Pentagon Reconsiders What
To Put On The Net

WASHINGTON (AP) -- The chairman of the Joint Chiefs of Staff looked on as Pentagon cyber-warriors clicked away at their laptops and showed how would-be terrorists could find his son's home address.
Army Gen. Henry Shelton then got a demonstration of how a skilled adversary might combine publicly available biographies and contractor information on military Web sites with a few well-placed phone calls to pin down the dates of highly classified nuclear exercises.
The classified briefing, held in Shelton's Pentagon office, was then given to other generals and admirals as well as senior civilians, generating a momentum that has led the military to order a massive scrub of its vast network of Internet sites.
Deputy Defense Secretary John Hamre said military Web sites offered adversaries "a potent instrument to obtain, correlate and evaluate an unprecedented volume of aggregated information" that could, when combined with other sources of information, "endanger Department of Defense personnel and their families."
Instituted Dec. 7, the policy change has touched off a debate as some critics argue the Pentagon went too far in restricting the information that it makes public on the Internet.
In response, defense and national security officials have become more willing to discuss, on condition of not being identified by name, the nature of the risk their detailed review of military Web sites revealed.
"There was information that was potentially tactically useful to an adversary, the kind of thing where if someone really wanted to do harm to your personnel, it could facilitate them in undertaking an attack," said one senior defense official working on Internet security issues. Another national security official called the briefings "eye-openers" that startled commanders.
The briefings stemmed from work done in 1997 and 1998 by Pentagon "red teams," a term associated with a notional enemy force in war games. Team members tried to learn how much mischief they could do by skillfully scanning military Web sites, without any sophisticated hacking. They showed Shelton, himself a former special operations specialist, how his own biography posted on a military Web site combined with non-military databases could quickly lead a terrorist to the home address of one of his sons living in Florida.
The red teams found detailed maps and aerial photographs of military installations that would help anyone planning a strike or a terrorist action. These were the kinds of pictures, one senior official noted ruefully, that the United States spent billions to get during the Cold War through its spy satellite network. Now the United States was giving such imagery away for free on the Internet.
Senior officers were particularly concerned when one of the red teams was able to combine a variety of data and make highly accurate estimates about the timing of nuclear weapons drills, exercises and readiness checks, according to two senior national security officials familiar with the briefings.
Biographies of individual commanders of units likely to be involved in such operations combined with phone calls to those commanders' bases yielded information about temporary duty assignments in Nevada at installations involved in nuclear weapons handling. Military Web sites containing contractor information, particularly formal requests for bids to supply particular security equipment, helped further hone this detective work, according to the officials.
Cleaning the military Web sites of potentially dangerous information has proved a monumental task. Bill Leonard, a top Pentagon information security official, said the military was unsure initially how many Web sites it had, and even today can only provide an estimate. For a time, the Army completely closed off access to its 1,000 Web sites. Now back online, the Army's Web sites have been substantially trimmed, as have those of the other services. Entire Internet addresses have been put off limits, with the terse message on the computer screen that information previously available has been removed for security reasons.
Some think the scrub of military Web sites has gone too far.
"This is a wartime information policy," said John Pike of the Federation of American Scientists, a Washington-based research group that follows military and intelligence matters. "All kinds of program information is being withdrawn. Almost anything that discloses what an agency actually does, beyond a brief mission statement, is going away."
The Federation is pursuing release of some of the deleted information under the Freedom of Information Act. In its filing with the Pentagon's security review office, the Federation said anything released as a result of the complaint should come in electronic form so the Federation can post the information on its Web site.
To date, the Pentagon cannot point to a specific incident where information posted on a military Web site resulted in harm to U.S. national security.
"The menacing scenarios have remained just that -- only scenarios," according to George Smith, editor of The Crypt Newsletter, an online publication dealing with computer security.
But the Pentagon says it has solid electronic evidence that foreign countries, including some adversaries, are regular visitors to U.S. military Web sites.