( UPDATED 2/16/2000 ) Pentagon Pulls Web Pages By John Diamond The Associated Press W A S H I N G T O N , Feb. 16 The chairman of the Joint Chiefs of Staff looked on as Pentagon cyber-warriors clicked away at their laptops and showed how would-be terrorists could find his son’s home address. Army Gen. Henry Shelton then got a demonstration of how a skilled adversary might combine publicly available biographies and contractor information on military Web sites with a few well-placed phone calls to pin down the dates of highly classified nuclear exercises. The classified briefing, held in Shelton’s Pentagon office, was then given to other generals and admirals as well as senior civilians, generating a momentum that has led the military to order a massive scrub of its vast network of Internet sites. Deputy Defense Secretary John Hamre said military Web sites offered adversaries a potent instrument to obtain, correlate and evaluate an unprecedented volume of aggregated information that could, when combined with other sources of information, endanger Department of Defense personnel and their families. Too Hush-Hush in Policies? Instituted Dec. 7, the policy change has touched off a debate as some critics argue the Pentagon went too far in restricting the information it makes public on the Internet. In response, defense and national security officials have become more willing to discuss, on condition of not being identified by name, the nature of the risk their detailed review of military Web sites revealed. There was information that was potentially tactically useful to an adversary, the kind of thing where if someone really wanted to do harm to your personnel, it could facilitate them in undertaking an attack, said one senior defense official working on Internet security issues. Another national security official called the briefings eye-openers that startled commanders. The briefings stemmed from work done in 1997 and 1998 by Pentagon red teams, a term associated with a notional enemy force in war games. Team members tried to learn how much mischief they could do by skillfully scanning military Web sites, without any sophisticated hacking. They showed Shelton, himself a former special operations specialist, how his own biography posted on a military Web site combined with non-military databases could quickly lead a terrorist to the home address of one of his sons living in Florida. Maps of Military Installations The red teams found detailed maps and aerial photographs of military installations that would help anyone planning a strike or a terrorist action. These were the kinds of pictures, one senior official noted ruefully, that the United States spent billions to get during the Cold War through its spy satellite network. Now the United States was giving such imagery away for free on the Internet. Senior officers were particularly concerned when one of the red teams was able to combine a variety of data and make highly accurate estimates about the timing of nuclear weapons drills, exercises and readiness checks, according to two senior national security officials familiar with the briefings. Biographies of individual commanders of units likely to be involved in such operations combined with phone calls to those commanders’ bases yielded information about temporary duty assignments in Nevada at installations involved in nuclear weapons handling. Military Web sites containing contractor information, particularly formal requests for bids to supply particular security equipment, helped further hone this detective work, according to the officials. Extent of Information Mostly Unknown Cleaning the military Web sites of potentially dangerous information has proved a monumental task. Bill Leonard, a top Pentagon information security official, said the military was unsure initially how many Web sites it had, and even today can only provide an estimate. For a time, the Army completely closed off access to its 1,000 Web sites. Now back on line, the Army’s Web sites have been substantially trimmed, as have those of the other services. Entire Internet addresses have been put off limits, with the terse message on the computer screen that information previously available has been removed for security reasons. Some think the scrub of military Web sites has gone too far. This is a wartime information policy, said John Pike of the Federation of American Scientists, a Washington-based research group that follows military and intelligence matters. All kinds of program information is being withdrawn. Almost anything that discloses what an agency actually does, beyond a brief mission statement, is going away. The Federation is pursuing release of some of the deleted information under the Freedom of Information Act. In its filing with the Pentagon’s security review office, the Federation said anything released as a result of the complaint should come in electronic form so the Federation can post the information on its Web site. To date, the Pentagon cannot point to a specific incident where information posted on a military Web site resulted in harm to U.S. national security. The menacing scenarios have remained just that only scenarios, according to George Smith, editor of The Crypt Newsletter, an online publication dealing with computer security. But the Pentagon says it has solid electronic evidence that foreign countries, including some adversaries, are regular visitors to U.S. military Web sites. By Barbara Starr Special to ABCNEWS.com U.S. military officials are worried that the information superhighway is becoming a road map for terrorists, spies and other enemies seeking information about military facilities, personnel and weapons systems. The Defense Department and the individual military services run hundreds of unclassified Web sites. Web surfers can gain access to these both by direct URLs and via the numerous hyperlinks on the Pentagon’s main Web site popularly referred to as DefenseLINK by the armed forces. DefenseLINK, the first major Defense Department Web site, was launched in October 1994, initially as an online service for publishing and distributing press releases from the Pentagon. Since then, virtually every military facility and organization has developed its own Web site, many of which contain highly detailed, albeit unclassified, military information. Tracking Them Down Now, Deputy Defense Secretary John Hamre and the chiefs of the military services have begun a review of the content of all military Web sites. According to Pentagon spokesman Kenneth Bacon, they want to see what sort of information (the sites) provide on building plans, for instance, actual diagrams of buildings at certain military installations, on lessons learned on certain military operations or programs, on future research and development goals. Another concern, Bacon says, is that personnel information that could perhaps provide too much information in terms of locating people or re-creating identities from information provided on the Internet. More Than Necessary? When the United States launched cruise missile attacks on suspected terrorist sites in Afghanistan and Sudan, the Pentagon refused to disclose the names of the Navy ships that launched the strikes. Officials feared that terrorist groups could use the ships’ Web sites to locate and identify crews and their family members. We are in the process now, as I believe many private companies are, of trying to sort out what the right balance is between providing useful information and providing more information than is necessary over the Internet, Bacon explains. The Defense Department review is solely of unclassified material. The Pentagon has long maintained that its classified Web sites remain secure and have not been penetrated. Pentagon officials expect that guidelines will be issued shortly to the Webmasters of all official military sites, directing that more attention be paid to security concerns before material is posted on the Internet. But officials also want to assure their computer users that they are not throwing the Internet in the stockade. We do not want to go back to passing out pieces of paper rather than disseminating information on the Web, says one Pentagon official. Key Data Online Indeed, the Internet is now an integral part of some weapons development programs. For example, all of the key data on the Joint Strike Fighter program a multibillion tri-service effort to develop a new fighter aircraft is available online. Other Defense Department Web sites may be more troubling. The Special Weapons Agency site offers many details on how the nuclear weapons stockpile is being maintained both in the United States and in the former Soviet Union. And the Joint Chiefs of Staff’s new Force Protection site reviews U.S. anti-terrorist measures. Pentagon officials estimate that DefenseLINK alone receives more than 450,000 visitors per week. More than half are commercial users and network providers. But the Pentagon wants to make sure that, if the bad guys are also sneaking a peek, they are not getting more information than anyone wants them to have. and from 1998 : (AP) - The Defense Department's 1,000 publicly accessible World Wide Web sites may be stripped down further by the end of the year after a Pentagon-wide review of data that was being thrown out into cyberspace. Deputy Secretary of Defense John Hamre, who ordered the review, said he recently became aware that some Web sites were offering 'too much' detail on DOD capabilities, infrastructure, personnel and operation procedures.' 'Such details, especially when combined with information from other sources, may increase the vulnerability of DOD systems and potentially be used to threaten or harass DOD personnel and their families' Hamre said in a statement. Hamre said he was most concerned about the possibility that information about members of the military and their families, including Social Security numbers, telephone numbers, birth dates and home addresses, could be gained by tapping onto web sites. He ordered immediate removal of personal data from Internet sites pending results of the review in November. Specifics also were eliminated on military movements, the location of units, install- ations or personnel in cases where 'uncertainty regarding location is an element of the security of a military plan or program.' Military plans and so-called 'lessons learned' critiques of previous operations also were stripped from Web pages because the information could reveal 'sensitive military operations, exercises or vulnerabilities.' 'The Internet may provide our adversaries with a potent instrument to obtain, correlate and evaluate an unprecedented volume of aggregated information on defense personnel and activities' the Pentagon said ina statement.' The department must assess the information posted on public DOD Web sites to ensure national security is not compromised or personnel placed at risk.' The Pentagon has been using the Internet to spread information to members of the military serving around the world, partly to speed up business and eliminate paperwork for contracts and administration. It also said it was aiming to be more open with Americans and the inter- national community. Hamre said the goal now is to manage the Web sites more closely and 'to strike a balance between openness and sound security. 'Enemies of the United States such as terrorists, adversarial governments, members of organized crime and drug traffickers probably found the Pentagon sites a treasure trove of useful information, said E. Peter Earnest, president of the Association of Former Intelligence Officers, who worked for the CIA before retiring. 'It is a rich site of information, and any adversary is probing for vulner- abilities or weak spots', Earnest said. 'As you saw from the bombings in Africa, clearly enough homework was done to determine those sites had some weak spots.' On Pentagon Web sites, maps and floor plans of military facilities can be reviewed and details about what new weapons do can be downloaded. During the Cold War, when the former Soviet Union and the United States were in a nuclear standoff, much of this type of information was classified, Earnest said. Some hackers haven't been satisfied with the Pentagon's open Web sites and have tried to get into some of the department,s 2.1 million computers. In Feb- ruary, Hamre said the Pentagon's unclassified computers were hit by the 'most organized and systematic attack' to date, targeting mostly personnel records. Last year, hackers penetrated medical data banks at veterans hospitals and changed blood types in sold- ers' records, according to Federal Computer Week magazine, which quoted Art Money, a civilian awaiting nomination as assistant secretary of defense for communications and intelligence.