With social media, should DOD go to the people, or should the people go to DOD?

Should the Defense Department be making use of public social media sites such as Facebook, or should DOD, for security reasons, build its own?

Paul A. Strassman’s recent column arguing that that DOD’s social media policy doesn’t do enough to address security sparked a lively debate among readers, many of whom question whether DOD – or government in general – is suited for hosting a social media environment.

Strassmann, former director of Defense information for the Office of the Secretary of Defense and now a professor at George Mason University’s Center for Secure Systems, cited the large number of DOD networks – and the fact that they are inconsistently managed and secured -- in arguing that DOD could not secure its unclassified but sensitive IP network (NIPRNet ).

He recommended, among other things, that DOD reduce its large “attack surface” through desktop and server virtualization and offer its own collaboration services so that people don’t have to resort to potentially non-secure social media sites such as Facebook, YouTube and Twitter. He lamented that Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, has to use Facebook to reach out to military, civilian and reserve personnel because DOD doesn’t have an alternative.

But would an in-house alternative solve the problem?

Related stories:

Original column: DOD social media policy fails to answer security questions

DOD issues long-awaited social media policy

“I think you miss a key point here that is often missed by DOD,” writes Dave Fliesen of Virginia Beach. “Adm. Mullen is using Facebook because that's where the people are. If DOD builds its own network, it just won't bring the people. I agree that DOD needs better computing systems and security measures in place, but making a DOD system to replace Facebook won't have the same reach as Facebook. Sometimes instead of ‘If we build it, they were come’ we need to think ‘where should we build it.’”

Other readers expanded on the idea. “As others mentioned, Paul's comments assume that Mullen's audience is WITHIN the firewall,” writes subbob in Kansas. “Security issues aside, that represents a fundamental misunderstanding as to one of the main reasons behind this policy -- public engagement.”

“The intent is to communicate with the public, on their 'platforms,’” writes Susan. “The public will not go to our Web sites or our social networking sites 'inside the firewall.' The use of Facebook and Twitter and the rest is to communicate with the public -- those that just so happen to support us (or in other words, whose support we need in more ways than I can mention here) in their 'spaces' .. where they communicate and congregate. And yes, the DTM does not address security, but I challenge you that there are already in existence plenty of documents that do address the security requirements and the security 'skills' of those that manage and administer our NIPRnet that there was no need, other than to list some of those documents in the reference portion of the DTM. … More attacks are caused by people getting fooled by phishing or other social engineering attacks that infiltrate our networks than anything else.

“And read the reports ... most of the time the network is compromised because someone failed to patch when they were supposed to. ...[N]o more policies will fix this ... only enforcement of existing polices, additional training and punishment to those that cannot seem to get it, will solve this problem.”

“Mr. Strassmann's comments may appear technically valid, but they are borne of a different era,” adds another reader. “Adm. Mullen's role is a public one as well as an internal one. In fact, such is the USA's military reach that he has to extend his communications to a global audience. Building virtual walls between the military and the public is Cold War thinking. As Iraq has proven, winning the war is more than just winning the battles. The issue for the military is to separate secure from insecure communications and so allow, and in fact encourage, its military and non-miltary personnel to communicate with the outside world. Hats off to Mullen for leading this cultural change. It’s time for the techies to catch up.”

“I have to agree with the government’s policy of social engagement,” writes Socialite. “The aggregation of updates into the FaceBook framework is very powerful. More flexible than industry newsletters and simpler than RSS. Suggesting that NO security incidents are the acceptable level is poor risk management.”

Nevertheless, other writers note that security is a real issue.

“Mr. Strassmann makes some very valid points as to why allowing social media sites on the NIPRnet raises more concern about network security” writes Kris Joseph. “I'm sure it was a heated debate at the Pentagon when our senior leaders were trying to develop this policy. What is clear to me in this policy is that the DOD sees more overall benefit in allowing social media rather than blocking it. And they have at the same time accepted the security risks that go along with it. Social media sites have been allowed in a large portion of U.S bases since the summer of 2009 and I haven't heard of any security issues as of yet. Time will tell.”

“It is interesting to note the history of DOD networks and systems when it comes to cybersecurity,” adds another writer. “Not to mention that DOD has servers located in other countries, often in challenging, hostile environments. In terms of the private DOD cloud argument, how is this model any more secure? Is this based on past performance, perception or entrenched business interest? For instance, OSD's SBU email system, a traditional DoD behind the firewall system, was hacked with user IDs and passwords that unlocked the entire network stolen. As a result, sensitive data housed on Defense systems was accessed, copied and sent back to the intruder. Defense officials are still concerned about data lost in 2007 network attack.”

On the question of virtualization, Noel Dickover writes: “While I definitely agree that solutions for reducing the attack surfaces through desktop and server utilization is a great idea worth pursuing, this shouldn’t be embedded in the policy itself. The policy should list the component who is responsible for fulfilling that task, and others like it. In fact this is what was done – CDR USSTRATCOM has the responsibility to ‘assess risks associated with the use of Internet-based capabilities, identify operational vulnerabilities, and work with the ASD(NII)/DoD CIO to mitigate risks to the GIG.’ (Page 9, 6.b.). Respectfully, if we put the level of detail Mr. Strassmann advocates in the policy itself, we would need to rewrite the policy every time a new emerging technology created additional risks.”

And on a side note of sorts, reader subbob took the opportunity to suggest a different approach to computing. “Recently I started reading Nicholas Carr's ‘The Big Switch,’ where he makes an analogy to distribution of electrical power and computing, or informational, power. The government does not produce its own electricity, it buys it. Does not lay down its down telephone lines and services, it buys it. … Perhaps we should move to treating computing power as a utility, something that is a provided service, rather than continuing to try and manage it (badly & costly) in house.”

“Subbob has it correct,” added Chuck in Georgia. “It is well past time that DOD could be purchasing more IT and network power at a much lower cost that what we pay for the existing systems. Almost everything we need is available from NETWORX. The product would be much less expensive and much more secure. The big issue is that IT in DOD is the biggest jobs protection program on the planet; both for government workers and contractors. It is a huge feeding trough. That has to change before we can move forward.”