With social media, should DOD go to the people, or should the people go to DOD?

Should the Defense Department be making use of public social media sites such as Facebook, or should DOD, for security reasons, build its own?

Paul A. Strassmann’s recent column arguing that DOD’s social media policy doesn’t do enough to address security sparked a lively debate among readers, many of whom question whether DOD – or government in general – is suited for hosting a social media environment.

Strassmann, former director of Defense information for the Office of the Secretary of Defense and now a professor at George Mason University’s Center for Secure Systems, cited the large number of DOD networks – and the fact that they are inconsistently managed and secured – in arguing that DOD could not secure its unclassified but sensitive IP network (NIPRNet).

He recommended, among other things, that DOD reduce its large “attack surface” through desktop and server virtualization and offer its own collaboration services so that people don’t have to resort to potentially non-secure social media sites such as Facebook, YouTube and Twitter. He lamented that Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, has to use Facebook to reach out to military, civilian and reserve personnel because DOD doesn’t have an alternative.

But would an in-house alternative solve the problem?


Related stories:

Original column: DOD social media policy fails to answer security questions

DOD issues long-awaited social media policy


“I think you miss a key point here that is often missed by DOD,” writes Dave Fliesen of Virginia Beach. “Adm. Mullen is using Facebook because that's where the people are. If DOD builds its own network, it just won't bring the people. I agree that DOD needs better computing systems and security measures in place, but making a DOD system to replace Facebook won't have the same reach as Facebook. Sometimes instead of ‘If we build it, they will come’ we need to think ‘where should we build it.’”

Other readers expanded on the idea. “As others mentioned, Paul's comments assume that Mullen's audience is WITHIN the firewall,” writes subbob in Kansas. “Security issues aside, that represents a fundamental misunderstanding as to one of the main reasons behind this policy -- public engagement.”

“The intent is to communicate with the public, on their ‘platforms,’” writes Susan. “The public will not go to our Web sites or our social networking sites ‘inside the firewall.’ The use of Facebook and Twitter and the rest is to communicate with the public -- those that just so happen to support us (or in other words, whose support we need in more ways than I can mention here) in their ‘spaces’ ... where they communicate and congregate. And yes, the DTM does not address security, but I challenge you that there are already in existence plenty of documents that do address the security requirements and the security ‘skills’ of those that manage and administer our NIPRnet that there was no need, other than to list some of those documents in the reference portion of the DTM. … More attacks are caused by people getting fooled by phishing or other social engineering attacks that infiltrate our networks than anything else.

“And read the reports ... most of the time the network is compromised because someone failed to patch when they were supposed to. ...[N]o more policies will fix this ... only enforcement of existing polices, additional training and punishment to those that cannot seem to get it, will solve this problem.”

“Mr. Strassmann's comments may appear technically valid, but they are borne of a different era,” adds another reader. “Adm. Mullen's role is a public one as well as an internal one. In fact, such is the USA's military reach that he has to extend his communications to a global audience. Building virtual walls between the military and the public is Cold War thinking. As Iraq has proven, winning the war is more than just winning the battles. The issue for the military is to separate secure from insecure communications and so allow, and in fact encourage, its military and non-military personnel to communicate with the outside world. Hats off to Mullen for leading this cultural change. It’s time for the techies to catch up.”

“I have to agree with the government’s policy of social engagement,” writes Socialite. “The aggregation of updates into the FaceBook framework is very powerful. More flexible than industry newsletters and simpler than RSS. Suggesting that NO security incidents are the acceptable level is poor risk management.”

Nevertheless, other writers note that security is a real issue.

“Mr. Strassmann makes some very valid points as to why allowing social media sites on the NIPRnet raises more concern about network security,” writes Kris Joseph. “I'm sure it was a heated debate at the Pentagon when our senior leaders were trying to develop this policy. What is clear to me in this policy is that the DOD sees more overall benefit in allowing social media rather than blocking it. And they have at the same time accepted the security risks that go along with it. Social media sites have been allowed in a large portion of U.S. bases since the summer of 2009 and I haven't heard of any security issues as of yet. Time will tell.”

“It is interesting to note the history of DOD networks and systems when it comes to cybersecurity,” adds another writer. “Not to mention that DOD has servers located in other countries, often in challenging, hostile environments. In terms of the private DOD cloud argument, how is this model any more secure? Is this based on past performance, perception or entrenched business interest? For instance, OSD's SBU email system, a traditional DoD behind the firewall system, was hacked with user IDs and passwords that unlocked the entire network stolen. As a result, sensitive data housed on Defense systems was accessed, copied and sent back to the intruder. Defense officials are still concerned about data lost in 2007 network attack.”

On the question of virtualization, Noel Dickover writes: “While I definitely agree that solutions for reducing the attack surfaces through desktop and server utilization is a great idea worth pursuing, this shouldn’t be embedded in the policy itself. The policy should list the component who is responsible for fulfilling that task, and others like it. In fact this is what was done – CDR USSTRATCOM has the responsibility to ‘assess risks associated with the use of Internet-based capabilities, identify operational vulnerabilities, and work with the ASD(NII)/DoD CIO to mitigate risks to the GIG.’ (Page 9, 6.b.). Respectfully, if we put the level of detail Mr. Strassmann advocates in the policy itself, we would need to rewrite the policy every time a new emerging technology created additional risks.”

And on a side note of sorts, reader subbob took the opportunity to suggest a different approach to computing. “Recently I started reading Nicholas Carr's ‘The Big Switch,’ where he makes an analogy to distribution of electrical power and computing, or informational, power. The government does not produce its own electricity, it buys it. Does not lay down its own telephone lines and services, it buys it. … Perhaps we should move to treating computing power as a utility, something that is a provided service, rather than continuing to try and manage it (badly & costly) in house.”

“Subbob has it correct,” added Chuck in Georgia. “It is well past time that DOD could be purchasing more IT and network power at a much lower cost than what we pay for the existing systems. Almost everything we need is available from NETWORX. The product would be much less expensive and much more secure. The big issue is that IT in DOD is the biggest jobs protection program on the planet; both for government workers and contractors. It is a huge feeding trough. That has to change before we can move forward.”

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

Reader Comments

Thu, Apr 22, 2010 Noel Dickover

As I mention above in response to Mr. Strassmann's virtualization approach, this level of detail simply doesn't belong in a DTM. This in essence would go against the rationale for calling the policy "Internet-based Capabilities" instead of "social networking". The policy shouldn't just address today's issue - it should address tomorrow's emerging technology concerns as well. While Mr. Strassmann's approach to virtualize the browsers makes sense, if that level of detail was embedded in the policy, it would be a brittle policy indeed. Additionally, if virtual browsers were deployed, this wouldn't stop the necessity of accessing and using capabilities like Facebook and others - it would simply mitigate the risks further.

Mon, Mar 15, 2010 Paul Strassmann George Mason University

To deal with social computing DoD should not build a replacement for Facebook because that will not serve the need for DoD personnel to communicate with their families and with the general population. I advocate the creation of separate and isolated virtual computers, accessed from totally thin clients (no disk, no operating system, no browser). A thin client would have two or more separate desktops that are logically and technologically isolated from each other. Thin clients can have access to several virtual computers via different and completely separate virtual desktop windows. DoD personnel can either access the sensitive NIPRNET on a separate and secure virtual desktop window, or switch to a separate and public INTERNET-connected virtual computer that bypasses DoD networks. In this respect this virtual computer would connect to any public information services provider. Such access to the public network would follow the identical rules as any access to the INTERNET from home. For technical details of the architecture for achieving separation of the DoD private network from the public INTERNET, see the recent issue of AFCEA SIGNAL magazine that describes the proposed solution to DoD's social computing needs.

SUMMARY: You cannot mix NIPRNET and INTERNET communications using the current architecture that relies on "fat" desktops and laptops. For secure social computing DoD must make available a "thin" client architecture that completely separates what is defended and what is not. By opening a completely separate insecure channel to the toxic public INTERNET, DoD can serve the needs of social computing while preserving the secured integrity of the NIPRNET. Paul A. Strassmann
