by Stephen Bryen
The US Government must prohibit the use of social media by its security-cleared employees. That it does not do so presently exposes our government to serious attack from foreign governments and terrorists.
According to Rob O’Neill, a writer for CBS Interactive based in Auckland who also writes for ZDNET, the resumes of over 27,000 people working in the US intelligence community have been culled from LinkedIn by a team of so-called “activists.” They built some scanning tools including one called LookingGlass and another called ICWatch (Intelligence Community Watch) which they have made available over the Internet.
The resumes of the intelligence professionals posted on LinkedIn “include many details about the names and functions of secret surveillance programs, including previously unknown secret codewords.”
Of course this is a bonanza for foreign intelligence services since they get free what otherwise they would spend millions on collecting.
And LinkedIn may only be the tip of the iceberg because information from LinkedIn can be cross-referenced to other social media such as Facebook and Pinterest. There you can get good photos of the professionals and photos of their families and friends. From this information it is child’s play to construct a matrix of activity that can be used to compromise the intelligence professional, track family and friends, or even use the information to construct schemes focusing on possible vulnerabilities and weaknesses.
In short, the situation is even worse than one might imagine because the information collectively forms an actionable database that can put at risk both the individuals and the classified programs and projects they work on.
Not long ago I wrote about the compromise of Twitter and Facebook information at a US military command. You can read about it in my book, Essays in Technology, Security and Strategy. The Pentagon pooh-poohed the report, even though it revealed such sensitive information as the home addresses of at least one four-star general. And the Pentagon did nothing else, other than dodge a few press inquiries. The “scandal” died down rather quickly, and everyone went back to business as usual.
It is a fateful mistake for the US government to turn a blind eye to the use of social media by employees involved in sensitive work.
LinkedIn is essentially a jobs advertising forum disguised as a social media project. When people advertise their skills they aim to impress their readers. For those involved in secret work, this is a bit of a challenge since you are not supposed to be allowed to publish classified information. But what is “classified” can be a murky subject, and trying to convince employees to exercise care is hard when they are looking for their next job, or seeking a promotion in the jobs they already have.
The US government religiously claims that it is trying to protect security and is organized to fight against cyber espionage. Yet when anyone looks objectively at the situation and analyzes the results that are publicly known, it looks like cyber security is rapidly deteriorating inside government. The latest heist of 100,000 tax returns from the IRS, probably by some Russian operatives, is just one among myriad examples of increasing infrastructural attacks. Indeed one can say that attacks are rising exponentially and the government’s ability to resist is minimal.
There are many structural reasons for America’s vulnerability. One is bad policy. Another is bad technology. And the third is lack of leadership.
In regard to policy, if the government stays with the idea that it can successfully operate commercial off-the-shelf systems, it is living in a wacky wonderland. Commercial off-the-shelf systems are garbage from a security point of view. The government has long known this: one reason why NSA is so fat and apparently happy is the ease with which they can suck up literally any kind of information from computer systems and telecommunications they want to get.
Bad technology is another critical factor. Today’s security technology is always behind the power curve because it is reactive technology. As any general knows, if you are going to try and defend your country behind a cyber Maginot line, you are toast.
The third problem, and the worst of all, is lack of leadership. Our leaders want three bites out of the cake at the same time. They want to support commercial hardware and software companies because they pay for their political campaigns. This is incompatible with security policy. They also want to make sure NSA, CIA and FBI and other agencies can exploit vulnerabilities in commercial hardware and software. This means that they allow these vulnerabilities to remain. Surely items like the Heartbleed bug were long known by US intelligence. Wantonly the government left its critical infrastructure exposed for years and even financially supported the guys who produced Heartbleed so that the vulnerability would propagate far and wide. Such policies, ultimately, are reckless and playing with fire. The third bite of the cake is failing to maintain discipline in its organizations and selling phoney solutions that don’t work and cannot work. The latest brainless effort by the Pentagon, as just one example, is to approve commercial Android, iPhone and BlackBerry phones as secure enough for government work. This is not only silly but dangerous, because these platforms are security nightmares, not solutions.
The lack of leadership applies directly to social media. The government has refused to put in place a hard policy that makes sense. People with security clearances should be forbidden to use social media. That is a simple and sensible rule that needs implementation now. Otherwise, as the “activists” have clearly shown, we are all toast.