On Thursday The Department of Defense issued a memorandum setting the ground rules for accessing social media sites. All components of the DoD “shall be configured to provide access to Internet-based capabilities” which include “collaborative tools such as SNS [social networking services], social media, user-generated content, social software, e-mail, instant messaging, and discussion forums (e.g., YouTube, Facebook, MySpace, Twitter, Google Apps).”

In short, social media sites shall remain unblocked. The most interesting part of the policy concerns the maintenance of “personal, corporate or subject-specific” blogs, to which the DoD now grants access service-wide. As long as servicemembers pay due respect to operational security, the policy formally allows them to update and run a blog. However, commanders are allowed to temporarily restrict activity to “address bandwidth constraints,” a clause which might prove vague enough to allow arbitrary blocking of sites.

I’m excited that the DoD is defaulting to “yes” when it comes to social media; however, we’ll see how the policy becomes enforced.

Posted by Jeffrey Withington in Maritime Security, Navy, Soft Power

You can leave a response, or trackback from your own site.

  • Sam Kotlin

    Sounds like a clear victory for Master Sgt. Grisham over at his blog (see ‘Mess Deck Intelligence’ in February Proceedings). Fly a broom.

  • Riyawzidawn

    I’m all for OPSEC and, having been deployed, I understand bandwidth issues. However, some of the website blocking has been, to say the least, somewhat overzealous. For example, many reporters on ABC, CBS, etc. use blog and photo sites where the details of stories are placed – those details which were edited for time constraints. DoD (or local) policy has been to block those sites as “social networking” sites. I’ve yet to figure out what nefarious activity they prevent by doing that. (Actually, I do understand: “Thou shalt not, no way, no how, no exceptions” policies are very easy to manage – “blogspot.com”, gone …)

    Bandwidth concerns, especially in CONUS or at major installations overseas, seem overblown. When the E5 Association sends out an announcement of a chili dog fundraiser to an entire command as a 1.5 MB Powerpoint slide (complete with music and animation), quibbling over downloading a 125K news photo seems silly.

    The policy shift should have been no surprise. As component commanders and CJCS have their own twitter and Facebook sites, you had to know that the policy was going to have endorsement from above. (And it’s certainly been no surprise to anyone that NCOs and Petty Officers have found a delicious irony in the fact that they couldn’t see, for example, the CENTCOM FB page at work.)

    I agree with jwithington. It’s a good policy, but the real key is going to be implementation. Standing by …

  • The social media policy just signed off by the DEPSECDEF states that the NIPRNET should be configured to provide secure access to the INTERNET. That is not actionable. The new policy leaves the question how to make NIPRNET work securely without a practical resolution how to work with a fundamentally flawed INTERNET.

    DoD operates over 500 major networks plus innumerable local network connections. It connects over 5 million desktops, laptops and smart phones. A large share of these networks is switched over the public Internet, where every router and every switch are potential entry points for an attack.

    Each of the DoD networks has different configuration and inconsistent firewalls. Each has inconsistent virus protection means. There are at least 10,000 high turnover administrators trying to defend over 4,000 major applications and innumerable points of entry with patches, software updates and fault fixes. The defenders use inconsistent, incomplete and insufficiently supported management methods.

    Given this fractured environment as well as the enormously large attack surface offered to millions of potential intruders, DoD cannot secure the existing NIPRNET to accept risk-free secure communications passed through the INTERNET. NIPRNET cannot be trusted to convey over a billion/month messages from YouTube, Facebook, MySpace, Twitter, Google Apps, etc. without a zero-day attack eventually breaching through.

    The proposed social networking policy continues to leave DoD vulnerable to a wide range of attacks. All it takes is a few botnets/day to bore through an unwatched port to potentially discredit reliance on the NIPRNET.

    The new policy should also outline solutions for reducing the attack surfaces through desktop and server virtualization. As first priority this would place secure “zero clients” desktops in protected private clouds operated by DoD so that Internet access can be safeguarded. That will be especially important as people access more data to protected networks through mobile clients.
    DoD must offer collaboration services so that people do not have to resort to toxic social media to satisfy their needs.

    Strassmann, former Director of Defense Information, Office of the Secretary of Defense

  • Noel Dickover

    Just to follow up with Mr. Strassman’s comment that “The new policy should also outline solutions for reducing the attack surfaces through desktop and server virtualization.” – the policy itself is intended to address a wide range of capabilities, not just social networking services. The larger intent is to get DoD to start keeping pace with these emerging technologies and ensure our infrastructure is protected and that we are taking advantage of the opportunities to improve our mission.

    While I definitely agree that solutions for reducsing the attack surfaces through desktop and server utilization is a great idea worth pursuing, this shouldn’t be embedded in the policy itself. The policy should list the Component who is responsible for fulfilling that task, and others like it. In fact this is what was done – CDR USSTRATCOM has the responsibility to “Assess risks associated with the use of Internet-based capabilities, identify operational vulnerabilities, and work with the ASD(NII)/DoD CIO to mitigate risks to the GIG.”(Page 9, 6.b.). Respectfully, if we put the level of detail Mr. Strassmann advocates in the policy itself, we would need to rewrite the policy every time a new emerging technology created additional risks.