Pentagon to update rules for using commercial social media sites
CORRECTION: This story originally said that the Pentagon planned to ban the use of .mil e-mail addresses on commercial social media sites, which was incorrect. Military officials say they will soon update their social media policy with privacy and security rules, but do not plan to ban .mil addresses from social media.
In the wake of a dating site hack that exposed personal information on military subscribers, the Defense Department is planning to put new restrictions on how personnel use commercial social media sites.
DOD will soon issue a new policy directing military personnel to use non-mission-related contact information, such as phone numbers and e-mail addresses, when establishing personal accounts, Aliya Sternstein reports in NextGov.
Dot-mil e-mail addresses will still be allowed on sites such as Army Knowledge Online, Sternstein writes, but not on commercial sites.
DOD has gone back and forth over social media in recent years, trying to balance the benefits of social networking with security concerns. The new policy comes on the heels of a hack that showed the vulnerabilities in some social media sites and raised questions about whether government employees should connect to them from work computers.
In March, the hacker group LulzSec attacked MilitarySingles.com, a commercial website catering to military members, stealing and later posting user names and passwords of 170,937 subscribers, many of whom had .mil addresses.
A subsequent analysis of the attack by data security company Imperva showed the potential weaknesses in sites that allow users to upload content — in this case, photos. Hackers bypassed the site’s filters to insert malicious code and then were able to crack poorly protected passwords.
Not every social media site shares the same vulnerabilities. In offering recommendations on how to improve protection for users of social sites, Imperva cited several Facebook practices. But the report states that sites that allow user-generated content are going to face risks, which could be compounded if the users also work with sensitive information.
“Imperva calls into question if military and government employees should be held to a higher standard when it comes to social networking,” the report states. It also concluded that “social networking and the public sector don’t mix.”
With its pending policy of keeping .mil addresses and other mission-related information out of the social fray, DOD seems to have agreed.
It’s the latest turn in DOD’s social media policy, which has seen the department ban sites such as Facebook, Twitter, Flickr and YouTube, then in February 2010 issue a policy allowing use of unclassified .mil computers to access the sites.
At that time, department officials talked about the need for better information sharing, and for accommodating younger users who had come to expect social media access, while making military leaders responsible for cybersecurity.