The Pentagon ordered on Friday the removal of sensitive data from Department of Defense Web sites and an immediate review of its policy for posting information on the Internet, at a time when its sites are besieged by cyber attacks from all over the world.
The order follows Pentagon officials' realization that users can access sensitive data about operations, military capabilities, and personnel from various military Web sites.
"This is a good start, but it's only a start," said Gene Spafford, director of the Computer Operations Audit and Security Technology. "There are many more things that need to be done if military networks are to become secure."
Security experts recommend that the Department of Defense take further steps to protect more than 1,000 military Web sites that get hit an average of 60 times a week. On Friday, the department reported that crackers penetrated military Web sites last year and altered soldiers' medical files.
In a separate incident, US Navy servers have recently come under coordinated attacks from at least 15 different sources, some of them originating outside the United States, according to Stephen Northcutt, head of intrusion detection at the Naval Surface Warfare Center.
Northcutt has called for the establishment of a national computer cracker "forensics center" to analyze and trace attacks from the Internet.
"Police forensics experts can assess the time of a shooting, the speed of the bullet, and the angle it was fired from," said Northcutt. "Well, we need the same thing for the Internet to assess how the server was accessed and from where."
Department of Defense officials pass information about cyber attacks to US intelligence agencies, said Northcutt, but organizations such as the Defense Intelligence Agency don't pass information back.
"It's a write-only file, if you know what I mean," said Northcutt. "If they know who is attacking my network and keep it quiet, then it doesn't help my job one darn bit."
Spafford believes that military personnel should be held responsible.
"Whether it's a tech sergeant who fails to download the latest security patch or the admiral who chooses an operating system that crashes and disables the latest submarine, they need to be accountable for their [technical] decisions," he said.
Friday's order is intended to prevent people from gathering information that may be sensitive in nature.
"We have become aware that information such as blueprints of military bases, goals of military operations, and future research and development was freely available," said Suzan Hansen, spokeswoman for the Department of Defense at the Pentagon. "Intelligence is only the ability to gather data and draw some useful conclusion from it."
All areas of the Department of Defense must remove sensitive information from their Web sites immediately.
The department will establish a task force to investigate the matter, making preliminary recommendations to the Office of the Assistant Secretary of Defense by the end of November.