When it comes to evaluating security risks and ensuring they are avoided, it always boils down to the people involved.
Even as government 2.0 advocates hailed the U.S. Defense Department's newly framed social media policy, questions persisted over the value of such a policy in the wake of cybersecurity threats. But Sumit Agarwal, who was named deputy assistant secretary of defense (public affairs) for outreach and social media in January, says that with so many people using social media on their own, enforcing a closed posture on these tools may be as ill-advised as not doing so. "We need to learn how to effectively, safely and securely use these tools, because if we don't keep up with these trends, we run the risk of driving the inevitable usage away from channels in which we can assist and safeguard our service members," he explains.
Agarwal, who also serves in the Air National Guard, points to the Marine Corps as a one example. Although Marines have very limited access to social media tools, statistically, they are among the most avid users of these services, leading to the conclusion that denying access doesn't stop the behavior.
So, after months of assessing whether opening the networks to permit social networking would compromise operational security, the Defense Department released its social media policy in late February. Agarwal says the policy reflects a change in the bias for the department from not providing access to providing access safely and effectively. While officials can use tools to monitor traffic to a certain extent, he adds, all traffic cannot be controlled. "I don't know of a magic bullet that will ensure that nothing malicious or inappropriate [happens]," he states.
Getting to that safe and effective use of technology will require education and training to increase familiarization with it and improve judgment in using it, Agarwal continues—and this position is just as true for the least connected users of technology. As he observes, the loss of a laptop or hard drive—which is the most common security problem—has nothing to do with whether one is connected to social media networks.
The second most significant threat vector Agarwal mentions are those that are not limited to social but to all networks, such as phishing scams. "Any new Internet technology carries with it attendant risks. The biggest debate is whether the next few Internet capabilities—whether it's Skype or Facebook or Twitter—carry more materially different threats than the existing Internet-based services, whether it's e-mail or just clicking a link on a Web page," he notes.
Despite the risks, the dividends of social media use in the Defense Department are starting to roll in. As the policy is implemented during its first 180 days, Agarwal points to three specific groups that are already benefiting from the new policy. Troops are very keen on the idea of keeping closer contact with their families. Professional communicators in the Defense Department are "thrilled," he says, that these tools are available to them because the technology will make them more effective at their jobs. And the U.S. and global public are aware that the department is catching up to other organizations.
More than anything, the policy needs to be organic. The key to achieving balance as these tools continue to evolve, according to Agarwal, is in thoroughly understanding both the benefits and the risks. For many, he says, "There's a perception that the downsides in the form of a compromised security posture are enormous, and the upsides, such as the return on investment and the value of doing these things, are modest or questionable at best. We need to more accurately capture what is happening on the security front...we want to more clearly capture the positives as well."
More specific implementation guidance will follow in the coming months."The actual change on the front line in terms of whether a downrange service member has access is still something that's changing slowly at best, but that's OK. We've at least established a direction," Agarwal points out.