Article Details

Scrape Timestamp (UTC): 2025-11-17 21:34:49.495

Source: https://www.theregister.com/2025/11/17/pentagon_soldiers_secrets_socials_whoops/

Original Article Text

Pentagon and soldiers let too many secrets slip on social networks, watchdog says

Ready, aim, mire.

Loose lips sink ships, the classic line goes. Information proliferation in the internet age has government auditors reiterating that loose tweets can sink fleets, and they're concerned that the Defense Department isn't doing enough to stop sensitive info from getting out there.

The Government Accountability Office (GAO) on Monday made public a report finding that the DoD hasn't been properly training its civilian staff or military members, nor issuing proper guidance, on how to keep secrets secret. The info leaks include social media posts by military members and their families, but press releases and other information the Pentagon publishes itself were part of the equation, too.

GAO auditors posed as threat actors and found multiple ways they could use info they discovered online to disrupt operations. Take naval maneuvers, for example. In one case, GAO auditors cited public social network support groups for families of deployed sailors, and private social media groups that discussed promotions, assignments, and squadron compositions. Such data could be used to link sailors to their immediate family members, locations, and behaviors, creating an avenue for blackmail or other coercive tactics to extract info from servicemembers. It could also endanger military units on active maneuvers, GAO noted.

In another case, a press release identified - with photographs - a service member who completed urban sniper training. GAO investigators were able to buy information about the individual on the dark web, linking them to a particular unit, their rank, and other details. Additional research gave them info about the member's family, too, again opening up the possibility of blackmail.

"The digital activity of DoD's service members, contractors and family members … can generate volumes of traceable data that can threaten their privacy and safety, and ultimately our national security," GAO said of its findings.

This isn't a problem unique to the US military, either. Russian forces have outed their positions in Ukraine via social media posts since the beginning of Moscow's invasion of its neighbor.

Plenty of blame to go around

According to the report, 10 DoD components either failed to train their people properly or didn't assess their own security tactics adequately. Unfortunately, we didn't need the GAO to tell us that. Nine components had training material that was inconsistent or too narrowly focused, typically on OPSEC, while ignoring force protection, insider threats, and mission assurance. Likewise, eight of those ten components fail to conduct threat assessments across all those aforementioned areas.

Sure, soldiers, sailors, airmen, and marines bear the blame for posting things on social media that they shouldn't, but if they aren't being properly trained, the DoD only has itself to blame. The Office of the Secretary of Defense, GAO noted, "has not consistently issued policies and guidance to address the digital profile threat."

The GAO issued 12 recommendations to the DoD to help reduce its exposure to digital threats. The DoD concurred with all the recommendations and said it was taking action to address them, save perhaps the most crucial one. The GAO suggested that the Defense Security Enterprise Executive Committee, a body within the DoD responsible for security policy, assess security policies and guidance across the Defense Department to identify gaps and make recommendations to fix them. But the DoD only partially concurred, arguing that the Pentagon's authority is limited when it comes to the personal activities of DoD personnel, much less that of their families.

In essence, the DoD admitted that it could be more careful about sharing information, but its hands are tied when it comes to what its people share. GAO auditors didn't seem impressed with that excuse.

"We recognize that there is a spectrum of who releases information," the GAO said in response. "However, as we depicted in our scenarios, a malicious actor does not care who releases the data … That is why we did not limit our recommendation to just policy, but also included improvements to training and awareness campaigns."

This vulture, for one, is glad he did his tour of duty in the US Army before the era of social media. Sure, a single soldier could do some damage by saying the wrong thing to the wrong person, but it's nothing like the security nightmare that comes with people publishing every aspect of their lives on the internet.

Now if only the DoD cared enough to do more than just updating old WWII-era messaging for the modern age, we'd be in a much better position.

Daily Brief Summary

DATA BREACH // GAO Report Exposes DoD Vulnerabilities via Social Media Leaks

The Government Accountability Office (GAO) identified significant lapses in the Department of Defense's (DoD) training and guidance on preventing sensitive information leaks through social media channels.

Auditors acting as threat actors discovered exploitable data from military personnel and their families online, posing risks to operational security and personal safety.

Public social media posts and official press releases were found to inadvertently disclose sensitive details, potentially endangering military operations and personnel.

The GAO's investigation revealed that 10 DoD components lacked comprehensive training and threat assessment protocols, particularly in areas beyond traditional operational security.

The GAO issued 12 recommendations to the DoD, which agreed to implement all but one, citing limitations in controlling personal digital activities of personnel and their families.

The report underscores the need for improved digital awareness and training to mitigate risks posed by the digital footprints of service members and their families.

The DoD's partial acceptance of recommendations highlights ongoing challenges in balancing operational security with personal freedoms in the digital age.