Loki's Net

The National Security Risks of Gov 2.0 and the Social Web

Every culture has its Trickster myths because Trickster
lives on the edge of what the rest of us perceive as "real." He
crosses boundaries so often and with such ease, not to mention panache, that
our own boundaries expand because of him. Trickster is “the doorway leading
out, the spirit of the road at dusk” (Lewis Hyde) that doesn’t belong to any
town but is in-between all towns; the province of thieves and spies.

Here’s an updated version of an old Trickster tale that I
think is particularly relevant to the topic of this post–the national security
risks associated with a more open Government in general and social software in
particular.

Loki, the Norse God of mischief and mayhem, had taken to the
mountains for refuge after angering the other Gods with his latest antics. The
first thing he did was build a house with four doors; one on every side so that
he could see in all directions. With his Intrusion Detection System in place,
Loki spent the rest of his time playing in the water as a salmon, leaping
waterfalls and negotiating mountain streams.

One morning, Loki sat by a fire and considered how the gods
might capture him. Since he spent much of his time as a fish, Loki grabbed some
linen string and fashioned a fishing net of a size and weight sufficient to
snare him. Unfortunately, just as he finished, the other Gods rushed in. Loki
threw the net into the fire, transformed into a salmon, and swam away. Acting
quickly, the Gods extracted the ashes of the net from the fire and, from the
remnants, rebuilt Loki’s net, eventually ensnaring him in it.

Like Loki, we construct through our Twitter posts, Facebook
Wall entries and LinkedIn profiles our own unique “net” that sets us up for a
social engineering exploit, a financial crime, or an act of espionage.

The Trickster archetype aptly frames this discussion about
the risks and benefits of bringing Government into a Web 2.0 world because the
classic Trickster is neither good nor bad, but encompasses elements of both.
Too often, the debate surrounding Gov 2.0 becomes polarizing. Critics are
frequently grouped together as Gov 1.0 thinkers struggling against a 2.0 world,
while advocates sometimes embrace Gov 2.0 as a holy quest, refusing to
acknowledge any significant risks whatsoever.

I cannot emphasize enough that the surest way to slow our
progress toward a more technologically open Government is to try to craft this
debate in dualistic terms. Indigenous Trickster tales teach us that a more
valuable approach is to substitute utility for morality. Loki and Coyote (a
famous Trickster in Native American lore) both understand how to trap a fish
because they have swum as fish. Hyde writes in his book Trickster Makes This World
(http://www.lewishyde.com/publications.html)
that “nothing counters cunning like more cunning. Coyote’s wits are sharp
precisely because he has met other wits.”

There are serious and significant risks associated with
Government 2.0 and the use of Social Software from a national security
perspective that need to be talked about and addressed. It is a topic that is
both complex and far-ranging and deserves much more coverage than I can provide
in this post, although I hope to at least start the conversation at a new and
edgier level. To give some perspective to the problem, there are 22,000,000
people employed by the U.S. government, not counting government contractors. That fact
alone makes Gov 2.0 a very significant technological evolution.

There is ample evidence that state and non-state actors are
engaged in finding ways to exploit vulnerabilities in the U.S.’s critical
infrastructure as well as the Department of Defense’s secure (SIPRNET) and
non-secure (NIPRNET) networks. Many of these attacks have been well-documented
by Inspectors General (IG) and Government Accountability Office (GAO)
investigations as well as through Congressional committee testimony by experts.
One of the easiest ways for an attacker to gain access to those protected
networks is not through the firewall, but through the user. In any secure
system, the human element is always the weakest link. As Tim Thomas wrote in
his excellent "Cyber-Skepticism" article
for IO Sphere, the mind has no firewall but skepticism. The attack vector that best takes advantage of that vulnerability is known as social engineering.

Do you recall how Matthew Broderick’s character cracked the
password for the DOD computer Joshua in the 1983 movie “War Games”? He
studied details about the life of its creator. That’s the same strategy that
David Kernell used when he allegedly hacked into Governor Palin’s Yahoo
account, except he had the benefit of a Web 2.0 invention known as Wikipedia.

How did the individuals behind the GhostNet espionage ring
manage to entice so many people (1300 computers in 103 countries) to open an
infected document which loaded a Chinese trojan named ghostRAT onto their
system? They crafted an enticing email and document that was tailor-made for
their audience — supporters and/or employees of the Office of His Holiness the
Dalai Lama. It was such an effective social engineering campaign that 30% of
the infected computers were in sensitive government offices. And to make
matters worse, most anti-virus programs failed to identify the Trojan.

In Cyber Warfare terms, these types of hacks are a part of
Computer Network Operations (CNO) known as Computer Network Exploitation (CNE).
Today, over 130 countries are developing a cyber warfare capability with CNE as
one component.

Social media like Twitter, Facebook, MySpace, LinkedIn,
GovLoop, and many others are very attractive venues for CNE by our adversaries
because they are easily accessible, target-rich environments that can be
exploited with little to no risk under cover of anonymity.

According to a recent study conducted for one of the U.S.
Armed Services, 60% of the service members involved in the study have posted
enough information on MySpace to make themselves vulnerable to adversary
targeting. And these weren’t only young recruits making bad Operations Security
(OPSEC) decisions. The 60% group included officers and enlisted troops from Intelligence and Security postings as well as other sensitive positions posting such things as units they have deployed with, new duty stations, personal medical data, job duties, information about training, and pictures of
themselves at deployed locations.

In their paper “Social Software and National Security,”
Mark Drapeau and Linton Wells discuss the use of Twitter by Colleen Graffy,
formerly Deputy Assistant Secretary of State for Public Diplomacy, to “impress her
personality and message on foreign media prior to arriving in their countries,
and after leaving.” As the authors point
out, there are positives and negatives to Graffy’s method of using Twitter. One
of the negatives that they do not address is that Graffy’s Twitter usage can
become a vector for a non-state hacker to exploit with a @colleen_graffy tweet
containing a malicious link disguised as a tiny URL. All of a sudden, Graffy’s
public diplomacy 2.0 effort could result in a State Department computer
becoming a zombie.

The Open APIs on Twitter and Facebook provide a virtually
unlimited resource for building target profiles on employees of sensitive
government agencies like the Departments of Defense, State, Justice, Energy,
Transportation, and Homeland Security. The Twitter stream, for example, adds a
timeline for tracking when you’re at work, where you’re going after work, and
what you are doing right now.

Another risk category is disinformation. Twitter received a
lot of coverage during the Mumbai terror attacks of November, 2008 for its role
in covering the events in real time. Part of what emerged was the potential for
terrorists to use Twitter to propagate disinformation about their whereabouts;
i.e., to announce a new attack occurring at a wrong address, thus adding chaos
and confusion to an already chaotic situation.

Finally, there is the phenomenon of online trust. If you
work in a targeted industry, you will be approached, sooner or later, by
someone who isn’t who she claims to be for the purpose of gaining and
exploiting your trust to further her own nation’s intelligence mission. One of
the quickest ways to establish trust online is by finding things you both hold
in common. Both Twitter and Facebook postings excel at that discovery effort.

How do you mitigate the risks while enjoying the benefits of
Gov 2.0 and the social web? You do it by thinking like your opponent; or like
the Trickster. Read your post twice before you hit send; once as you and once
as your adversary who is looking to exploit you. If you work for the DOD or a
government contractor, start by re-reading your employer’s OPSEC guidelines and
edit your profile and your posts accordingly. If your office hasn’t created any
OPSEC guidelines for social media yet, please let me know. My company GreyLogic is
creating training for precisely that purpose. In the meantime, here are five
things that you can do right now to reduce your risk profile:

1. Involve your family members. They should understand that
by virtue of your employment with a department, agency, or service, their posts
are prime fodder for CNE. You can start by having them read this article.

2. Make OPSEC fun by making a game of it. For example, trade
Twitter or Facebook aliases among your coworkers and see how much information
you can learn about each other by using publicly available search tools. Then
draft two or three email topics that would entice that person to take your bait
if you were an adversary running a Spear Phishing operation. I promise that
you’ll be amazed at the results. In fact, you should do this same exercise with
your family members.

3. Be more skeptical about anyone who contacts you as a
result of your posting on a social network. See if you can find their Internet
footprint by searching on their name and email address. An alias with no
Internet history should immediately raise a red flag.

4. Anyone can start a DOJ, DHS, DOE or other government
agency community on Ning, LiveJournal, Facebook, etc. Don’t affiliate yourself
with any community that you don’t know for sure is an officially sponsored and
sanctioned one. Talk about shooting fish in a barrel.

5. Facebook recently reported that 70% of its traffic comes
from overseas. Become more cautious about who you friend and who is privy to
reading your posts.

In myth, like in life, the Trickster relies on the instincts
and appetites of his prey to spring his trap. For those of us in Government or
affiliated with Government, we would do well to remember that as we engage with
Gov 2.0 on the social web.

  • Kelcy

    Storytelling seems more effective in discussing difficult subjects or telling people “no”. Hopefully this storyline and others will continue the discussion on the need to manage the risks associated with social media. Risks that cover more than just national security but include predators into our personal lives. Openness and transparency are desirable attributes but must be balanced with common sense and education in order to protect privacy and security.

  • http://www.intelfusion.net Jeff

    Thanks for the feedback, Kelcy. I’m working on implementing your suggestion even as I type this reply!

  • http://piershollott.blogspot.com Piers Hollott

    The security layer on the OLPC XO was named “bitfrost” after Bifröst, the mythological bridge between the world of mortals and gods, which was built to be strong, but eventually is broken, an acknowledgment that there’s no such thing as a perfect security system. If you believe you are immune to exploitation, it’s only a matter of time until you are exploited.

  • http://greylogic.us Jeff

    Good point, Piers, and thanks for adding another mythical analogy that demonstrates how a dualistic all or nothing outlook doesn’t serve us very well.

  • http://www.technologyslice.com.au Technology Slice

    The sad part is most people have no idea what is happening with their private data. They give every little piece of information that is asked of them without questioning it.

  • http://www.stapleton-gray.com Ross Stapleton-Gray

    It would also be good if federal agencies abandoned the “M&M” model for security (a hard external shell, but a soft, unprotected interior) in favor of being able to survive even malicious insiders, let alone those who’ve been compromised through social engineering.

    My personal pet rock, though, re the government and IT security is the DoD’s Wide-Area Work Flow (WAWF) site, which I’m required to use to submit invoices for grant work: the site has an invalid certificate, but that’s ok, just use it anyway (and only with IE… doesn’t permit Firefox). So every day the DoD is training its contractors to disregard security warnings. Try it: http://wawf.eb.mil

  • http://twitter.com/LaurieVanLeuven Laurie VL

    Jeff, I enjoyed your article and the advice at the end is right on point. I just graduated from the Naval Postgraduate School, Center for Homeland Defense and Security and authored my thesis about Citizen engagement during emergencies through use of Web 2.0 technologies. I appreciate the counter-argument, since we all know there are no magic bullets. Please see link to my thesis if interested.
    Laurie

    https://www.hsdl.org/homesec/docs/theses/09Mar_VanLeuven.pdf&code=199bde753c51d80f5305712e979165af

  • http://publicdiplomacypressandblogreview.blogspot.com/ john brown

    Thank you for a very interesting post. I found your comment on Ms. Graffy’s twittering particularly thought-provoking. You might be interested in my blog, “Public Diplomacy Press and Blog Review.”
    http://publicdiplomacypressandblogreview.blogspot.com/
    Best wishes.

  • Michael

    I for one will not blindly follow the logic or conclusions of this article. Are there risks involving government in web 2.0 technologies, absolutely. Any more risk than other communication mediums, hardly. Young Marines, soldiers and civilians are using these systems everyday to effectively communicate personal information and is becoming their default messaging tool. The DOD and govt community was just as apprehensive about email and now they are all crackberry addicts. It is time to embrace the technology, put effective guidance and op sec policy in place.

  • http://www.cfc.forces.gc.ca/136/285-eng.html Paul T. Mitchell

    This is a terrific post. There is a group of scholars at the Canadian Forces College who are starting a research project on risk, trust and security in the information age that is looking at this problem directly. You are bang on with the observation that we have to move beyond the dichotomy between social networking activists and the grim stone walling by the military and intelligence community. Would appreciate the opportunity to discuss this with you more directly.

  • http://macmudgeon.wordpress.com Jack Repenning

    Great myth-making, Jeff, only I think you picked the wrong protagonist. Trickster’s errors come from over-dreaming, and his failures are visible to us all, and may through visibility be avoided (as your post helps do). The one whose casual oversights lead to this kind of disaster is the “big boss,” say Odin, who relies on authority or power or secrecy for a safety all too illusory: http://snurl.com/jar9m [macmudgeon_wordpress_com].

  • http://piershollott.blogspot.com Piers Hollott

    @Jack Repenning – Odin, or Woden, was originally a trickster figure in the Norse pantheon, as evidenced by the association with Wednesday (French Mercredi is a reference to Mercury, another trickster figure). Scholars have suggested that Odin and Loki were once different names for the same figure. Hump day has always been about trickster characters.

    Not to be pedantic, though. I agree with the point you are making.

  • http://macmudgeon.wordpress.com Jack Repenning

    An interesting and pertinent news event: Man Robbed After Twittering “I’m On Vacation.”

    http://tinyurl.com/owqcdy

    @Piers Hollott: but pedantry is so much fun! For example, in some tellings, Elder Brother is also a Trickster. And Tricksters are often creators. It’s definitely more complicated than I make it.

    Maybe Oedipus is a safer example of a non-trickster character whose good intentions in a very responsible role are ineluctably brought to naught by his ordinary, fallible humanity.

  • Jeffrey

    Thank you for the many comments.

    Laurie, I’m looking forward to reading your thesis. Thanks for the link.

    Paul, sorry you had such a hard time reaching me. Glad we were finally able to connect.

    Michael, while I respect a good rant, your closing sentence actually makes my point – i.e., that we can have both Gov 2.0 including the use of Social Software with improved OPSEC policies and training in place.

    Piers and Jack – indigenous legends are rich with material on Tricksters. Thanks for providing your feedback on the subject.

    I apologize for the short responses but I’m at a conference getting ready to give a talk on Russian Cyberwarfare and need to prep a bit more for a ‘tough audience’. :-)

  • http://Silona.org Silona

    I have often said that google did us a favor by showing us just how public we actually are.

    Our data was taken from us years ago in marketing databases, credit card files, banking db etc etc

    The interesting thing is people only get upset about the personal data being public to friends or associates not realizing the other impacts that data could have… like here!

    I do like your game though (Could be made into an interesting cellphone or facebook game ala trivial pursuit your social network :-) ponder ponder)

    cheers,
    Silona