Pre-Publication Review of Website Content


With all its many benefits, the internet can also do a great deal of harm, if not used properly. Information on the internet that may be intended for a limited audience is actually available to a worldwide audience. The web was not designed with security in mind, and unencrypted information is at a high risk of compromise to any interested adversary or competitor.

The Department of Defense (DoD) has been among the first government departments to take the lead in spelling out rules for what should and should not go on a website and how information should be reviewed before it is posted on a website. The DoD policy, cited under Reference below, should be reviewed prior to posting DoD or DoD-controlled information to a website. This policy applies to all unclassified DoD websites and to review and approval of requests received from DoD contractors and subcontractors or other U.S. governmental agencies to post DoD information on their websites.

DoD guidelines take into account what security access controls, if any, are in effect for the site, the sensitivity of the information and the target audience for which the information is intended.


Briefly, most types of sensitive, unclassified information discussed in this module may not go on a website unless that site is protected by encryption. In other words, DoD technical information, "For Official Use Only" information, export-controlled information, unclassified nuclear information, and Privacy Act information may not be posted on an unencrypted website. Decisions on the handling of proprietary or trade-secret information in the private sector are made by the owners of that information.

DoD guidelines also require that judgments about the sensitivity of information take into account the potential consequences of "aggregation." The term "sensitive by aggregation" refers to the fact that information on one site may seem unimportant, but when combined with information from other websites, it may form a larger, more complete picture that was neither intended nor desired. In other words, the combination of information from multiple websites may amount to more than the sum of its parts. Similarly, the compilation of a large amount of information together on one site may increase the sensitivity of that information and make it more likely that site will be accessed by those seeking information that can be used against us.


The following table from the DoD guidance on reviewing websites has been modified to fit into a smaller space. The table is a guide to determining an acceptable level of risk, but the listed types of access controls are not necessarily the only options available for protecting information.

| If access control is: | The vulnerability is: | And information can be: |
|---|---|---|
| Open -- no access limitations, plain text, unencrypted. | Extremely high. Subject to worldwide dissemination and access by everyone on the internet. | Nonsensitive, of general interest to the public, cleared and authorized for public release. Worldwide dissemination must pose limited risk even if information is combined with other information reasonably expected to be in the public domain. |
| Limited by internet domain (e.g., mil, gov) or IP address. Plain text, unencrypted. | Very high. This limitation is not difficult to circumvent. | Non-sensitive, not of general interest to the public although approved and authorized for public release. Intended for DoD or other specifically targeted audience. |
| Limited by requirement for user ID and password. Plain text, unencrypted. | High. Still vulnerable to hackers, as user IDs and passwords can be compromised if encryption is not used. | Non-sensitive information that is appropriate only for a specific targeted audience. |
| User certificate based (software). Requires PKI. Encryption through use of secure sockets layer. | Moderate. This provides a moderate level of secure access control. | Sensitive unclassified information, and information that is "sensitive by aggregation." |
| User certificate based (hardware). Requires PKI encryption. | Very low vulnerability. | Sensitive unclassified information, and information that is "sensitive by aggregation" where extra security is required. |

Before putting any information on a website, you must consider how an adversary or competitor might use that information to target your organization's personnel or activities. This requires applying risk management concepts to balance the benefits gained from using the internet against the potential security and privacy risks created by having that information available to a worldwide audience.

People make several common mistakes when deciding what to put on a website. One is to ignore the danger associated with personal data on the internet. Another is to assume that information is not sensitive just because it is not marked with any sensitivity indicator. A third is to underestimate the ease and potential significance of "point-and-click aggregation" of information.

Inclusion of information about home addresses or family members in biographical summaries is one of the most common errors. Personal information that could facilitate criminal, harassment or terrorist activity against military personnel or government or defense contractor employees should not be on the internet. This includes home addresses, telephone numbers other than those readily available to the public, Social Security number, date of birth and any identifying information at all about family members.


"For Official Use Only" information and other sensitive information is normally marked with a sensitivity indicator at the time it is created. However, the absence of any sensitivity marking is not a valid basis for assuming that information is nonsensitive. Before putting unmarked information on a website, it must be examined for the presence of information that requires protection and qualifies as exempt from public release. 

Don't depend on your memory or general impressions when trying to make this determination. Check the appropriate classification guide or regulation or ask a knowledgeable person.

People who have not themselves developed strong skills at searching the internet generally underestimate the amount and nature of the information that can be found there and the ease with which it can be located. The vast quantity of information on the internet, combined with powerful computer search engines, has spawned sophisticated "data mining" techniques for the rapid collection and combination of information from many different websites. 

Very little know-how is needed, as the tools of the internet have been designed to do this. A single user sitting at a computer in a foreign country can now identify, aggregate and interpret information available on the internet in ways that sometimes provide insights into classified or sensitive unclassified programs or activities.

Information relevant to operations security (OPSEC) is a particular concern. Commanders and program managers responsible for OPSEC need to identify what needs to be protected and then take a "red team" approach to how outsiders might obtain unauthorized knowledge. As a double check, military reserve units have been tasked to conduct ongoing operations security and threat assessments of Defense Department websites.

One useful tool is to do your own keyword search on the internet to learn what related information is already out there that others might use to deduce information about your sensitive activity. As you visit these other sites or read newsgroup messages, see whether they have information that could be used in conjunction with your information, or with information from another site, to deduce your sensitive information.

For example, seemingly nonsensitive technical data, when associated with a specific research or development program, might provide clues to a new weapon's capabilities, vulnerabilities or intended uses. Similarly, unclassified and seemingly innocent information on such things as personnel travel, commercial support contracts, changes in unit deployment or training, changes in communications patterns, messages between soldiers and family members, or supply and equipment orders or deliveries might, when combined with other information, provide a tip-off to sensitive plans and intentions.


Reference
1. "Web Site Administration Policies and Procedures," November 25, 1998, Office of the Assistant Secretary of Defense (C3I). Approved by the Deputy Secretary of Defense December 7, 1998.
