Last Friday, the Jerusalem Post reported that some 265 Israeli soldiers were lured into a cybersecurity trap, unwittingly revealing the location of a secret Israeli military base.
Soldiers who formerly served at the secret facility set up a Facebook group to serve as a mechanism to share stories and reflections about their time at the base. It was a “public, closed” group, which means the wider Facebook community could learn of the group’s existence, but applicants must request membership from the group’s organizer.
The location was exposed when a journalist requested membership, which was granted without vetting his (non-existent) military credentials.
Speaking on the condition of anonymity for fear of retribution, a soldier intimately involved in the army’s cyber operations said the group is one example of many serious security breaches by [Israeli Defense Force] soldiers in online social networks.
“It’s a security failure and they made a big mistake,” the soldier told The Media Line. “There is a reason why this base is a secret and this will undoubtedly cause harm, allowing Israel’s enemies to get important information and use it to attack Israel.
“Not only did they set up a group,” he said, “they set up the group publicly, rather than by invitation only.”
“Beyond national security, it is also a safety issue,” the source continued. “In the past Hezbollah operatives would set up a profile pretending to be Israeli women and ask to be friends with soldiers or join soldiers’ groups on Facebook. Over time through the status updates Hezbollah learned a bit about the soldiers, where they lived and were able to connect the dots. In theory, they could eventually kidnap that person,” he explained.
What’s the proper policy response? Should the IDF ban all its soldiers’ access to Facebook? That’s usually the American military’s knee-jerk response. According to Danger Room’s Noah Shachtman, education is the key. Here’s what he said in a PPI policy memo on a proper response to open-network, military-centric cyber threats:
The armed forces find it much easier to ban something than to educate its troops about responsible use. MySpace and YouTube are inaccessible from Pentagon computers – even though the military makes extensive use of the sites. Thumb drives are mostly forbidden as well, even though battlefield units rely on them to swap data in lonely places where bandwidth is hard to find. In the name of information security, information flow has been restricted. Meanwhile, secret overhead surveillance feeds are routinely left unencrypted; with an off-the-shelf satellite dish and $26 software, militants can see through the Air Force’s eyes in the sky. It’s a problem the military has known about for more than a decade but never bothered to fix. According to the Wall Street Journal, “the Pentagon assumed local adversaries wouldn’t know how to exploit it.”
Clearly, there needs to be a rather serious re-evaluation of military information assurance. The Pentagon needs to do a better job of figuring out theoretical risks from actual dangers; secret drone feeds can’t be left open while blogs are placed off-limits. Troops also need to be trained – and then trusted. The military routinely gives a 19-year-old private the power to kill everyone he sees. Surely, if that private can be taught to use an automatic rifle responsibly, he can be educated in computing without sharing secrets.
Militaries have give-and-take relationships with social networking sites. Yes, there are clearly vulnerabilities, but Facebook, Skype and Twitter are morale-boosters — they let troops in Iraq, Afghanistan and elsewhere stay connected to their families.
The military’s heavy-handed — shut-it-down mentality — kills morale and troops will get around the blockages anyway. As a former DoD civilian employee, I can give you multiple internet-based email services that allow access to your officially-blocked Gmail address.
Education is the only solution, and the military needs to embrace.
Photo credit: US Army Korea- IMCOM’s Photostream