DOD Weighs JavaScript Ban

Doug Brown and Todd Spangler, ZDNet

The Department of Defense is considering banning all JavaScript and other mobile code from military Web sites because the tools could pose a security risk to its computer systems.

JavaScript and Microsoft's ActiveX have been flagged because hackers are increasingly breaking into DOD systems, and department officials fear that mobile code is serving as an easy gateway for them to enter military networks, sources said. The tools are widely used by Web site developers to add animation and interactivity to Web pages.

DOD spokeswoman Susan Hanson confirmed there have been discussions within the DOD about the future use of mobile code. She would not confirm that the department is talking about banning mobile code, but a high-level government source said it is common knowledge that the department's deputy chief information officer, Marvin Langston, is considering eliminating the use of the code within department Web pages.

Langston was traveling and unavailable for comment.

The security threat posed by such code has been discussed within both the DOD and the Department of Justice since early this year. Many are concerned that mobile code can carry malicious programs that launch surreptitiously from a user's browser.

"I think it's wise to be worried about mobile code security issues," said Edward Felten, director of the Secure Internet Programming Lab at Princeton University. "Right now, there is no mobile code [safe] enough for high-security uses."

The Sun-Netscape Alliance, which markets JavaScript, and Microsoft, which developed ActiveX, were not immediately available for comment.

But without the popular code, Web sites become largely passive and unable to deliver the most basic interactivity. Dave Plummer, a vice president for Internet and Java at the GartnerGroup consulting firm, noted that without any mobile code capabilities, DOD Web sites would become much more static than standard corporate Web sites.

"Your sites will end up being less competitive overnight," Plummer said, adding that a complete ban on all mobile script capabilities could lead to a Web presence that does not permit online chats or the filling out and sending of online forms.

According to a high-level DOD official, the department has more than 2,500 primary Web sites, including one for the U.S. Army and another for the Defense Contract Audit Agency, and hundreds of servers to host the Web sites. It hosts the largest network of Web pages in the federal government.

In April alone, according to statistics, the DOD's primary Web sites were accessed 5.4 million times by 422,000 unique visitors, who received 365,000 megabytes of data.

Security has long been a headache for the DOD as it has inched its way into the online world. The department houses and protects highly classified and potentially volatile information on its computer networks. Keeping hackers away from classified information has been a prominent concern within the department.

"These guys [in the DOD] are extremely nervous about allowing ActiveX and JavaScript," said Ron Moritz, chief technology officer at Finjan Software, a security software firm. "They are getting hit consistently."

Many companies, he said, do have policies of some sort toward mobile code. Some companies, for example, will order employees not to open e-mail attachments.

Moritz said that in 1998, 20 percent to 30 percent of companies banned ActiveX and JavaScript. But that percentage is dropping because so many of the functions offered on Web pages now depend upon mobile code.

"Take a Wall Street firm," Moritz said. "There are undoubtedly a number of folks who need to use the EDGAR database, and that uses JavaScript, so it's mobile code that drives the service. One year ago, you would find many corporations with their finger in the dike, but now companies are finding they have to allow JavaScript and ActiveX. JavaScript is on 80 percent of sites. You can't deliver to the desktop browsers that have these services disabled because there are just too many sites that use this."

News of Langston's proposal caused immediate ire on an internal DOD listserv. One poster called the idea a perfect case of "throwing out the baby with the bathwater." Another asked: "So now we're not going to use the Web?"