Internet Presents Web of Security Issues
By Paul Stone
American Forces Press Service
WASHINGTON, Sept. 25, 1998 In a briefing room deep in the Pentagon earlier this year, Air Force Lt. Col. Buzz Walsh and Maj. Brad Ashley presented a series of briefings to top DoD leaders that raised more than just a few eyebrows.
Selected leaders were shown how it was possible to obtain their individual social security numbers, unlisted home phone numbers, and a host of other personal information about themselves and their families simply by cruising the Internet.
Walsh and Ashley, members of the Pentagon's Joint Staff, were not playing a joke on the leaders. Nor were they trying to be clever. Rather they were dramatically, and effectively demonstrating the ease of accessing and gathering personal and military data on the information highway information which, in the wrong hands, could translate into a vulnerability.
"You don't need a Ph.D. to do this," Walsh said about the ability to gather the information. "There's no rocket science in this capability. What's amazing is the ease and speed and the minimal know-how needed. The tools (of the Net) are designed for you to do this."
The concern over personal information on key DoD leaders began with a simple inquiry from one particular flag officer who said he was receiving a large number of unsolicited calls at home. In addition to having the general's unlisted number, the callers knew specifically who he was.
Beginning with that one inquiry, the Joint Staff set out to discover just how easy it is to collect data not only on military personnel, but the military in general. They used personal computers at home, used no privileged information not even a DoD phone book and did not use any on-line services that perform investigative searches for a fee.
In less than five minutes on the Net Ashley, starting with only the general's name, was able to extract his complete address, unlisted phone number, and using a map search engine, build a map and driving directions to his house.
Using the same techniques and Internet search engines, they visited various military and military-related Web sites to see how much and the types of data they could gather. What they discovered was too much about too much, and seemingly too little concern about the free flow of information vs. what the public needs to know.
For example, one Web site for a European-based installation provided more than enough information for a potential adversary to learn about its mission and to possibly craft an attack. Indeed, the Web site contained an aerial photograph of the buildings in which the communication capabilities and equipment were housed. By pointing and clicking on any of the buildings, a Web surfer would learn the name of the communications system housed in the building and its purpose.
Taking their quest for easily accessible information one step further, the Joint Staff decided to see how much information could be collected just by typing a military system acronym into an Internet search engine. While not everyone would be familiar with defense-related acronyms, many of them are now batted around the airwaves on talk shows and on the Internet in military-related chat rooms. They soon discovered how easy it was to obtain information on almost any topic, with one Web site hyper-linking them to another on the same topic.
What the Joint Staff was doing when they collected their information is commonly called "data mining" -- surfing the Net to collect bits of information on individuals, specific topics or organizations, and then trying to piece together a complete picture. Individuals do it, organizations do it and some companies do it for profit.
While the information they discovered presented legitimate concerns, it wasn't all negative. The Army's Ft. Belvoir, Va., home page was cited as one example of a Web site which served the needs of both the military and the public. It had the sort of information families or interested members of the public need and should get.
So what does all this mean? Is DoD creating individual and institutional security problems? In the rush to make information available to the internal audience, is too much being made available to the public and those who might want to inflict harm?
The Joint Staff doesn't pretend to have all the answers to these questions, but is encouraging users to think about these issues whenever they put information on the Internet; and they believe that, in some cases, DoD is it's own worst enemy.
Michael J. White, DoD's assistant director for security countermeasures, agrees with the Joint Staff analysis. Moreover, as a security expert, he is concerned DoD does indeed exceed what needs to be on the Internet.
"For fear of not telling our story well enough, we have told too much," he said. "Personally, I think there's too much out there and you need to stop and ask the question: Does this next paragraph really need to be there, or can I extract enough or abstract enough so that the intent is there without the specificity? And that is hard to do because we are pressed every day. So sometimes expediency gets ahead of pausing for a minute and thinking through the process: Does the data really need to be there? Is it going to hurt me tomorrow morning?
DoD's policy on releasing information to the public, as spelled out by Defense Secretary William Cohen in April 1997, requires DoD "to make available timely and accurate information so that the public, Congress and the news media may assess and understand the facts about national security and defense strategy." The same statement requires that "information be withheld only when disclosure would adversely affect national security or threaten the men and women of the Armed Forces."
"On the one hand," Ashley said, "we have fast, cheap and easy global communication and coordination. On the other hand, we find ourselves protecting official information and essential elements of information against point-and-click aggregation. Clearly, this balancing act is a function of risk management. Full openness and full protection are equally bad answers. We have a serious education, training and awareness issue that needs to be addressed."
The Joint Staff repeatedly returns to the issue of "point- and-click aggregation" as a problem that is often overlooked when military personnel and organizations place data on the Internet. What they're referring to is the ability to collect bits of information from several different Web sites to compile a more complete picture of an individual, issue or organization with very little effort.
"The biggest mistake people make is they don't understand how easy it is to aggregate information," Walsh said.
The lesson from this is that even though what is posted on the Net is perfectly innocent in and by itself, when combined with other existing information, a larger and more complete picture might be put together that was neither intended nor desired.
A more obvious problem, yet still one not always considered when posting information on the Internet, is that the "www" in Web site addresses stands for "world wide" Web. Information posted may be intended only for an internal audience perhaps even a very small and very specific group of people. But on the Net, it's available to the world.
This, security experts agree, is an enormous change from the time when foreign intelligence gathering was extremely labor intensive and could only be done effectively on U.S. soil.
"If I'm a bad guy, I can sit back in the security of my homeland and spend years looking for a vulnerability before I decide to take a risk and commit resources," Ashley said. "I'm at absolutely no risk by doing that. I can pick out the most lucrative targets before hand, and may even just bookmark those targets for future use. We won't know something has been compromised until it's too late."
White agrees with the Joint Staff's concern.
"You can sit in Germany and have access to the United States just as easily as you can in Australia or the People's Republic of China or Chile," White said. "It doesn't matter where you are. You can go back and forth and in between and lose your identity on the net instantaneously. Those who seek to use the system feel comfortable they won't be discovered."
In addition to these issues, security experts see another recurring and disturbing problem. In the rush to take advantage of the Net's timeliness and distribution capabilities, military personnel are forgetting about or ignoring the For Official Use Only policies which previously made the information more difficult to obtain. Yet anyone using the Internet doesn't have to venture far into the array of military Web sites to come across one which states: "For Official Use Only."
If the information is For Official Use Only, security experts said Web site developers, managers and commanders must ask themselves whether the information should be there in the first place.
While officials are most concerned about the information being placed on military Web sites, they had similar warnings about individual or family Web sites. The Joint Staff recommends the same precautions should apply at home, especially as personnel move into high-ranking, key leadership positions.
At a time when the flow of information is beyond anyone's capability to either digest it or control its direction, it's not likely the problems brought forward recently by the Joint Staff will be solved any time soon. The first step, security experts said, is awareness the problems exist. Commanders have to understand not just the information capabilities of the World Wide Web, but the information vulnerabilities as well.
The second step, Walsh pointed out, is for commanders to become actively involved in the issue of what's being put on the Internet. Current DoD policies require that local commander, public affairs and security reviews prior to release of data on Web pages. But the flow of information is so great, these reviews may not be occurring and few are looking at the aggregation problem.
"I think it would be very appropriate for a public affairs officer to be the commander's lead representative," Walsh said. "But it's a commander's issue and it should go down command lines. This is certainly an operational security issue. Just like operational security is everybody's business, this ultimately is everyone's responsibility."
White concurred and recommends installations create "security-integrated product teams" which would be tasked to develop and implement guidelines for creating and monitoring Web sites on the installation.
"I think having a group come together before the (Web site development) process begins will remove an awful lot of pain in the long run," White said. "We need to step back one step and think before we begin any effort, because once it's done you can't undo it. That makes it very hard in a digital environment."
Although it's not possible to retrieve what's already on the World Wide Web, nor predict how it will influence future security issues, Walsh, Ashley and White believe it's not too late to make a difference. With a little more forethought and a lot more planning, it will be possible to better protect the next generation of warfighters, both on and off the battlefield, they said.