GlobalSecurity.org In the News




Inside The Pentagon
August 23, 2001
Pg. 1

Many DOD Web Sites Remain Blocked In Classified Cyber-Security Case

A significant number of military Web sites have remained closed to the public for more than a month -- long after the commercial world resumed normal operations amid threat of the Code Red computer worm.

The reason for the prolonged public blackout of certain "dot-mil" sites -- which has largely gone unnoticed by the public and even many service officials -- is classified but is connected to the infamous worm that began propagating throughout the Internet last June, sources say.

The move has prompted speculation from security experts who say if the necessary software patch has already been installed to protect against the worm, there is no reason for the Defense Department to continue to cut off non-military users from any of its estimated 2,500 public Web sites.

"Because of the potential for scanning activity resulting from the Code Red worm's presence on the Internet to impact DOD networks, we have instituted protective measures to mitigate the effects of this worm, including installation of the patch for affected systems," U.S. Space Command's Joint Task Force for Computer Network Operations stated Aug. 21 in a written response to questions posed by Inside the Pentagon.

Another protective measure, the JTF-CNO added, is blocking public access from "most" DOD Web sites, although the task force declined to estimate how many sites were affected.

"This inconvenience must be weighed against the necessity to keep our networks intact and operating," the JTF-CNO later added.

Response to the blackout seems minimal, perhaps because the selected Web pages are not heavy traffic sites. The Pentagon's main Web sites and service homepages have remained open to the public.

Furthermore, most service members remain oblivious to the blackout because they can still access those sites if they are connected via the Pentagon's Non-classified Internet Protocol Router Network (NIPRNET).

"It's like the Pentagon disappeared a month ago and no one noticed," said John Pike, director of GlobalSecurity.org.

While the military wants to remind users that telephone and fax are still viable options for communication, Pike contends the blocked Web sites contain valuable documents that can be difficult to obtain from such a large organization burdened by red tape.

"The Internet is now the way people get information," Pike said. "And if the military is not releasing information on the Internet, they're not releasing information at all."

The JTF-CNO could not say when the sites will reopen.

The Pentagon announced last month it had temporarily blocked public access to all of its Web sites to install a software patch needed to protect against the Code Red worm and its several variants. On July 24, the Defense Department confirmed the restriction had been lifted (ITP, July 26, p1).

On Aug. 2, Pentagon spokesman Rear Adm. Craig Quigley told reporters DOD once again was blocking public access to some sites to avoid being "overly risky" regarding Code Red, even if it meant being too cautious.

Network security experts told ITP, however, that the same software patch installed to protect against Code Red would also protect against its variants, including the more harmful "Code Red II" worm that surfaced earlier this month.

Code Red II exploits the same vulnerability as earlier variants of Code Red I, but installs a backdoor on the system.

Sources said this week the commercial sector has not responded to any of the Code Red variants by blocking public access longer than necessary to install the software patch.

"Either dot-mil has profoundly overreacted, or the rest of the Internet has underreacted," Pike said.

During the Aug. 2 press briefing, Quigley said the patches still don't protect the servers from being scanned by other systems infected by Code Red.

"So what you see is a greatly increased volume of activity coming into a server," he said. "You keep that up long enough, and you'll crash the server."

Perhaps most puzzling, however, is why the military would choose to pull down only certain sites and not others. The Army's Air Defense Artillery Center in Ft. Bliss, TX, for example, remains open, while the Web page for Ft. Lewis, WA, is closed. The JTF-CNO was unable to comment on "operational procedures" employed to protect against the worm.

Officials at sites contacted by ITP seemed unaware of whether their pages could be accessed by the public and said all accessibility is determined by the Defense Information Systems Agency. DISA is co-located with the JTF-CNO in Arlington, VA.

"Given the fluency of the situation created by the many ongoing actions at all levels of our decentralized information systems architecture, any estimate of the number of sites not available to the public would be speculative at best," the JTF-CNO wrote in its statement.

-- Anne Plummer