DOD's new policy 'likes' social media, but with caveats

By Amber Corrin

By Amber Corrin

|

DOD is in a race against technology to maintain authority and security amid the explosion of social media.

For all its benefits and the enjoyment it brings to the people who use it, social media has a dark side. When it comes to military users, one slip — such as an inadvertent mention of a deployment timing or location — can endanger lives. But given its intrinsically open nature and constantly changing boundaries, how can the Defense Department effectively manage social media?

Pentagon officials at the highest levels recognize the importance of social media for communicating with the public and collaborating within the department, as well as providing troops access to their loved ones even when they are stationed thousands of miles away. But leaders know they must weigh those advantages against the sensitive security needs inherent to military operations.

To strike a balance, DOD officials are focusing on regulating, not restricting, social media use.

Currently, DOD’s social media policy is governed by a directive-type memorandum (DTM) from 2010 — a two-page document that superficially outlines the rules and responsibilities those under Pentagon jurisdiction must follow in their use of social media. That policy will change in the coming months as the department prepares to issue more permanent and detailed DOD instructions that will expand the existing guidance.

“Because the DTM was the first ever, it was galvanizing for the department to work its way through the potential rules around social media use at DOD,” said Rob Carey, DOD’s deputy CIO. “As you can imagine, with a very structured, hierarchical organization such as ours, we were dealing with ‘How do I use this thing?’”

The DTM was meant to be a quick set of guidelines governing activities in the social media space. It was set to expire July 15 but will remain in effect until the new policy comes out. Even now, two years after its release, the department is still determining just how to use the still-developing and sometimes unwieldy tool. With a rapidly evolving capability like social media, a hot new trend can catch fire and fizzle within a matter of weeks, so it’s difficult to issue hard-and-fast rules.

“The underlying effort of the DTM was to work toward breaking down some of the silos of keeping information together, allowing a broader perspective of options out there and seeing what we could gain,” said Jack Holt, who helped write the DTM while serving as senior strategist for emerging media at DOD; he is now director of policy analysis at Blue Ridge Information Systems. “It was partly about communicating with the American public and understanding what else we can do within the medium and how it can work behind the firewall as well.”

Where the DTM laid the groundwork by establishing definitions, responsibilities and the importance of information sharing, the new guidelines incorporate a more thorough and detailed look at social media, at least as it exists today, Carey told FCW in a preview of the new policy.

Two areas will receive particular emphasis: making sure the rules are clear and making sure security is adequately covered. Both areas will be clarified when DOD unveils the policy in the coming months, but according to Carey, the exact release date is still to be determined.

“It’s currently at the legal sufficiency review; the lawyers look at the final version one more time and determine what to address,” Carey said. “Right now there’s no date set. I can only say to stand by.”

Clearing the fog of Facebook

Social media has permeated the lives of most Americans, but for the military, it’s a relatively new capability, and rules for its use haven’t always been well understood.

One prominent misconception is that the use of dot-mil e-mail addresses on social media is forbidden. That simply isn’t true, Carey said. What matters is how a social media account associated with a dot-mil address is used. The key designation is whether or not someone is officially conducting job-related business.

“The secretary of the Navy, the commander of European Command, the defense secretary — they use social media [for an official] purpose,” Carey said. “The account that is set up is an official account, so dot-mil e-mail addresses are used to support official presences. If you’re using Facebook or any of the others for social purposes — and there’s nothing wrong with that, consistent with all the other [operations security] guidelines we have in place — you should use some other e-mail address.”

No social network sites are universally banned from military use, but there are certain circumstances in which the use of one or another might be temporarily suspended. For instance, after the tsunami struck Japan last year, access to YouTube was shut down on some military networks to free up the bandwidth needed to coordinate disaster response efforts.

The new policy will address those issues and some newer ones that have begun to crop up around the downloading of information, such as the growing and evolving use of advertising, endorsements, image alteration and gaming, Carey said.

The elephant in the room

Perhaps the biggest issue in the military’s use of social media is security. And one of the biggest problems with security is that the traditional, bureaucratic approach isn’t flexible enough to keep up with the rapidly changing social media landscape.

“The issue is not social media; it’s new software techniques that need various degrees of safeguards,” said Paul Strassmann, distinguished professor of information sciences at George Mason University’s Volgenau School of Engineering and former director of defense information at DOD. “It’s a new set of applications…and whether I’m in Kabul or Mogadishu or any other place, I need to be able to communicate. [Existing systems can be] too onerous, difficult, expensive and hard to execute. So what people do is work around using social media. Social media is a big bootlegging operation. It breaks down the structure.”

Carey believes that the new policy, combined with existing training and education, are enough to combat much of the threat that social media potentially poses. The two main concerns are cybersecurity and information security, he said.

Although social media receives the same cybersecurity treatment as any other form of DOD desktop activity — including perimeter defense, firewalls and other traditional measures — information security hinges on the training and education that are mandatory for all defense personnel, both military and civilian.

At the heart of information security is operations security, which in turn might be the pinnacle of social media security concerns.

“A lot of social media policies try to address the breadth [of concerns] not to scare people to death but to let them understand this is not the same thing as having a conversation in your living room or over a cup of coffee with a friend,” said Laurie Schive, outreach director at the Office of the National Counterintelligence Executive in the Office of the Director of National Intelligence.

There are plenty of stories about military families inadvertently revealing too much information online about a service member’s location or a geotagged photo getting publicly posted, for example.

“It’s just like someone saying it at a crowded bus stop, just the media has changed,” Carey said. “The problem with the Internet is that it’s viral to those friends. It can be a social media issue, but the first problem is that information shouldn’t have gotten there.”

Are the current efforts in training and education enough to counter security worries? Although Carey expressed confidence in existing programs, most would agree that there’s always room for improvement, even beyond military applications.

“There are a lot of things we give lip service to that before weren’t a big deal but today they are,” Holt said. “Especially for DOD and social media, they need to be addressed in basic training and for new civilian employees. But this is also something that needs to be addressed even in children. We should train kids to be on and off the Internet the same way we train [them] to cross the road — and probably at the same time.”

Young or old, good cyber habits should include understanding the potential dangers of bogus URLs, bad links and malicious attachments. Inside the federal government, preparedness rises to another level.

“It’s not just [operations security], it’s proper decorum,” Holt said. “After all, it is publishing. When you put something on the Internet, you’re still liable for defamation and things that, before ubiquitous publishing, only journalists, public affairs people, and those producing products and content for mass distribution had to consider. It’s a different story now.”

Filling in the gaps

Although DOD has unique security requirements, the concept of operations security and the protection of internal information have implications at other agencies, where officials are also grappling with social media use.

Some agencies are collaborating on the best approaches to social media — for example, via interagency working groups and by sharing information through websites such as HowTo.gov. Despite the differences in their missions, most organizations have a number of issues in common.

“We not only have to read tea leaves of where technology is going to go in the next five to 10 years, it takes a lot to revise federal policies, so it has to be evergreen,” said one government official who is familiar with federal social media strategies and agreed to speak on background. “It also has to provide for a range of operations [because] there’s not going to be one toolset that works for every department or component.”

DOD’s goal for the new policy is that it will be broad and flexible enough to fill in the gaps that have emerged as social media has evolved and governance has taken shape.

The task will be ongoing and it won’t be easy, but social media has become too powerful as an information and strategic messaging platform to be dismissed, Carey said.

“Some of the tools that we use to frame this discussion will not exist in a few years, and there will be new ones out there in their places,” Carey said. “We have to set a broad context. Implementation is targeted around the as-is, not the what’s-to-be, and that means you have to be careful about it.”

Social media missteps

Defense Department officials hope their soon-to-be-released social media policy can help service members avoid the kinds of incidents detailed below.

The appropriation of Adm. Stavridis’ identity

Adm. James Stavridis, commander of U.S. European Command and NATO’s Supreme Allied Commander Europe, is often held up as a prime example of military social media done well. Stavridis is famous for his use of Facebook and Twitter to interact with the international public, and he does it all himself.

But his prominent social media use made headlines of a different sort earlier this year when hackers created a fake Facebook profile pretending to be Stavridis and reportedly managed to befriend other NATO officials and glean some personal information. The U.K.’s Telegraph reported that Chinese hackers were behind the social engineering tactic, but like most cyber incidents, attribution is difficult.

DOD officials downplay the dangers of that kind of ploy but note that it’s yet another reason for thorough and routine training and education. “The social engineering aspect of social media is just another point of awareness that anyone, including senior leaders, need to manage and diligently monitor,” said Rob Carey, DOD’s deputy CIO. “Once an anomaly has been detected, we contact the specific sites — Facebook, Twitter, etc. — and they remove them.”

Marine dismissed for Obama-bashing on Facebook

A fierce free-speech debate was sparked in April when Marine Sgt. Gary Stein faced disciplinary action — and later, a less-than-honorable discharge — for posting remarks criticizing President Barack Obama and launching an Armed Forces Tea Party page on Facebook.

Stein drew the attention of Marine Corps officials after he wrote that he would not take “unlawful orders from Obama,” among other remarks. The comments went against a military policy, dating back to the Civil War, that limits service members’ free speech, including criticism of the commander-in-chief. Stein is reportedly fighting the dismissal in court.

Geotagging slip backfires big time

Today’s high-tech smart phones and other mobile devices include features that can come in handy but also pose huge risks. Software that tracks location is a big one, including the ability to geotag items such as photos uploaded to social networks.

The dangers were exposed in 2007 when Army soldiers snapped and uploaded photos of a new fleet of helicopters arriving at a base in Iraq. According to the Army, adversaries were able to access the pictures and, more importantly, the geo-location information that was embedded in them. Using that data, they were able to determine the exact location of the AH-64 Apache helicopters and launch a mortar attack that destroyed four of them.

Indian, British and Israeli service members leak confidential data online

Social media mistakes are not limited to the United States; a number of other countries have suffered from similar blunders.

The Times of India reported in January that a group of four Indian naval officers were caught leaking confidential information, such as the location of warships, via social networks.

Back in 2010, 10 employees of the British Ministry of Defense faced disciplinary action after they were found to have leaked sensitive information via social media sites, including Twitter, 16 times in the course of 18 months.

That same year, an Israel Defense Forces soldier posted information on Facebook that detailed the time and place of an upcoming raid on the Palestinian territories, as well as the name of the combat unit involved. According to Israel’s Haaretz newspaper, the soldier’s friends reported the status update to Facebook, leading to the soldier being relieved of combat duty and the raid being called off.

NEXT STORY: Who is Tracking Government Agencies’ Disaster Recovery Policies?

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.