DOD warns against the dark side of social networking

The pull of the online world is strong, but security must be maintained

In an earlier era, “loose lips sink ships” was the military’s warning not to let even small details about military movements and operations slip in casual conversation. In contrast, social media Web sites today thrive on loose lips, making it even tougher to maintain operational security.

The problem is not so much people twittering away secrets as letting slip many smaller pieces of information that an adversary can piece together.

“There’s a tendency to think that if information is not classified, it’s OK to share,” said Jack Kiesler, chief of cyber counter intelligence at the Defense Intelligence Agency, in a presentation last month in Orlando, Fla., at the DODIIS Worldwide Conference for intelligence information systems professionals.

Kiesler and colleague Nick Jensen, an operational security analyst at DIA, gave a presentation titled “How Adversaries Exploit Poor Operational Security.”

Operational security refers to the process of denying information to potential adversaries about capabilities or intentions of individuals or organizations by identifying and protecting generally unclassified information on the planning and execution of sensitive activities.

An adversary trying to uncover secrets will start by chipping away at operational security indicators that point them toward a target, Kiesler said. A foreign agent seeking to steal stealth technology might start by trying to identify individuals who are working on the technology, figuring out whom they associate with, following their movements, looking for clues on new research areas and so on.

Much of that information might be available through a professional profile on LinkedIn, for example. Furthermore, participation in online discussion groups or blogs might help foreign intelligence services single out disgruntled military or intelligence agency employees who could be recruited or blackmailed, Kiesler said. Not only are younger employees immersed in the social media culture, but older ones often become participants without understanding their limited control over the information they post online, he added.

Although operational security is supposed to be a standard component of military operations, Kiesler seeks to pursue it in a more disciplined way, with proactive tests of an organization’s operational security. Rather than embarrassing the organizations and individuals who flunk the test, the goal is to educate them, he said.

Jensen presented a fictional scenario that he said was based on those kinds of tests, in which a foreign agent named Jane starts by exploring the membership of a LinkedIn group called Intelligence Professionals.

In Jensen’s scenario, LinkedIn provides a target DIA employee’s basic résumé with a link to his blog. The blog, in turn, has links to other social media sites the person participates in, so the adversary can browse Flickr photos and Twitter messages, continuing to round out the picture. The DIA employee uses the same handle on many Web sites, allowing Jane to search for posts he has made elsewhere. On Slashdot, he mentions something about the Starbucks near his house.

That allows Jane to bump into her target at Starbucks, hack the wireless session he initiates from his iPhone and eventually capture information, including his online banking password. From there, she has many options to monitor his every move, drain his bank account or blackmail him.

Of course, the pull of the online world is not so easily countered. There really is an Intelligence Professionals group on LinkedIn, and Kiesler and Jensen found 163 LinkedIn members who listed DIA as their current employer, including at least one information security analyst based in Washington, D.C.

But Kiesler and Jensen said people can learn to be more circumspect and take precautions such as varying their online signatures rather than using the same user name on multiple Web sites.

About the Author

David F. Carr is a special contributor to Defense Systems.

Reader Comments

Mon, Mar 8, 2010

Did you ever go into the fact that some people have been stalked through social networking? That's the darkest side of all.

Thu, Jun 18, 2009

I wonder then, given this scenario presented here, what the proper role of social networking online should be for the individual concerned about operational security. You can't change the next generation's reliance on such tools, but is it even possible to separate your work and personal life in a virtual environment?
