DOD's new policy 'likes' social media, but with caveats

For all its benefits and the enjoyment it brings to the people who use it, social media has a dark side. When it comes to military users, one slip — such as an inadvertent mention of a deployment timing or location — can endanger lives. But given its intrinsically open nature and constantly changing boundaries, how can the Defense Department effectively manage social media?

Pentagon officials at the highest levels recognize the importance of social media for communicating with the public and collaborating within the department, as well as providing troops access to their loved ones even when they are stationed thousands of miles away. But leaders know they must weigh those advantages against the sensitive security needs inherent to military operations.

To strike a balance, DOD officials are focusing on regulating, not restricting, social media use.

Currently, DOD’s social media policy is governed by a directive-type memorandum (DTM) from 2010 — a two-page document that superficially outlines the rules and responsibilities those under Pentagon jurisdiction must follow in their use of social media. That policy will change in the coming months as the department prepares to issue more permanent and detailed DOD instructions that will expand the existing guidance.

“Because the DTM was the first ever, it was galvanizing for the department to work its way through the potential rules around social media use at DOD,” said Rob Carey, DOD’s deputy CIO. “As you can imagine, with a very structured, hierarchical organization such as ours, we were dealing with ‘How do I use this thing?’”

The DTM was meant to be a quick set of guidelines governing activities in the social media space. It was set to expire July 15 but will remain in effect until the new policy comes out. Even now, two years after its release, the department is still determining just how to use the still-developing and sometimes unwieldy tool. With a rapidly evolving capability like social media, a hot new trend can catch fire and fizzle within a matter of weeks, so it’s difficult to issue hard-and-fast rules.

“The underlying effort of the DTM was to work toward breaking down some of the silos of keeping information together, allowing a broader perspective of options out there and seeing what we could gain,” said Jack Holt, who helped write the DTM while serving as senior strategist for emerging media at DOD; he is now director of policy analysis at Blue Ridge Information Systems. “It was partly about communicating with the American public and understanding what else we can do within the medium and how it can work behind the firewall as well.”

Where the DTM laid the groundwork by establishing definitions, responsibilities and the importance of information sharing, the new guidelines incorporate a more thorough and detailed look at social media, at least as it exists today, Carey told FCW in a preview of the new policy.

Two areas will receive particular emphasis: making sure the rules are clear and making sure security is adequately covered. Both areas will be clarified when DOD unveils the policy in the coming months, but according to Carey, the exact release date is still to be determined.

“It’s currently at the legal sufficiency review; the lawyers look at the final version one more time and determine what to address,” Carey said. “Right now there’s no date set. I can only say to stand by.”

Clearing the fog of Facebook

Social media has permeated the lives of most Americans, but for the military, it’s a relatively new capability, and rules for its use haven’t always been well understood.

One prominent misconception is that the use of dot-mil e-mail addresses on social media is forbidden. That simply isn’t true, Carey said. What matters is how a social media account associated with a dot-mil address is used. The key designation is whether or not someone is officially conducting job-related business.

“The secretary of the Navy, the commander of European Command, the defense secretary — they use social media [for an official] purpose,” Carey said. “The account that is set up is an official account, so dot-mil e-mail addresses are used to support official presences. If you’re using Facebook or any of the others for social purposes — and there’s nothing wrong with that, consistent with all the other [operations security] guidelines we have in place — you should use some other e-mail address.”

No social network sites are universally banned from military use, but there are certain circumstances in which the use of one or another might be temporarily suspended. For instance, after the tsunami struck Japan last year, access to YouTube was shut down on some military networks to free up the bandwidth needed to coordinate disaster response efforts.

The new policy will address those issues and some newer ones that have begun to crop up around the downloading of information, such as the growing and evolving use of advertising, endorsements, image alteration and gaming, Carey said.

The elephant in the room

Perhaps the biggest issue in the military’s use of social media is security. And one of the biggest problems with security is that the traditional, bureaucratic approach isn’t flexible enough to keep up with the rapidly changing social media landscape.

“The issue is not social media; it’s new software techniques that need various degrees of safeguards,” said Paul Strassmann, distinguished professor of information sciences at George Mason University’s Volgenau School of Engineering and former director of defense information at DOD. “It’s a new set of applications…and whether I’m in Kabul or Mogadishu or any other place, I need to be able to communicate. [Existing systems can be] too onerous, difficult, expensive and hard to execute. So what people do is work around using social media. Social media is a big bootlegging operation. It breaks down the structure.”

Carey believes that the new policy, combined with existing training and education, are enough to combat much of the threat that social media potentially poses. The two main concerns are cybersecurity and information security, he said.

Although social media receives the same cybersecurity treatment as any other form of DOD desktop activity — including perimeter defense, firewalls and other traditional measures — information security hinges on the training and education that are mandatory for all defense personnel, both military and civilian.

At the heart of information security is operations security, which in turn might be the pinnacle of social media security concerns.

“A lot of social media policies try to address the breadth [of concerns] not to scare people to death but to let them understand this is not the same thing as having a conversation in your living room or over a cup of coffee with a friend,” said Laurie Schive, outreach director at the Office of the National Counterintelligence Executive in the Office of the Director of National Intelligence.

There are plenty of stories about military families inadvertently revealing too much information online about a service member’s location or a geotagged photo getting publicly posted, for example.

“It’s just like someone saying it at a crowded bus stop, just the media has changed,” Carey said. “The problem with the Internet is that it’s viral to those friends. It can be a social media issue, but the first problem is that information shouldn’t have gotten there.”

Are the current efforts in training and education enough to counter security worries? Although Carey expressed confidence in existing programs, most would agree that there’s always room for improvement, even beyond military applications.

“There are a lot of things we give lip service to that before weren’t a big deal but today they are,” Holt said. “Especially for DOD and social media, they need to be addressed in basic training and for new civilian employees. But this is also something that needs to be addressed even in children. We should train kids to be on and off the Internet the same way we train [them] to cross the road — and probably at the same time.”

Young or old, good cyber habits should include understanding the potential dangers of bogus URLs, bad links and malicious attachments. Inside the federal government, preparedness rises to another level.

“It’s not just [operations security], it’s proper decorum,” Holt said. “After all, it is publishing. When you put something on the Internet, you’re still liable for defamation and things that, before ubiquitous publishing, only journalists, public affairs people, and those producing products and content for mass distribution had to consider. It’s a different story now.”

Filling in the gaps

Although DOD has unique security requirements, the concept of operations security and the protection of internal information have implications at other agencies, where officials are also grappling with social media use.

Some agencies are collaborating on the best approaches to social media — for example, via interagency working groups and by sharing information through websites such as HowTo.gov. Despite the differences in their missions, most organizations have a number of issues in common.

“We not only have to read tea leaves of where technology is going to go in the next five to 10 years, it takes a lot to revise federal policies, so it has to be evergreen,” said one government official who is familiar with federal social media strategies and agreed to speak on background. “It also has to provide for a range of operations [because] there’s not going to be one toolset that works for every department or component.”

DOD’s goal for the new policy is that it will be broad and flexible enough to fill in the gaps that have emerged as social media has evolved and governance has taken shape.

The task will be ongoing and it won’t be easy, but social media has become too powerful as an information and strategic messaging platform to be dismissed, Carey said.

“Some of the tools that we use to frame this discussion will not exist in a few years, and there will be new ones out there in their places,” Carey said. “We have to set a broad context. Implementation is targeted around the as-is, not the what’s-to-be, and that means you have to be careful about it.”

Social media missteps

Defense Department officials hope their soon-to-be-released social media policy can help service members avoid the kinds of incidents detailed below.

The appropriation of Adm. Stavridis’ identity

Adm. James Stavridis, commander of U.S. European Command and NATO’s Supreme Allied Commander Europe, is often held up as a prime example of military social media done well. Stavridis is famous for his use of Facebook and Twitter to interact with the international public, and he does it all himself.

But his prominent social media use made headlines of a different sort earlier this year when hackers created a fake Facebook profile pretending to be Stavridis and reportedly managed to befriend other NATO officials and glean some personal information. The U.K.’s Telegraph reported that Chinese hackers were behind the social engineering tactic, but like most cyber incidents, attribution is difficult.

DOD officials downplay the dangers of that kind of ploy but note that it’s yet another reason for thorough and routine training and education. “The social engineering aspect of social media is just another point of awareness that anyone, including senior leaders, need to manage and diligently monitor,” said Rob Carey, DOD’s deputy CIO. “Once an anomaly has been detected, we contact the specific sites — Facebook, Twitter, etc. — and they remove them.”

Marine dismissed for Obama-bashing on Facebook

A fierce free-speech debate was sparked in April when Marine Sgt. Gary Stein faced disciplinary action — and later, a less-than-honorable discharge — for posting remarks criticizing President Barack Obama and launching an Armed Forces Tea Party page on Facebook.

Stein drew the attention of Marine Corps officials after he wrote that he would not take “unlawful orders from Obama,” among other remarks. The comments went against a military policy, dating back to the Civil War, that limits service members’ free speech, including criticism of the commander-in-chief. Stein is reportedly fighting the dismissal in court.

Geotagging slip backfires big time

Today’s high-tech smart phones and other mobile devices include features that can come in handy but also pose huge risks. Software that tracks location is a big one, including the ability to geotag items such as photos uploaded to social networks.

The dangers were exposed in 2007 when Army soldiers snapped and uploaded photos of a new fleet of helicopters arriving at a base in Iraq. According to the Army, adversaries were able to access the pictures and, more importantly, the geo-location information that was embedded in them. Using that data, they were able to determine the exact location of the AH-64 Apache helicopters and launch a mortar attack that destroyed four of them.

Indian, British and Israeli service members leak confidential data online

Social media mistakes are not limited to the United States; a number of other countries have suffered from similar blunders.

The Times of India reported in January that a group of four Indian naval officers were caught leaking confidential information, such as the location of warships, via social networks.

Back in 2010, 10 employees of the British Ministry of Defense faced disciplinary action after they were found to have leaked sensitive information via social media sites, including Twitter, 16 times in the course of 18 months.

That same year, an Israel Defense Forces soldier posted information on Facebook that detailed the time and place of an upcoming raid on the Palestinian territories, as well as the name of the combat unit involved. According to Israel’s Haaretz newspaper, the soldier’s friends reported the status update to Facebook, leading to the soldier being relieved of combat duty and the raid being called off.