Admiral Mike Mullen is the Chairman of the Joint Chiefs of Staff. He also has a Twitter account. His “tweet” on the afternoon of August 4: “Obviously we need to find right balance between security and transparency. We are working on that. But am I still going to tweet? You bet.”
What was that about?
It transpires that a debate is raging within the Pentagon about the value and vulnerabilities of Facebook, Twitter, and other social utilities. ADM Mullen and others see these as important forums for STRATCOM — Strategic Communication. Others, especially those charged with defending the DoD computer net against cyberattack, see the dangers as outweighing the advantages. Facebook, for instance, offers too many openings for hackers to exploit and once in the system, they can do a lot of mischief. And still others Just Don’t Get It. Short wave radio using Morse code was good enough in their day. What need of new-fangled media like Web 2.0?
The situation is odd in that, less than three months ago, the Army lifted its long-standing ban on access to Facebook, etc., using military PCs. You’d think the issue would have been thoroughly sorted out by then. But the guardians of cyberspace continued to press their case, and a few days ago the Marine Corps forbade its personnel from using social utilities. A full-scale DoD review of the issue is now underway. The best (and almost only) original reporting on this subject is being done by Wired magazine’s Danger Room. The rest of the media mostly just relays what Danger Room reports.
Here are the most relevant news items:
Marines Ban Twitter, MySpace, Facebook – Danger Room, August 3
The U.S. Marine Corps has banned Twitter, Facebook, MySpace and other social media sites from its networks, effective immediately.
“These internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries,” reads a Marine Corps order, issued Monday. “The very nature of SNS [social network sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage that puts OPSEC [operational security], COMSEC [communications security], [and] personnel… at an elevated risk of compromise.”
The Marines’ ban will last a year. . . .
Military May Ban Twitter, Facebook as Security “Headaches” – Danger Room, July 30
…“The mechanisms for social networking were never designed for security and filtering. They make it way too easy for people with bad intentions to push malicious code to unsuspecting users. It’s just a fact of life,” says a source at Stratcom, which is responsible for securing the military’s “global information grid.”
Last month, for instance, well-known venture capitalist Guy Kawasaki’s Twitter account was hijacked, and used to spread a sex video come-on to his 139,000 followers. Those following the link were asked to install a software update. The application was, in fact, a Trojan, which allowed hackers to take over a user’s machine.
Similarly, one variant of the nasty Koobface worm searches a PC to find a Facebook cookie. Then the malware program uses that information to gain access to the user’s Facebook account. Once it’s in, Koobface spreads messages to online friends, enticing them to download viruses and Trojans.
Army Orders Bases to Stop Blocking Twitter, Facebook, Flickr – Danger Room, June 10
The Army has ordered its network managers to give soldiers access to social media sites like Facebook, Flickr, and Twitter, Danger Room has learned. That move reverses a years-long trend of blocking the web 2.0 locales on military networks.
Army public affairs managers have worked hard to share the service’s stories through social sites like Flickr, Delicious and Vimeo. Links to those sites featured prominently on the Army.mil homepage. The Army carefully nurtured a Facebook group tens of thousands strong, and posted more than 4,100 photos to a Flickr account. Yet the people presumably most interested in these sites — the troops — were prevented from seeing the material. Many Army bases banned access to the social networks.
An operations order from the Army’s 93rd Signal Brigade to all domestic Directors of Information Management, or DOIMs, aims to correct that. Issued on May 18th “for official use only,” the document has not been made public until now.
It is “the intent of senior Army leaders to leverage social media as a medium to allow soldiers to ‘tell the Army story’ and to facilitate the dissemination of strategic, unclassified information,” says the order, obtained by Danger Room. Therefore, “the social media sites available from the Army homepage will be made accessible from all campus area networks. Additionally, all web-based email will be made accessible.”
The Marine ban — and the contemplated DoD ban — apply to military computers, not personally-owned PCs. So basically if you’re Stateside you can still do the social utility thing. But if you’re down-range your access is limited to computers that are part of the military net, and that’s the problem. One work-around would be to provide so-called “dirty computers” — PCs not connected to the military network — that service personnel could use instead. But apparently that has its own technical problems, and of course there are those who Just Don’t Get It, and can see nothing but the problems arising from indiscretions by service personnel, or the stress placed on them by, say, a spouse using Facebook to announce that she’s fallen behind on the household bills — as if the same info couldn’t be shared via phone, email, or Pony Express.
Indeed, I have the distinct impression that proponents of retaining access regard it as futile and self-defeating to opt out of Web 2.0 — if we outlaw Web 2.0, only our enemies will have Web 2.0, and thereby the ability to exploit its STRATCOM capability. (For an example of this that most of us applauded, consider the Iranian protesters who used Twitter extensively to bypass Iranian security and get out word of the stolen election and subsequent crackdown on demonstrations.) Proponents tend to pooh pooh the cybervulnerability issue as endemic to the Internet anyway and cop a sort of “Damn the hackers, full speed ahead” attitude.
Those assigned to prevent cyberattacks are, understandably, focused on the vulnerability issue. But from my exchanges with such people I have the impression, perhaps mistakenly, that they tend to view social utilities as little more than people posting status updates like, “Finally squeezed that pimple that’s been bugging me all week. Wow, what a lot of pus!”
And in between — maybe even the decisive weight in the debate — are those who know little of the technical vulnerabilities and have no clue about the STRATCOM value, because they have no direct experience with Facebook, Twitter, etc. These default to an unreflective, better safe than sorry position. These people remind me of nothing so much as the numerous academics, still locked in the Gutenberg era, who have never seen Facebook or read a blog and find the whole idea of electronic media incomprehensible and vaguely threatening. You’d think academics would have a greater degree of intellectual curiosity about this new and powerful medium. You’d be wrong. It’s weird, though gratifying, to find my own blog valued in the larger military history and national security community, whereas hitherto I’ve generally been in an environment that regarded blogging as a mere eccentricity.
Where do I come down on this? In my own small experience, I’ve seen how Facebook can be used to generate discussion about the current health care debate, how Twitter can drive traffic to my blog, and how the blog is able to influence the field of academic military history. Hundreds if not thousands of other users — ADM Mullen, other flag officers, and numerous politicians and activists — have noticed and exploited the same synergy between Facebook, Twitter, blogs and web sites.
I think that either the vulnerabilities are endemic to the Internet, in which case it’s a matter of conceding that entire realm to adversaries less squeamish about exploiting it; or else specific to the social utilities, in which case it ought to be possible to work with Facebook, Twitter, etc., to eliminate the vulnerabilities. One would think that they would have as much stake in the issue as the military. After all, a cyberattack that, say, vacuumed up sensitive personal info on its members could destroy the market for Facebook and Twitter overnight, as members closed their accounts by the million.
Surely there’s a way to mitigate if not eliminate the cybervulnerabilities. And it’s this task that needs to be addressed — quickly, concertedly, and sufficiently resourced to handle the job. A sort of home-grown fatwa on social utilities is not the answer.
2 Comments
Agreed, Mark. But unfortunately, and you probably understand this from your time at Carlisle, the various installation DOIMs, or as I like to call them “Don’t-ems,” exert a stranglehold on the DoD. Every installation has its own set of operating rules, no consistency from one to another (other than being difficult to work with and navigate).
I think Admiral Mullen represents the tip of the iceberg of the incremental change in attitude toward social networking sites at the mid-grade and senior officer levels. I am currently at the Command and General Staff Schools at Fort Leavenworth, Kansas. As part of our requirements for graduation, we must conduct a media interview, speak to a public forum, submit an article for publication, and post on a reputable blog.
You can read a local article outlining the current CGSS commandant’s experiences with social networking sites in Iraq to get some perspective on changing leadership culture in the Army. The URL is here:
http://www.ftleavenworthlamp.com/articles/2009/08/06/news/news2.txt
I personally have mixed feelings about the opening of social networking sites to military computer users. I agree that alternative media outreach is important for the army. At the same time, these sites serve as a potential source of information to our adversaries, and I certainly do not know either the extent of the information available or how the information might be used. Ill-defined threats (outside of the standard hackers doing identity theft, in this case) are usually discounted, especially when leaders perceive specific positive advantages to using these sites. The DoD agencies assigned to protect our IT systems are trying to exercise due diligence–their job is just made more difficult because it is difficult to clearly articulate the threat.
MAJ James Doty, Student, US Army CGSC