Critics: DOD Web policies too strict
- By Dan Verton
- Dec 20, 1998
This month's release of the Defense Department's long-awaited policies and procedures for posting official information on DOD World Wide Web sites puts unprecedented discretion in the hands of local commanders and marks a significant departure from past Web guidance.
DOD's "Web Site Administration Policies and Procedures" delegates to DOD component and unit commanders the authority to decide whether a command or unit will maintain a Web site, and it lists a broad range of information— such as maps and evaluations of commercial products— as inappropriate for posting.
The document directs component and unit commanders to "ensure all information placed on publicly accessible Web sites is appropriate for worldwide dissemination and does not place national security, DOD personnel and assets, mission effectiveness or the privacy of individuals at an unacceptable level of risk."
John Pike, a defense and intelligence analyst with the Federation of American Scientists, said the policies create a narrow definition of what DOD organizations can post on the Web. "This is a wartime information policy," he said. "This [latest document] basically says, 'Loose lips sink ships.' It's an absolutely paranoid document."
The policies were developed by a joint task force appointed in September by deputy Defense secretary John Hamre as part of a departmentwide action plan to look into Web security policy [FCW, Sept. 28]. The guidance applies to all publicly and non-publicly accessible DOD Web sites as well as DOD information posted on government contractors' Web sites.
The new guidance directs all military organizations within the next four months to undertake a comprehensive, multidisciplinary security assessment, which includes the use of sophisticated natural-language search engines to determine if classified information can be gleaned from the mass of data on a Web site.
Of particular concern in the new guidance was information deemed to be "For Official Use Only," which the document describes as "information whose sensitivity may be increased when electronically aggregated in significant volume." Included under this heading of information were:
* Unit organization charts.
* Detailed mission statements.
* Specific unit phone numbers.
* Images of command and control nodes.
* Command, control, communications, computers and intelligence architectures.
* Tactics, techniques and procedures.
* Tests and evaluations of commercial products or military hardware.
* Software documentation.
* Premature release of information on patentable military systems or developmental processes.
* Unclassified technical data with military or space applications.
* Reports of technology innovations from the Centers for Industrial Technology.
* Maps, charts and geodetic data.
Pike said much of the guidance on how to tell the difference between sensitive and releasable information is vague and leaves quite a bit of room for interpretation by local commanders— a situation that could result in the removal or significant degradation of many DOD Web sites.
"My concern is that [military commanders and Webmasters] are going to look at this and say 'It's just too complicated' and then take the whole [Web site] down," Pike said. "There's no way they are going to be able to effectively implement this." According to the document, "Only information of value to the general public and which does not require additional protection should be posted to publicly accessible sites on the World Wide Web." For information "of questionable value to the general public" or which "poses an unacceptable risk" to national security, the guidance requires DOD Web sites to use access controls.
A DOD spokesperson said the document's critics do not "give common-sense credit to the [DOD] folks in the field," adding that the instructions will not result in an en masse shutdown of DOD Web sites. The spokesperson said the guidelines are strictly a means to provide security and protection to the department and are not meant to block the free flow of information. "We needed to put some markers down at some point," the spokesperson said.
Kurt Molholm, administrator of the Defense Technical Information Center, which oversees about 90 Web sites, said he does not agree that DOD's new Web guidance constitutes a wartime policy. "It's more of an information management issue than a technical issue," Molholm said. More importantly, "DOD has done a good job of opening itself to the public," he said. "What [this policy] really says is that you have to make a judgment."
Wayne Madsen, senior fellow with the Electronic Privacy Information Center, said DOD should be prepared to hire extra staff to handle all the Freedom of Information Act requests that likely will result from Web sites being shut down. "I hope they have the money in their future budgets for that," Madsen said.