Hamre Orders DoD Web Security Review
American Forces Press Service
WASHINGTON, Sept. 25, 1998 Deputy Defense Secretary John Hamre directed a security review Sept. 24 to ensure information on publicly accessible DoD Internet sites does not compromise national security or place personnel at risk.
"The Internet World Wide Web provides the department with a powerful tool to convey information quickly and efficiently on a broad range of topics," Hamre said in a memorandum sent departmentwide. "At the same time, … " he added, "such information, especially when combined with information from other sources, increases the vulnerability of DoD systems and may endanger DoD personnel and their families."
Hamre said he was concerned about the possibility of personal and private information being posted to publicly accessible Web sites, such as service members' Social Security numbers or home addresses.
The department uses the Internet in a variety of ways, including contract administration, finance, electronic commerce and news reporting. The activities won't change, he said, but more attention will be given to the security implications of Web technology. "Security and efficiency can be achieved at the same time," he said.
Hamre's order for the review includes the creation of a task force to develop policy and procedures addressing operational, public affairs, acquisition, technology, privacy, legal and security issues associated with the use of DoD Web sites. The group's preliminary guidance should be issued to the field by late November, he said.
Pending the task force guidance, and provided that essential missions are unaffected, all DoD organizations have 60 days to remove from their public Web sites: plans or lessons learned that would reveal sensitive military operations, exercises or vulnerabilities; information on sensitive troop movements; personal data such as Social Security numbers, birth dates, home addresses and home phone numbers; and any other identifying information about family members of DoD employees and military personnel.
The Hamre order directs all DoD components to conduct a comprehensive security assessment of all their Web sites within three months of receiving the task force guidance, and conduct annual reassessments thereafter. It orders a plan be implemented by March 1999 that uses reserve component assets to conduct operational security and threat assessments of DoD Web sites. It also orders the development of a Web information security training program by March 1999.
"I believe that these steps will help us to better manage Web information services to strike the appropriate balance between openness and sound security," Hamre said. For more information and discussion about department Web security issues, visit DoD's home page at www.defenselink.mil and its special, Web security pages at http://websecurity.afis.osd.mil.