HJS Blog - The Scoop

Social Networking in the Military: A Rush to Adopt?

posted by Martin Kite-Powell at 14/08/2009

 

 

Perhaps the greatest irony is when an organization devoted to security succumbs in certain areas to a culture of apathy and disinterest in the very things which might threaten it, and as a result threaten the things which it has been put in place to protect. A recent article on the Pentagon’s Defense Link website has outlined the official policy direction of the US military with regard to, drum roll: access to social networking sites. The article has a certain fun and vibrant tone one might recall finding in their high school newspaper some years ago, perhaps upon the announcement of the homecoming game.

 

The paper posits social networking and electronic communication as the “modern day equivalent” of writing letters and mailing them. It also compares the Department of Defense and its branch operations to any private business, where security cannot overshadow productivity. The article then concludes by proclaiming that nothing should stand in the way of social networking or electronic communication and if anyone has a security concern, they just need to figure it out on their own time. After all, the show must go on.

 

The difficulties with this glibness are, of course, manifold. To start with, social networking and electronic communications for personal use are not equivalent to writing letters. As wonderful as technology is, it is not a necessity and, as with all things in the military, should not be so heavily leaned on that one does not know how to get along without it. Aside from this, we still can write letters. It is understandable that access to social networking sites and other electronic communication be utilized, as such instant communication can be an important morale boost for troops. However, if there is a security matter that makes it risky to use such technology, this should not be even a consideration until the issue is sufficiently mitigated or other means are found.

 

Another assumption apparently present here seems to be that any security concerns are not so significant as to require aggressive action in response, which may include restricting certain social network access and the like. The fact is that malware writers are writing more malware applications for Facebook, LinkedIn, and MySpace every day. They are also creating bogus user accounts with links to malicious websites on Twitter at an equal or even greater pace. Malware is a very serious issue, because it can, among other things, allow a hacker to gain access to even ostensibly secure information inside a network, and it can let them do so for long periods undetected.

 

 

What is sad is that the US military has been warned repeatedly about the need for proper network security all the way back to the earliest days of networked computers. Clifford Stoll wrote about this almost three decades ago. His book, The Cuckoo’s Egg, recounts how he tracked a hacker through his Lawrence Berkeley Laboratory computer system into various military and contractor mainframes and back to a KGB spy working via phone modem in West Germany. Stoll describes how he repeatedly warned defense officials and members of the intelligence community, even the NSA, that military systems had been compromised, but for ten months as over 400 military computer systems were breached, none of the authorities would seriously investigate. By that time, the hacker had literally had his run of a host of compromised computers, as well as the German phone system, as he sold stolen passwords, projects, and other information to the Soviets. And this was just a single hacker. The book describes the miscreant as at times associated with a gang of hackers.

 

Naturally, countless others since then have written about this, but not much has taken place to truly address it in terms of overall security philosophy. Another area of concern that has emerged over the last few years has been the danger associated with the US military using computer hardware technology imported from regimes like Communist China. China has in the past threatened to use asymmetrical warfare, including information warfare that includes computer espionage against the US. Shortly after the buzz began, reports also began to surface of discoveries of malware implanted in the firmware of such devices, which ranged from digital picture frames to hard drives and thumb drives, to whole computers, something I both predicted and followed up on at my personal weblog, as have others, including former Secretary of Homeland Security Michael Chertoff, before me. During an interview with NTDTV's Dong Xiang in October of 2008, Larry Greenblatt, the Lead Instructor at Internetwork Defense, pointed out that:

 

- Some corporate IT departments reported that 70% of the source traffic that hits their firewalls and is blocked is from China. They say it’s difficult to tell how much more made it past the firewall undetected.

 

- Consumer electronics such as digital picture frames, which happen by the way to be made in China, have been found to contain rootkits and Trojan horses that have been sending passwords and other user data back to China - and they still aren't sure if that's all yet. They're calling it the "nuclear bomb of viruses".

 

- The Pentagon can't think of any of the IT hardware devices they use which are made in the U.S.

 

The last bulleted point should drive the threat home to anyone reading it. It is quite significant. In fact, this threat was further realized in November of 2008 when a piece of external hardware was linked to a massive virus that spread through the Pentagon. The result was a complete ban on all external hardware devices, such as thumb drives, DVD devices, and so forth. While certainly there are still, for instance, some computer chips that are made in the US, the US share of this market – less than 25% – is decreasing every year, on top of which even the US-made products are comprised substantially of Chinese-made components.

 

This mindset affects military security from multiple angles: it ignores various possible points of attack by disregarding both how easy they are to exploit and, perhaps, the intensity with which an endless host of actors – from 15-year-old kids with nothing to do to terrorist organizations to hostile state actors – would like to exploit them. Examining Facebook alone, there are several ways in which a compromise can occur: through malicious applications installed within Facebook by a user on Facebook that also install something on the local computer without the user’s knowledge, by social engineering attacks (fooling the user into giving up information, usually computer account information or other restricted information), and by exploiting the user’s own lack of understanding about constantly-changing security and privacy features on Facebook, which might allow the attacker to, for instance, browse the user’s list of contacts. Another technique is to spoof an account of an acquaintance or friend of your target known in real life, and get the target to add you as a “friend”. This and the other techniques all allow the attacker to gain access to at least indirectly sensitive information. They can also then compile lists of users’ personal schedules and habits, learning where the user is most likely to be successfully compromised either on or offline. Then there is the risk that an authorized user with malicious intent could use such commonly available exploits to cover his or her tracks by making it appear as if he or she were simply a victim of malware accidentally stumbled upon and had no idea data was being stolen from his or her machine or network. This and the other reasons are perhaps part of the rationale behind a number of intelligence organizations around the world forbidding employees from using social networking sites, as do some American military contractors, depending on specific remits.

 

E-mail has been a much longer-standing security concern, as it remains the primary way in which malware is spread, followed by hostile or compromised websites. Clearly, as anecdotal evidence and news accounts suggest, not enough is being done. This is particularly true with social networking sites, which are the newest threat to develop for IT security, and have done so even as the old ones have yet to be sufficiently mitigated. For instance, according to various sources, some of the US Government’s civilian agencies, which would understandably be considered lower-value targets, have stricter security policies in place than do some parts of the US military with regard to sites such as Facebook and Twitter, banning them completely.

 

In fact, there is a serious concern that many government computer systems and users are not adequately equipped and trained to meet the IT security challenges of the 21st Century. This is, of course, no state secret and the Chinese, Russians, et al., are already more than aware of it. After all, this operational security malaise has been occurring for three decades.

 

To explain his part, principal deputy assistant secretary of defense for public affairs Price Floyd offers this:

 

“Opsec needs to catch up with this stuff. This is the modern equivalent of sending a letter home from the front lines,” he added. “Opsec needs to be considered on this stuff, but the more our troops do this stuff, the better off we are.”

 

One has to wonder why our troops are “better off doing this stuff” when it has serious potential to compromise national security. The idea that military employees should have free access to social networking sites is questionable at present – particularly since the Pentagon’s IT security appears to still be trying to play catch-up. This is not an advantageous place to be, particularly given China’s and Russia’s increasingly aggressive – and effective – information warfare operations (to say nothing of other actors). It should not in any way be acceptable to simply take our chances so that users can enjoy updating their status messages. The return does not at present justify the risk and as such should be strongly reconsidered.

 



Please note that the content of these blogs does not necessarily represent the views of The Henry Jackson Society. The Henry Jackson Society is also not responsible for the content of external internet sites.