- WASHINGTON (AP) -- The chairman of the Joint Chiefs of Staff looked on as
Pentagon cyber-warriors clicked away at their laptops and showed how would-be
terrorists could find his son's home address.
- Army Gen. Henry Shelton then got a demonstration
of how a skilled adversary might combine publicly available biographies
and contractor information on military Web sites with a few well-placed
phone calls to pin down the dates of highly classified nuclear exercises.
- The classified briefing, held in Shelton's
Pentagon office, was then given to other generals and admirals as well
as senior civilians, generating a momentum that has led the military to
order a massive scrub of its vast network of Internet sites.
- Deputy Defense Secretary John Hamre said
military Web sites offered adversaries "a potent instrument to obtain,
correlate and evaluate an unprecedented volume of aggregated information"
that could, when combined with other sources of information, "endanger
Department of Defense personnel and their families."
- Instituted Dec. 7, the policy change
has touched off a debate as some critics argue the Pentagon went too far
in restricting the information that it makes public on the Internet.
- In response, defense and national security
officials have become more willing to discuss, on condition of not being
identified by name, the nature of the risk their detailed review of military
Web sites revealed.
- "There was information that was
potentially tactically useful to an adversary, the kind of thing where
if someone really wanted to do harm to your personnel, it could facilitate
them in undertaking an attack," said one senior defense official working
on Internet security issues. Another national security official called
the briefings "eye-openers" that startled commanders.
- The briefings stemmed from work done
in 1997 and 1998 by Pentagon "red teams," a term associated with
a notional enemy force in war games. Team members tried to learn how much
mischief they could do by skillfully scanning military Web sites, without
any sophisticated hacking. They showed Shelton, himself a former special
operations specialist, how his own biography posted on a military Web site
combined with non-military databases could quickly lead a terrorist to
the home address of one of his sons living in Florida.
- The red teams found detailed maps and
aerial photographs of military installations that would help anyone planning
a strike or a terrorist action. These were the kinds of pictures, one senior
official noted ruefully, that the United States spent billions to get during
the Cold War through its spy satellite network. Now the United States was
giving such imagery away for free on the Internet.
- Senior officers were particularly concerned
when one of the red teams was able to combine a variety of data and make
highly accurate estimates about the timing of nuclear weapons drills, exercises
and readiness checks, according to two senior national security officials
familiar with the briefings.
- Biographies of individual commanders
of units likely to be involved in such operations combined with phone calls
to those commanders' bases yielded information about temporary duty assignments
in Nevada at installations involved in nuclear weapons handling. Military
Web sites containing contractor information, particularly formal requests
for bids to supply particular security equipment, helped further hone this
detective work, according to the officials.
- Cleaning the military Web sites of potentially
dangerous information has proved a monumental task. Bill Leonard, a top
Pentagon information security official, said the military was unsure initially
how many Web sites it had, and even today can only provide an estimate.
For a time, the Army completely closed off access to its 1,000 Web sites.
Now back online, the Army's Web sites have been substantially trimmed,
as have those of the other services. Entire Internet addresses have been
put off limits, with the terse message on the computer screen that information
previously available has been removed for security reasons.
- Some think the scrub of military Web
sites has gone too far.
- "This is a wartime information policy,"
said John Pike of the Federation of American Scientists, a Washington-based
research group that follows military and intelligence matters. "All
kinds of program information is being withdrawn. Almost anything that discloses
what an agency actually does, beyond a brief mission statement, is going
- The Federation is pursuing release of
some of the deleted information under the Freedom of Information Act. In
its filing with the Pentagon's security review office, the Federation said
anything released as a result of the complaint should come in electronic
form so the Federation can post the information on its Web site.
- To date, the Pentagon cannot point to
a specific incident where information posted on a military Web site resulted
in harm to U.S. national security.
- "The menacing scenarios have remained
just that -- only scenarios," according to George Smith, editor of
The Crypt Newsletter, an online publication dealing with computer security.
- But the Pentagon says it has solid electronic
evidence that foreign countries, including some adversaries, are regular
visitors to U.S. military Web sites.