Reserve Sets Up Web Security Cell
By Douglas J. Gillert
American Forces Press Service
WASHINGTON, Mar. 11, 1999 High-speed computers with memory not available off the shelf are beginning to fill a room at the Defense Information Systems Agency in Arlington, Va. There, 22 reservists will soon start scanning DoD Internet Web sites for operations security violations.
Defense Secretary William S. Cohen approved creation of the Web security cell in January, with DISA as the executive agent charged with making it happen. Since then, DISA and DoD Reserve Affairs have been purchasing equipment and hiring reservists with operational backgrounds and computer savvy. When the cell becomes operational March 20, DoD will have the ability to scan all 3,000 of its Web sites at least once a year.
"We're taking an operations security approach to looking at publicly available information on DoD component-sponsored Web sites," said Charles L. Cragin, assistant secretary of defense for reserve affairs. Besides looking at individual sites for security violations, he said, the cell also will do aggregate analyses -- see whether combining information from multiple sites creates a security risk.
When the team discovers a possible security problem, it will report the findings to the service component for corrective action. The cell helps defense agencies police their sites, but has no enforcement authority itself, Cragin said.
"We're not the 'black hat' guys. We're the guys who help the commanders and others improve their Web services," said Al Murphy, reserve program manager at DISA. "I think the sky is really the limit in regards to what we can offer the services and other DoD agencies in supporting this initiative."
Organizations won't have any warning before a Web security cell "visit."
"There's really no reason," Cragin said. "These sites are available to any member of the public worldwide, 24 hours a day, 365 days a year. We're essentially just going out and scrutinizing what has been put out for public consumption."
Murphy said cell members are currently attending an operations security school run by the National Security Agency. "We're also taking a look at how other private and federal agencies police their Web sites and benchmark our program against some already well-established ones," he said.
When the reservists assigned to the cell begin scanning sites, they'll work in teams of five, mostly on weekends when they would normally pull reserve duty. In the future, they may also work from alternate sites.
"Reservists don't necessarily have to be in one location," Cragin said. "We're starting out at DISA, but [Deputy Defense Secretary John] Hamre has asked us to report back to him in six months on the progress of the cell and also whether it's going to require an augmentation."
Defense leaders chose the reserve components to conduct Web surveillance because the job doesn't require full-time employment, Cragin said. "What it does require is operational expertise as well as technological expertise," he said. "We want people with backgrounds in aviation, surface warfare or armor, for example, so they can understand what they're reading. But they also have to know how to get at this information, how to utilize point-and-click and advanced search engines on the Internet.
"Secretary Cohen has found that in many instances we [the reserves] can get that level of expertise and retain it," Cragin said. "People in the reserve community are lured to the civilian community by the big bucks, but at the same time they're patriotic and want to serve."
The reserve component commanders also enthusiastically endorsed the plan, Cragin said. With the exception of DoD funding for computer equipment, the components will cover cell members' pay and allowances and provide two full-time administrative support positions from their manpower authorizations. "There was no addition to any end strength to stand up this unit," Cragin said. "It was all taken out of hide."
When DISA reports back to Hamre in August, it may be with a request for additional manpower, Murphy said. Based on an October 1998 pilot program, it would take 32 people to complete the average four-hour visits to each DoD Web site annually. But cooperation from the services, he said, could also help accomplish the task.
"We've gotten calls from the service components and some commands asking for help in setting up internal Web security cells," he said. "I think a partnership between those people and us would be a good thing."
Both Cragin and Murphy expressed confidence the cell will accomplish its mission. And that, Cragin said, is to improve the way DoD uses the Internet.