25 September 1998

Source: Fax from Office of the Assistant Secretary of Defense for Public Affairs. Thanks to SH.

DEPUTY SECRETARY OF DEFENSE

1010 DEFENSE PENTAGON
WASHINGTON, DC 20301-1010

24 SEP 1998

MEMORANDUM FOR

SECRETARIES OF THE MILITARY DEPARTMENTS CHAIRMAN OF THE JOINT CHIEFS OF STAFF UNDER SECRETARIES OF DEFENSE DIRECTOR, DEFENSE RESEARCH AND ENGINEERING ASSISTANT SECRETARIES OF DEFENSE INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE DIRECTOR, OPERATIONAL TEST & EVALUATION COMMANDERS OF THE COMBATANT COMMANDS ASSISTANTS TO THE SECRETARY OF DEFENSE DIRECTOR, ADMINISTRATION AND MANAGEMENT DIRECTORS OF THE DEFENSE AGENCIES DIRECTORS OF THE DOD FIELD ACTIVITIES

SUBJECT: Information Vulnerability and the World Wide Web

The World Wide Web provides the Department of Defense with a powerful tool to convey information quickly and efficiently on a broad range of topics relating to its activities, objectives, policies, and programs. It is at the heart of the Defense Reform Initiative and is key to the reeingineering and streamlining of our business practices. Similarly, fundamental to the American democratic process is the right of our citizens to know what government is doing, and the corresponding ability to judge its performance.

At the same time, however, he Web can also provide our adversaries with a potent instrument to obtain, correlate and evaluate an unprecedented volume of aggregated information regarding DoD capabilities, infrastructure, personnel and operational procedures. Such information, especially when combined with information from other sources, increases the vulnerability of DoD systems and may endanger DoD personnel and their families.

All DoD components that establish publicly accessible Web sites are responsible for ensuring that the information published on those sites does not compromise national security or place DoD personnel at risk. By authorizing the establishment of Web sites, component heads assume management responsibility that extends beyond general public affairs considerations regarding the release of information into their realm of operational security and force protection. Component heads must enforce the application of comprehensive risk management procedures to ensure that the considerable mission benefits gained using the Web are carefully balanced against the potential security and privacy risks created by have aggregated DoD information more readily accessible to a worldwide audience.

In view of the growing information roles and vulnerability of the Web within DoD, I am directing the following steps:

• Pending the development of detailed, procedural guidance, each component head shall immediately remove the following information from their publicly accessible (e.g. not password protected or domain restricted) Web sites:
  
  • Plans or lessons learned which would reveal sensitive military operations, exercises or vulnerabilities.
  • Reference to any information that would reveal sensitive movements of military assets or the location of units, installations, or personnel where uncertainty regarding location is an element of the security of a military plan or program.
  • All personal information in the following categories about U.S. citizens, DoD employees and military personnel: 1) Social Security Account Numbers; 2) dates of birth; 3) homes addresses, and 4) telephone numbers other than numbers of duty offices which are appropriately made available to the general public. In addition, remove names, locations and any other identifying information about family members of DoD employees and military personnel.
  • Addressees may grant waivers on a non-delegable basis when it has been determined that the immediate removal of information would adversely impact essential mission accomplishment.
    

• Within 60 days of this memorandum, each addressee shall report the completion of the above actions to the Assistant Secretary of Defense Command, Control, Communications, and Intelligence (ASD(C3I)). Included in this report will be instances where the addressee has granted a waiver.
  
  • During the above period, each component will evaluate the sensitivity of technological data included on its Web sites. These assessments will address the extent that such information, when compiled with other unclassified information, reveals an additional association or relationship that meets the standards for classification under Section 1.8(e) E.O. 12958. Recommendations addressing this issue should be included in the above report.

• The Assistant Secretary of Defense (C3I) will establish a task force to develop policy and procedural guidance that addresses the operational, public affairs, acquisition, technology, privacy, legal, and security issues associated with the use of DoD Web sites. Preliminary guidance will be promulgated within 60 days from the date of this memorandum.

• Within 3 months of the promulgation of the above procedural guidance, addressees will ensure that a comprehensive, multi-disciplinary security assessment is conducted for their DoD Web sites, and annually thereafter.

• Within six months from the date of this memorandum, the Assistant Secretary of Defense (C3I) will develop, in coordination with the Chairman of the Joint Chiefs of Staff, USD(P&R), and OGC, recommendations relating to the establishment of a training program which addresses information security on the Web.

• Within 6 months from the date of this memorandum, the Assistant Secretary of Defense for Reserve Affairs and the Chairman of the Joint Chiefs of Staff will develop and implement a plan that uses Reserve Component assets to conduct ongoing operational security and threat assessments of component Web sites.

• The Assistant Secretary of Defense (C3I) will accelerate the development and implementation of an architecture which enhances the protection of sensitive but unclassified information.

I believe that these steps will help us to manage Web information services better to strike the appropriate balance between openness and sound security. My point of contact is Mr. J. William Leonard. OASD(C3I) at (703) 697-2242.

[Signature]

John J. Hamre

Date:         Fri, 25 Sep 1998 10:05:11 -0400
Reply-To: jim.knotts@OSD.PENTAGON.MIL
Sender: DOD NEWS LIST <DODNEWS-L@DTIC.MIL>
From: dlnews_sender@DTIC.MIL

= N  E  W  S      R  E  L  E  A  S  E
=
= OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
= (PUBLIC AFFAIRS)
= WASHINGTON, D.C. 20301
=
= PLEASE NOTE DATE
====================================================


No. 500-98
IMMEDIATE RELEASE
September 25, 1998
(703)695-0192(media)
(703)697-5737(public/industry)

DEPUTY SECRETARY HAMRE ORDERS REVIEW OF WEB SECURITY

Deputy Secretary of Defense John Hamre today directed 
a department-wide review of information placed on publicly 
available Internet sites of the Department of Defense.  
All defense components with publicly accessible Web sites 
must ensure information published on their sites does not 
compromise national security or place DoD personnel at risk.

The World Wide Web provides the Department of Defense with 
a powerful tool to convey information quickly and efficiently 
on a broad range of topics.  It has allowed the Department to 
embrace a Revolution in Business Affairs and re-engineer many 
of its business practices, such as paper-free contract 
administration and finance, Internet-based commerce, and 
Internet-based publishing.  The global reach of the Web makes 
information, whether a press release or a statistical chart, 
easily available to everyone from individual Service members 
to the international community.

At the same time, the Internet may provide our adversaries with 
a potent instrument to obtain, correlate, and evaluate an 
unprecedented volume of aggregated information on defense 
personnel and activities.  The Department must assess the 
information posted on public DoD Web sites to ensure national 
security is not compromised or personnel placed at risk.

In signing out his review directive, Hamre stated, "Recently... 
I have become aware that some information...provides too much 
detail on DoD capabilities, infrastructure, personnel, and 
operational procedures.  Such details, especially when combined 
with information from other sources, may increase the 
vulnerability of DoD systems and potentially be used to threaten 
or harass DoD personnel and their families."  In particular, 
Hamre was concerned about the possibility of personal and private 
information relating to Service members such as social security 
numbers or home addresses being posted to a publicly accessible
web site.

Hamre added, "This new security guidance does not diminish in 
any way our plans to utilize Internet technology to revolutionize 
the business practices of the Department.  Our actions to advance 
electronic commerce and develop a paper-free acquisition system 
will continue at full speed.  We will, however, be more attentive 
to the security implications of this technology.  Security and 
efficiency can be achieved at the same time."

The review ordered today includes the following steps:

* Establishment of a task force to develop policy and procedural 
  guidance addressing operational, public affairs, acquisition, 
  technology, privacy, legal and security issues associated with 
  the use of DoD web sites, reporting to the Office of the 
  Assistant Secretary of Defense (Command, Control, Communications 
  and Intelligence).  This task force should issue preliminary 
  guidance to DoD components by late November 1998;

* Requirement for a security assessment of its Web sites by each 
  DoD component within three months of receiving the above task 
  force guidance and annually thereafter;

* Development of a training program on Web information security 
  issues by March 1999;

* Implementation of a plan by March 1999 to use Reserve Component 
  assets for ongoing operational security and threat assessments 
  of DoD Web sites; and

* Development and implementation of a computer architecture which 
  enhances the protection of sensitive but unclassified information.

Pending the development of detailed, procedural guidance and 
provided it would not adversely impact essential mission 
accomplishment, all DoD organizations are immediately required to 
remove certain information from publicly accessible Web sites, i.e., 
not domain or password-protected, including

* plans or lessons learned which would reveal sensitive military 
  operations, exercises or vulnerabilities;

* information on sensitive movements of military assets or the 
  location of units, installations, or personnel where uncertainty 
  regarding location is an element of the security of a military 
  plan or program; and

* personal data such as social security account numbers; complete 
  dates of birth; home addresses; and telephone numbers other than 
  public telephone numbers of duty offices.  In addition, names, 
  locations and any other identifying information about family 
  members of DoD employees and military personnel should be removed.

In directing these measures, Hamre said, "I believe that these steps 
will help us to better manage Web information services to strike 
the appropriate balance between openness and sound security."

-END-

NOTE: This is a plain text version of a web page.
If your mail reader did not properly format this information,
the original is online at http://www.defenselink.mil/news/
====================================================