he is concerned DoD does 
 indeed exceed what needs to be on the Internet.
 "For fear of not telling our story well enough, we have 
 told too much," he said. "Personally, I think there's too 
 much out there ... and you need to stop and ask the question: 
 Does this next paragraph really need to be there, or can I 
 extract enough or abstract enough so that the intent is 
 there without the specificity? And that is hard to do 
 because we are pressed every day. So sometimes expediency 
 gets ahead of pausing for a minute and thinking through the 
 process: Does the data really need to be there? Is it going 
 to hurt me tomorrow morning?"
 DoD's policy on releasing information to the public, as 
 spelled out by Defense Secretary William Cohen in April 
 1997, requires DoD "to make available timely and accurate 
 information so that the public, Congress and the news media 
 may assess and understand the facts about national security 
 and defense strategy." The same statement requires that 
 "information be withheld only when disclosure would 
 adversely affect national security or threaten the men and 
 women of the Armed Forces."
 "On the one hand," Ashley said, "we have fast, cheap and 
 easy global communication and coordination. On the other 
 hand, we find ourselves protecting official information and 
 essential elements of information against point-and-click 
 aggregation. Clearly, this balancing act is a function of 
 risk management. Full openness and full protection are 
 equally bad answers. We have a serious education, training 
 and awareness issue that needs to be addressed."
 The Joint Staff repeatedly returns to the issue of "point-
 and-click aggregation" as a problem that is often 
 overlooked when military personnel and organizations place 
 data on the Internet. What they're referring to is the 
 ability to collect bits of information from several 
 different Web sites to compile a more complete picture of 
 an individual, issue or organization with very little 
 effort.
 "The biggest mistake people make is they don't understand 
 how easy it is to aggregate information," Walsh said.
 The lesson from this is that even though what is posted on 
 the Net is perfectly innocent in and by itself, when 
 combined with other existing information, a larger and more 
 complete picture might be put together that was neither 
 intended nor desired.
 A more obvious problem, yet still one not always considered 
 when posting information on the Internet, is that the "www" 
 in Web site addresses stands for "world wide" Web. 
 Information posted may be intended only for an internal 
 audience - perhaps even a very small and very specific 
 group of people. But on the Net, it's available to the 
 world.
 This, security experts agree, is an enormous change from 
 the time when foreign intelligence gathering was extremely 
 labor intensive and could only be done effectively on U.S. 
 soil.
 "If I'm a bad guy, I can sit back in the security of my 
 homeland and spend years looking for a vulnerability before 
 I decide to take a risk and commit resources," Ashley said. 
 "I'm at absolutely no risk by doing that. I can pick out 
 the most lucrative targets beforehand, and may even just 
 bookmark those targets for future use. We won't know 
 something has been compromised until it's too late."
 White agrees with the Joint Staff's concern.
 "You can sit in Germany and have access to the United 
 States just as easily as you can in Australia or the 
 People's Republic of China or Chile," White said. "It 
 doesn't matter where you are. You can go back and forth and 
 in between and lose your identity on the net 
 instantaneously. Those who seek to use the system feel 
 comfortable they won't be discovered."
 In addition to these issues, security experts see another 
 recurring and disturbing problem. In the rush to take 
 advantage of the Net's timeliness and distribution 
 capabilities, military personnel are forgetting about or 
 ignoring the For Official Use Only policies which 
 previously made the information more difficult to obtain. 
 Yet anyone using the Internet doesn't have to venture far 
 into the array of military Web sites to come across one 
 which states: "For Official Use Only."
 If the information is For Official Use Only, security 
 experts said Web site developers, managers and commanders 
 must ask themselves whether the information should be there 
 in the first place.
 While officials are most concerned about the information 
 being placed on military Web sites, they had similar 
 warnings about individual or family Web sites. The Joint 
 Staff recommends the same precautions should apply at home, 
 especially as personnel move into high-ranking, key 
 leadership positions.
 At a time when the flow of information is beyond anyone's 
 capability to either digest it or control its direction, 
 it's not likely the problems brought forward recently by 
 the Joint Staff will be solved any time soon. The first 
 step, security experts said, is awareness the problems 
 exist. Commanders have to understand not just the 
 information capabilities of the World Wide Web, but the 
 information vulnerabilities as well.
 The second step, Walsh pointed out, is for commanders to 
 become actively involved in the issue of what's being put 
 on the Internet. Current DoD policies require local 
 commander, public affairs and security reviews prior to 
 release of data on Web pages. But the flow of information 
 is so great, these reviews may not be occurring and few are 
 looking at the aggregation problem.
 "I think it would be very appropriate for a public affairs 
 officer to be the commander's lead representative," Walsh 
 said. "But it's a commander's issue and it should go down 
 command lines. This is certainly an operational security 
 issue. Just like operational security is everybody's 
 business, this ultimately is everyone's responsibility."
 White concurred and recommends installations create 
 "security-integrated product teams" which would be tasked 
 to develop and implement guidelines for creating and 
 monitoring Web sites on the installation.
 "I think having a group come together before the (Web site 
 development) process begins will remove an awful lot of 
 pain in the long run," White said. "We need to step back 
 one step and think before we begin any effort, because once 
 it's done you can't undo it. That makes it very hard in a 
 digital environment."
 Although it's not possible to retrieve what's already on 
 the World Wide Web, nor predict how it will influence 
 future security issues, Walsh, Ashley and White believe 
 it's not too late to make a difference. With a little more 
 forethought and a lot more planning, it will be possible to 
 better protect the next generation of warfighters, both on 
 and off the battlefield, they said.
 



