05 August 2009

Let's talk OP-SEC, ba-by, let's talk about you and me...

(Yes, the early 90s really were that lame)

This post is in response to a number of articles (Today at SWJ, plus the round-up posted the other day here at WOI, as well as some great articles from Soldiers in the Blogosphere) regarding the risks to OPerational SECurity (OPSEC, as we call it) which might stem from blogs, and Web 2.0 social networking sites.

Soldiers in the Blogosphere (thanks for the back-link, guys) posted an article a few months back regarding the risks to operational security posed by blogs and social networking sites, and how to go about mitigating the risk. If you hadn't guessed by now, the military is still trying to find the happy median between the risks to operational security versus the payoff of good public relations and information operations.

Certainly, anyone who posts information on the Internet should be aware of the risks to privacy and operational security. There's two schools of thought within the military with regards to attitudes towards blogs. One camp feels that blogs represent an immense security risk. One the other hand, another camp embraces this new technology. This latter group includes figures such as Lt. Gen. Caldwell (US Army Combined Arms Center Commander, who blogs at the USACAC website), Maj. Gen. Oates (10th Mountain Division Commander, who blogs at Task Force Mountain), and Admiral James Stavridis (who blogged at his former post at the US Southern Command website). Although these officers have immense support, they still face incredible organizational resistance. From DefenseLink:

“[Lt. Gen. Caldwell says] For the first four or five months there, I kept working through the system to get permissions to allow us to blog, go on YouTube, play with Facebook,” he said. “I wanted to engage in these social media forums, and you just couldn’t get access to them on your military computers.”

But Caldwell met with red tape everywhere he turned -- until he mentioned his frustration to Casey, now Army chief of staff, during one of Casey’s monthly visits to the Combined Arms Center.

“He looked at me and said, ‘Just do it,’” Caldwell said. “And when I asked him if this meant he was giving his permission to do this, he said, ‘Absolutely.’ He said, ‘We have got to change the culture of the Army, and you can help make this happen.’”

Then-Army Secretary Pete Geren turned into another big advocate of giving soldiers access to social media.

Caldwell got the ball rolling at the Combined Arms Center by starting to blog on the center’s Web site. “I’m not a prolific blogger, but I recognize that if I don’t get on there periodically and do it, nobody else will,” he said. “I saw it as a venue to stimulate discussion. It was a great mechanism to reach out and touch a large portion of the United States Army about an issue we might want to talk about or dialog on.”

He recognized many soldiers’ resistance to blogging, especially after a Defense Department message had outright prohibited the practice in late 2006. Those willing to give it a try still felt hampered by longstanding approval chains that stilted opinion-sharing and individual expression.

So Caldwell began requiring his students to blog as part of their curriculum at the center. His goal, he said, is to help create a new generation of leaders who recognize the power of social media and help the Army change its cultural mindset so it’s able to embrace it.

“The idea is, once you have done it and have seen the power of social networking that can be done through the blogosphere, we are hoping that it becomes a routine habit they have through the rest of the academic year,” he said. “That way, by the time they graduate, they are comfortable doing it and recognize it as something they can use … as a great connectivity tool.”

The Army traditionally errs on the side of caution when it comes to blogs and social media. To this end, a number of organizations within the military have created PowerPoint briefings regarding the risks posed by open-source information mining.

Soldiers in the Blogosphere links to a great presentation created by the 1st Information Operations Command, but you need access to Army Knowledge Online to access it. I'll hit some of the high points, along with some analysis.

I should first note that although it is good to educate Soldiers about the inherent security risks of blogging, our OPSEC classes never discuss how blogs and social media sites actually help the American cause in the complex 21st Century world. Indeed, by only talking about the risks posed by blogs, these classes often resemble those scare-tactic filmstrips you saw in Catholic school about the horrors of masturbating (WTF was wrong with my childhood?).

Anyway, on to the standard OPSEC class. I should note that it is actually quite good, and discusses some great aspects of online security. Indeed, anyone with ill intentions can read an American blog. I'd be foolish to think that all those IPs from Iran that stumble upon this blog are just looking for Megan Fox pics--although the majority of them are, in fact, directed by Google Images from searches for "Megan Fox".

Anyway, on to OPSEC and some miscellaneous thoughts. First—The presentation from 1st IO Command gives some unintentional advertising for Greyhawk’s Mudville Gazette. (As a side note, you need to add Greyhawk to your RSS feed and check his site daily. It is probably one of the best collections of Milblogs you will find.) The presentation notes, correctly, that Greyhawk links to a few hundred milblogs, and has a huge following, mostly from the retired military crowd. Which is great, since there's a lot of people who want to see what troops are doing in combat zones. On the other hand, the presentation notes that it's also a great one-stop shop....FOR TERRORISTS!

It's a little alarmist. Reading the Mudville Gazette, there's very little on the site that seems to tip our hand in regards to our tactics (he does a great job at staying within the happy median). OPSEC purists might disagree, though. For example, some might find offense with a batch of stories earlier this week which talk about the weather in Iraq--which was plagued with heavy dust storms. Some may view this as an OPSEC risk, whereas I, on the other hand, take the point of view that our enemies in Iraq who want to kill us are also living through the same dust storms as we are. I think most Iraqis are well aware that Iraq is a.) hot, b.) sandy and c.) plagued with sandstorms.

Secondly, the presentation examines the grey area of what is permissible and what is not permissable to speak about. While the presentation errs on the side of caution, I'm not so certain. For example, the presentation recommends not discussing the names of units in Iraq, even though they are usually published months ahead of deployment. Indeed, my old battalion first found out that they were deploying to Afghanistan when CNN published a list of upcoming unit rotations. They're hardly alone, either. Even the local small-town newspapers seem to know of upcoming deployments.

The presentation also discusses that it's important not to discuss morale issues. Unfortunately, I have to disagree with this one as well, since a.) family and morale issues are often brought up in the mainstream media--for example, First Lady Obama's emphasis on military families--and b.) that talking about the small morale issues gives a blog a more human quality that allows the reader to connect with the author. Those little complaints here and there reassure the reader that the blog is authentic, and that it's not sanctioned propaganda.

The presentation also brings up some great points about real threats, which are important to highlight to Soldiers. Insurgent and terrorist groups can and do look for pictures of "battle damage assessment" (BDA) and military tactics online, in order to take notes and refine their tactics, techniques and procedures. Indeed, if you're wondering why I don't post more cool flying stories, it's because I know someone's reading and taking notes.

Another good point to take into consideration is the potential for exploitation and intimidation of military members and their families. (Boss Mongo also astutely noted this earlier this week) I'm not going to go into detail about that, except for the fact that I would emphasize the importance of setting profiles on social networking sites to private during deployments, and not listing your location as "Iraq". Oh, and above all, do not list your location as a ten-digit grid coordinate as some jackasses do. I'm not making that up, either. People really give the location of their bunks down to the square meter. Seriously, don't do that.

Commanders--get net-savvy and do a routine check of your Soldiers' profiles to ensure they're complying with OPSEC. There's a lot of great potential for these new technologies to spread a great message. There's also a lot of potential for exploitation. However, we have to be adept at this technology, because our enemies are almost as adept at using the Internet as we are. And with their alleged use of the Dark Web and the Deep Internet, they're just as difficult to hunt and combat online as they are in the physical world.

Focus: Where is the happy middle ground between online security and a successful information operation?


Sarah Sofia Ganborg said...

You know people can talk all they want and justify anything... What counts is the intention - which always does reflect in the statistics of their actions!

Anonymous said...

I recently came accross your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.



Akinoluna - a female Marine said...

I still think it's funny how they are SO worried about the "us" and our social networking and blogging, when the government's own websites are responsible for FAR more OpSec violations.