Social Networking and OPSEC Training
September 3, 2012
What do Admiral James Stavridis, NATO’s Supreme Allied Commander in Europe, Sir John Sawers, Chief of Britain’s MI6 intelligence service, and fictional cyber threat analyst, Robin Sage, have in common?
This is not the Security version of “why did the chicken cross the road.” The three “individuals” serve as high-profile, embarrassing reminders that social networking is a low-cost but highly effective means of exploiting trust, undermining Operational Security, and gaining otherwise prohibitive access to important personnel.
The Legacy of Robin Sage
In 2010, a July 18th article in the Washington Times reported “an attractive, flirtatious 25-year-old woman working as a ‘cyber threat analyst’ at the U.S. Navy’s Network Warfare Command” had accumulated several hundred contacts using the social networking site LinkedIn to target individuals in sensitive military, security, and intelligence positions. The most disconcerting problem, however, was not that Robin Sage, a name taken from a Special Operations’ training phase, had no affiliation, official or unofficial, with the U.S. Navy’s Network Warfare Command; it was that “she” did not exist at all.
Thomas Ryan, managing partner at security specialist firm Provide Security, had created Robin Sage as an experiment to highlight how easily access to, and personal information about, individuals in sensitive national security positions can be gained through social networking sites.
Sir Sawers’ Unfriendly Facebook Ultimatum
Prior to the Sage incident, in 2009, the wife of Sir John Sawers, who was then only months away from assuming the highest position at MI6, posted a few seemingly innocuous photos to Facebook. Sir Sawers’ wife unwittingly had an open profile on Facebook and had not limited her visibility settings, so photographs and information were readily available for anyone to see.
For the average Facebook user, these photos would have little consequence. For Sawers, however, it was an embarrassing leak of what was described by British newspaper, the Daily Mail, as “intimate photographs and family details.”
To be sure, the risk for the family and to state security was not overblown. The details, the Daily Mail explained, “[included] the location of the London flat used by the couple and the whereabouts of their three children and of Sir John’s parents.”
The incident clearly illustrates the potential consequences when individuals in sensitive positions post personal information to social-networking sites.
Admiral Stavridis and the Born Facebook Identity
To casual observers, the two aforementioned incidents suggest only that awareness and self-policing of social networks need to increase. However, there is much more to these examples than appears. They are not mere warning signs of potential vulnerabilities inherent in social networking; they also define a roadmap for infiltration and espionage efforts.
The British newspaper, The Telegraph, on March 10 of this year, featured a major security exploitation achieved by suspected “state-sponsored individuals in China.” A combination of social engineering, social networking, and “spear-phishing” attacks produced a fraudulent Facebook account in the name of Admiral James Stavridis to target “senior British military officers and Ministry of Defence officials” by “friending” them.
Although the motives of the perpetrators don’t appear to focus on direct espionage (as the targets were unlikely to post classified information on the social network), personal information similar to that exposed in the Sawers incident could have led to the acquisition of email addresses, phone numbers, and locations, carrying serious security implications.
One should also wonder if this wasn’t so much an effort aimed at penetrating a specific target, as it was to create a known web of connections to be used for link analysis of other potential targets.
Nonetheless, the Chinese effort here is the first of many social-networking espionage targets of opportunity and potential long-term value. Their effort is less of a concern than the lesson that is illustrated ad nauseam: social networking/engineering is low-hanging fruit on a large tree, ripe for the taking.
Recommendations for G.I. Joe
In a recent unclassified briefing, “Geotags and Location-Based Social Networking,” the US Army identifies and articulates the implications and unintended consequences of GPS and location services on social networking sites, determining their use to be a major OPSEC issue. The top three platforms are known to: “establish patterns,” “expose places of duty and home,” and identify the “location of Army personnel.” The briefing notes that the enemy can determine targets both of consequence and of opportunity, and that ceding this information provides the enemy with greater situational awareness and data points it would not have had otherwise. Furthermore, one ill-timed or poorly conceived post can undermine an entire mission.
OPSEC Supremacy and Social Networks
The summative lesson is a frustrating one; the most innocuous slips of the keyboard can be used to derive sensitive and potentially damning information. This, though, is the nature of the intelligence beast, and any following recommendation seems to be overly simplistic.
Army recommendations include: not tagging photos with location, not leveraging location-based social networks when training or deployed, determining if the default privacy settings are OPSEC compliant, and turning off any GPS functionality on smartphones.
The problem remains. Social networking has a low barrier to entry, casualness, and a disarming familiarity that often lulls individuals into a false sense of security. Should need-to-know carry through to social networking and, if so, is the best solution an absolute one of abstinence?
Social networking self-denial seems, again, to be an over-simplification of the desire to interact. As demonstrated by repeated high-profile indiscretions, this issue is not isolated but a systemic challenge facing the defense, intelligence, and private sector security community at large.
Ultimately, Foreign Intelligence and Security Services are playing the game and doing so very overtly. As the famous line from the 1959 movie, Goldfinger, reminds us: “Once is happenstance, twice is coincidence, the third time it’s enemy action.”