Dangerous Internet Services and Web Site Access in the US Department of Defense
Much to my amazement, last week I read a news item alleging that the US Army had originally banned Twitter, but that it had recently reversed its stance. This brought to mind a range of popular Internet services, including other social networking services—Facebook and MySpace—as well as chat, instant messaging (IM), and more, and how they are often blindly tolerated in critical business and operational contexts despite the many security-related liabilities associated with such sites and services.
I have previously pointed out the security-related dangers of social networking. Not surprisingly, Twitter has recently experienced extended outages due to denial of service attacks. But the risk of denial of Twitter services pales in comparison to others. In the case of the military, national defense secrets are potentially at stake. Data leakage in social networking sites is rapidly escalating. Individuals who connect to such sites may overlook prohibitions against leaking classified information that they have learned because they are so engrossed in interacting with others that they are being open and candid with them. Having something interesting to share with friends and social affiliates may result in unintentionally leaking secrets.
But social networking sites are in reality only part of the overall security risk problem that so many popular network-based services create. For example, IM poses another set of very serious risks, one that parallels the risks associated with participating in social networking sites. IM sessions also provide a great opportunity to leak secrets. The same is true of chat sessions.
The US Department of Defense (DoD) has not fared well against attacks against its systems. Consider, for example, the highly successful “Titan Rain” attacks against so many of its systems, which are widely believed to have originated in the People's Republic of China. The DoD has since been through multiple, sustained attacks, allegedly from the same source, and now by all appearances more recently also from North Korea. There is no end in sight. So now what happens? The US Army has said that accessing and interacting with a number of vulnerability- and exposure-prone Web sites and services in its networks is just fine.
Has the US Army taken leave of its senses? Apparently so. At the same time, however, there is some comfort. Just two days ago the US Marine Corps banned the use of social networking services such as Twitter and Facebook. But how could the Army decide on one policy while the Marine Corps decided on one that is entirely different? I have no answer, but by all appearances there is a leadership vacuum in high places within the Department of Defense when it comes to information security policy. Defense Secretary Robert Gates should take notice of this and act accordingly.