Loki's Net

The National Security Risks of Gov 2.0 and the Social Web

Every culture has its Trickster myths because Trickster
lives on the edge of what the rest of us perceive as "real." He
crosses boundaries so often and with such ease, not to mention panache, that
our own boundaries expand because of him. Trickster is “the doorway leading
out, the spirit of the road at dusk” (Lewis Hyde) that doesn’t belong to any
town but is in-between all towns; the province of thieves and spies.

Here’s an updated version of an old Trickster tale that I
think is particularly relevant to the topic of this post–the national security
risks associated with a more open Government in general and social software in

Loki, the Norse God of mischief and mayhem, had taken to the
mountains for refuge after angering the other Gods with his latest antics. The
first thing he did was build a house with four doors; one on every side so that
he could see in all directions. With his Intrusion Detection System in place,
Loki spent the rest of his time playing in the water as a salmon, leaping
waterfalls and negotiating mountain streams.

One morning, Loki sat by a fire and considered how the gods
might capture him. Since he spent much of his time as a fish, Loki grabbed some
linen string and fashioned a fishing net of a size and weight sufficient to
snare him. Unfortunately, just as he finished, the other Gods rushed in. Loki
threw the net into the fire, transformed into a salmon, and swam away. Acting
quickly, the Gods extracted the ashes of the net from the fire and, from the
remnants, rebuilt Loki’s net, eventually ensnaring him in it.

Like Loki, we construct through our Twitter posts, Facebook
Wall entries and LinkedIn profiles our own unique “net” that sets us up for a
social engineering exploit, a financial crime, or an act of espionage.

The Trickster archetype aptly frames this discussion about
the risks and benefits of bringing Government into a Web 2.0 world because the
classic Trickster is neither good nor bad, but encompasses elements of both.
Too often, the debate surrounding Gov 2.0 becomes polarizing. Critics are
frequently grouped together as Gov 1.0 thinkers struggling against a 2.0 world,
while advocates sometimes embrace Gov 2.0 as a holy quest, refusing to
acknowledge any significant risks whatsoever.

I cannot emphasize enough that the surest way to slow our
progress toward a more technologically open Government is to try to craft this
debate in dualistic terms. Indigenous Trickster tales teach us that a more
valuable approach is to substitute utility for morality. Loki and Coyote (a
famous Trickster in Native American lore) both understand how to trap a fish
because they have swum as fish. Hyde writes in his book <a href="http://www.lewishyde.com/publications.html"Trickster Makes This
that “nothing counters cunning like more cunning. Coyote’s wits are sharp
precisely because he has met other wits.”

There are serious and significant risks associated with
Government 2.0 and the use of Social Software from a national security
perspective that need to be talked about and addressed. It is a topic that is
both complex and far-ranging and deserves much more coverage than I can provide
in this post, although I hope to at least start the conversation at a new and
edgier level. To give some perspective to the problem, there are 22,000,000
employed by the U.S. government, not counting government contractors. That fact
alone makes Gov 2.0 a very significant technological evolution.

There is ample evidence that state and non-state actors are
engaged in finding ways to exploit vulnerabilities in the U.S.’s critical
infrastructure as well as the Department of Defense’s secure (SIPRNET) and
non-secure (NIPRNET) networks. Many of these attacks have been well-documented
by Inspectors General (IG) and Government Accountability Office (GAO)
investigations as well as through Congressional committee testimony by experts.
One of the easiest ways for an attacker to gain access to those protected
networks is not through the firewall, but through the user. In any secure
system, the human element is always the weakest link. As Tim Thomas wrote in
his excellent "Cyber-Skepticism" article
for IO Sphere, the mind has no firewall but skepticism. The attack vector that best takes advantage of that vulnerability is known as social engineering.

Do you recall how Matthew Broderick’s character cracked the
password for the DOD computer Joshua in the 1983 movie “War Games?" He
studied details about the life of its creator. That’s the same strategy that
David Kernell used when he allegedly hacked into Governor Palin’s Yahoo
account, except he had the benefit of a Web 2.0 invention known as Wikipedia.

How did the individuals behind the GhostNet espionage ring
manage to entice so many people (1300 computers in 103 countries) to open an
infected document which loaded a Chinese trojan named ghostRAT onto their
system? They crafted an enticing email and document that was tailor-made for
their audience — supporters and/or employees of the Office of His Holiness the
Dalai Lama. It was such an effective social engineering campaign that 30% of
the infected computers were in sensitive government offices. And to make
matters worse, most anti-virus programs failed to identify the Trojan.

In Cyber Warfare terms, these types of hacks are a part of
Computer Network Operations (CNO) known as Computer Network Exploitation (CNE).
Today, over 130 countries are developing a cyber warfare capability with CNE as
one component.

Social media like Twitter, Facebook, MySpace, LinkedIn,
GovLoop, and many others are very attractive venues for CNE by our adversaries
because they are easily accessible, target-rich environments that can be
exploited with little to no risk under cover of anonymity.

According to a recent study conducted for one of the U.S.
Armed Services, 60% of the service members involved in the study have posted
enough information on MySpace to make themselves vulnerable to adversary
targeting. And these weren’t only young recruits making bad Operations Security
(OPSEC) decisions. The 60% group included officers and enlisted troops from Intelligence and Security postings as well as other sensitive positions posting such things as units they have deployed with, new duty stations, personal medical data, job duties, information about training, and pictures of
themselves at deployed locations.

In their paper “Social Software and National Security,"
Mark Drapeau and Linton Wells discuss the use of Twitter by Colleen Graffy, formerly Deputy Assistant Secretary of State for
Public Diplomacy, to “impress her
personality and message on foreign media prior to arriving in their countries,
and after leaving.” As the authors point
out, there are positives and negatives to Graffy’s method of using Twitter. One
of the negatives that they do not address is that Graffy’s Twitter usage can
become a vector for a non-state hacker to exploit with a @colleen_graffy tweet
containing a malicious link disguised as a tiny URL. All of a sudden, Graffy‘s
public diplomacy 2.0 effort could result in a State Department computer
becoming a zombie.

The Open APIs on Twitter and Facebook provide a virtually
unlimited resource for building target profiles on employees of sensitive
government agencies like the Departments of Defense, State, Justice, Energy,
Transportation, and Homeland Security. The Twitter stream, for example, adds a
timeline for tracking when you’re at work, where you’re going after work, and
what you are doing right now.

Another risk category is disinformation. Twitter received a
lot of coverage during the Mumbai terror attacks of November, 2008 for its role
in covering the events in real time. Part of what emerged was the potential for
terrorists to use Twitter to propagate disinformation about their whereabouts;
i.e., to announce a new attack occurring at a wrong address, thus adding chaos
and confusion to an already chaotic situation.

Finally, there is the phenomenon of online trust. If you
work in a targeted industry, you will be approached, sooner or later, by
someone who isn’t who she claims to be for the purpose of gaining and
exploiting your trust to further her own nation’s intelligence mission. One of
the quickest ways to establish trust online is by finding things you both hold
in common. Both Twitter and Facebook postings excel at that discovery effort.

How do you mitigate the risks while enjoying the benefits of
Gov 2.0 and the social web? You do it by thinking like your opponent; or like
the Trickster. Read your post twice before you hit send; once as you and once
as your adversary who is looking to exploit you. If you work for the DOD or a
government contractor, start by re-reading your employer’s OPSEC guidelines and
edit your profile and your posts accordingly. If your office hasn’t created any
OPSEC guidelines for social media yet, please let me know. My company GreyLogic is
creating training for precisely that purpose. In the meantime, here are five
things that you can do right now to reduce your risk profile

1. Involve your family members. They should understand that
by virtue of your employment with a department, agency, or service, their posts
are prime fodder for CNE. You can start by having them read this article.

2. Make OPSEC fun by making a game of it. For example, trade
Twitter or Facebook aliases among your coworkers and see how much information
you can learn about each other by using publicly available search tools. Then
draft two or three email topics that would entice that person to take your bait
if you were an adversary running a Spear Phishing operation. I promise that
you’ll be amazed at the results. In fact, you should do this same exercise with
your family members.

3. Be more skeptical about anyone who contacts you as a
result of your posting on a social network. See if you can find their Internet
footprint by searching on their name and email address. An alias with no
Internet history should immediately raise a red flag.

4. Anyone can start a DOJ, DHS, DOE or other government
agency community on Ning, LiveJournal, Facebook, etc. Don’t affiliate yourself
with any community that you don’t know for sure is an officially sponsored and
sanctioned one. Talk about shooting fish in a barrel.

5. Facebook recently reported that 70% of its traffic comes
from overseas. Become more cautious about who you friend and who is privy to
reading your posts.

In myth, like in life, the Trickster relies on the instincts
and appetites of his prey to spring his trap. For those of us in Government or
affiliated with Government, we would do well to remember that as we engage with
Gov 2.0 on the social web.

tags: , , ,