Whoops! War plans online
- By Dan Verton
- May 01, 2000
A new reserve unit that monitors the Defense Department's presence on the
World Wide Web has found an astonishing amount of classified or sensitive
material on public sites.
The Web Risk Assessment Team, established by the Joint Task Force for
Computer Network Defense, is made up of reservists who spend one weekend
each month scanning DOD Web sites for sensitive or classified information
that shouldn't be posted on the Internet, according to Air Force Maj. Gen.
John Campbell, commander of JTF-CND.
A recent survey of 800 major DOD Web sites revealed as many as 1,300
"discrepancies," some of them involving highly classified information, Campbell
For example, the team uncovered more than 10 instances in which information
about Pentagon war plans was posted. The team also discovered information
on computer system vulnerabilities and more than 20 detailed maps of DOD
Some of the materials included detailed plans of a facility known as
"Site R," which serves as the alternate Joint Communications Center for
U.S. nuclear forces, according to Campbell. The overhead photo of Site R
showed the location of underground tunnel entryways and a detailed floor
plan of the facility.
Likewise, the Web site for an annual exercise known as "Cobra Gold"
included an entire list of participating units, communications frequencies
and call signs for aircraft, and data on Identification Friend or Foe squawks,
which are signals used by pilots to determine if a plane is friendly. In
another instance, the team found a classified excerpt in a policy document
"Putting this task force in place is a very important step forward,"
said Jerry Harold, president and co-founder of Network Security Technologies
Inc. and a former information systems security officer with the National
Security Agency. "A data aggregation issue can arise from the types of information
posted. While individual documents may not be sensitive, the aggregate of
several documents may provide an adversary with information that the government
would consider sensitive, or even classified."
Although the assessment team provides DOD an active defense of sorts,
the JTF-CND is shifting gears on would-be hackers by creating what are called
"honey pots," which use deception to divert hackers away from classified
information and help authorities trap them.
A more controversial tactic involves using tags that allow the JTF-CND,
in coordination with federal law enforcement, to trace stolen information
back to the hacker or criminal who stole it. Because of privacy issues that
may arise out of the use of such tactics, the JTF-CND has also added legal
counsel to its staff, Campbell said.
But legal counsel alone may not be enough, said Douglass Perritt, deputy
director of the National Infrastructure Protection Center. "Our definition
of national security has to change," as does the existing body of laws governing
how the government can react to cyberintrusions and attacks, Perritt said.
"Traditional adversaries no longer fit the mold. Can we react quickly? Absolutely
Mark Gembecki, chairman of security consulting firm WarRoom Research
Inc., said the Pentagon's renewed focus on security is long overdue. "I'm
glad to see that an aggressive course of action is being taken," he said.
Although Gembecki said he believes this is an effective use of DOD resources,
there is still a role for automation, he said. "Automation is key to the
future of Internet security and the protection of proprietary information,"
Gembecki said. "Smart Internet agents are being used everyday but are limited
if an embedded intelligence collection scheme is not used."
However, textual content presents a more difficult challenge than do
images, said Matthew Patton, a senior security engineer at Network Security
Technologies Inc. and a former network security consultant for the Air Force.
"Where images are concerned, a lot of them are ornamental and, once inspected,
can be summarily dismissed," he said. "Textual content is more difficult
and needs review every time a revision is made. So have the reservists brush
up on their shell-scripting abilities."
But human analysts still play a key, irreplaceable role, Gembecki said.
"This is not necessarily a bad thing, since human cognition is a critical
element of the digital information decision process," he said. "And [it]
is far more effective than most computer programs."