RICHMOND, Va. - To head off network security breaches, high-ranking Pentagon officials are drafting a policy that would ban Defense Department use of the software that drives leading-edge sites on the World Wide Web. Such a ban could be a major setback for electronic government and perhaps even for commercial use of the latest Web technology.
Marvin J. Langston, deputy chief information officer for DoD, said his office is putting the finishing touches on a directive that would prohibit DoD use of JavaScript and ActiveX, two software products that enable Web sites to interact with PCs over the Internet. Turning off these capabilities could limit DoD Web sites to providing little more than documents. Without them, it would be difficult to carry out many of the current and planned uses of the Web in buying and selling, distance learning and other kinds of transactions.
JavaScript and especially ActiveX are powerful tools that permit the use of software programs within Web sites, greatly increasing their capability to handle transactions. However, the same technology that enables a site to look up a customer in a database and update records can be used maliciously to wipe out the database or alter records with little trace. The software that moves over the network in the interaction between a Web browser and a server is known as "mobile code." It can act like a computer virus, but with more devastating effects.
Microsoft Corp., maker of ActiveX, and Netscape Corp., maker of JavaScript, have included in their products controls that can be activated to limit misuse of the technology. For example, an Air Force browser can be configured to accept mobile code only from an Air Force server, Jeff Raikes, Microsoft's vice president for worldwide sales and support, said in a speech at an IT industry conference here.
But making sure that these controls are properly activated in every DoD PC and server, and then updated to keep the security policies current, is impossible, in the view of many. "JavaScript and ActiveX are security problems that we don't know how to deal with," Langston told those attending an electronic government workshop at the conference.
Later, Langston acknowledged that the proposed ban would reduce the functionality of DoD Web sites. He said the draft policy has met with great resistance within the department and agreed that "there are big issues here." But he said preparation of the draft policy is continuing and it probably will be presented to Langston's boss, DoD CIO Arthur Money, for signature before the end of the year.
Security is "the Achilles heel to everything that's going on right now" with electronic government initiatives, Langston said at the workshop. He compared today's information warfare threat to the nuclear missile threat that dominated the defense horizon in the 1950s.
Several companies offer security products to enforce protection policies and keep them up to date against threats from mobile code. However, new vulnerabilities emerge regularly, leading many in the information technology industry to liken the situation to a cat-and-mouse game. For each new security protection on the market, malicious hackers come up with a new way to attack protected systems.