Freedom of Speech Policy Creates a Cyber Loophole

Cybersecurity risks abound in the midst of well-meaning social media policies.
The military needs to further address the cybersecurity risks created by well-meaning social media policies. Credit: Sasha Ka/Shutterstock

In August of 2022, a lawsuit was filed against an Air Force official’s Facebook page, prompting a change to its policy of deleting comments. A retired officer had commented on the official’s page, criticizing military policies, and as a result, was blocked from posting to the page. The commenter filed a lawsuit against the official and won. To avoid “viewpoint discrimination” that violates the First Amendment, the Air Force’s social media policy had to change. That official’s page disclaimer now reads: Posts will not be removed, and users will not be banned, based on the viewpoint expressed in any comments.

In the same month, the Department of Defense (DoD) released its first-ever social media policy, DoDI 5400.17, which restricts agency personnel from removing social media content from official DoD accounts except under very limited circumstances: if there is a factual or typographical error; violation of a law, policy, term of service or user agreement; or an operations or information security concern. All other content must remain.

While the overall policy brings clarification and attempts to ensure that agency personnel do not violate First Amendment rights, it leaves a significant cybersecurity loophole that has yet to be addressed. DoDI 5400.17 presumes that content posted was generated by a real person, using a real account, voicing a real opinion. But, in fact, many comments to official government accounts come from impersonators phishing for scam victims or are from threat actors making politically charged comments that can then be amplified. If amplified enough, comments can ultimately lead to public harm such as acts of terrorism. Additionally, with the use of AI-driven chatbot tools, official DoD messaging can be drowned out by dis-, mis-, or mal-information.

To reduce the cybersecurity risk created by well-meaning social media policies that attempt to protect freedom of speech, some very complex questions must be answered:

  • Who qualifies for freedom of speech? Do people in foreign countries have the same rights as U.S. citizens when posting on an official DoD page?
  • Do bots have First Amendment rights?
  • Where do constitutional rights conflict with a social media platform’s terms of service, and how does the government create policy to address both?

Adding to the challenge, privately held social media companies are rapidly changing the way they operate, making it next to impossible for U.S. government policy to keep up. As an example, in the short time since the DoD released DoDI 5400.17, Elon Musk purchased Twitter and dramatically changed the way accounts are verified. According to Twitter, as of April 1, accounts are no longer verified under the previous criteria (active, notable and authentic). Rather, they are now reportedly verified based on whether they have paid a subscription fee to a new verification system called “Twitter Blue.” In other words, anyone who pays for a monthly subscription (and also meets the minimal eligibility criteria) will be verified with a designated blue check mark. Other layers of verification have been implemented, further confusing casual users.

According to a White House email sent to staffers, Rob Flaherty, White House director of Digital Strategy, said, "It is our understanding that Twitter Blue does not provide person-level verification as a service. Thus, a blue check mark will now simply serve as a verification that the account is a paid user." He also stated that the White House would not be paying subscription fees for official staffer accounts nor would it pay $1,000 to be a verified organization. If the DoD follows the White House policy as precedent, it will not be paying for verification of official Twitter accounts either. Thus, the hundreds of thousands of impersonated “official” DoD accounts will remain on—and be promoted by—Twitter for a mere $8/month. Other social media platforms will likely follow suit. That’s right, anyone with a paid Twitter account, including those impersonating an official government account and its content, will be promoted by the platform.

Why is an impersonator’s freedom of speech an important topic for DoD cybersecurity personnel to consider? The short answer is because of the financial and reputational damage being caused at massive scale by threat actors creating impersonation accounts and generating fraudulent content. According to the FTC’s 2023 Consumer Sentinel Network Data Book, more than 800,000 consumer reports from service members (including veterans, active duty, reservists and their families) have been filed since 2018. Total losses have been estimated to be as much as $931.4 million, and that number does not account for losses from the almost certainly large number of unreported incidents.

Unfortunately, these impersonations and resulting loss numbers continue to climb. A report from ZeroFox Intelligence identified a 100 percent year-over-year increase of impersonations based on available DoD customer data since 2021. Furthermore, the report found a 100 percent increase of impersonations when comparing the first quarter (Q1) of 2022 with Q1 2023.

To date, the complexities of protecting freedom of speech on official military pages have not been fully addressed. The current policy of not deleting comments from official accounts is so broad that it inadvertently protects comments posted by cyber threat actors. This burdens cybersecurity and public affairs teams with deploying interim solutions to minimize the immense damage being done by social media impersonations.

While government leaders grapple with how to create an all-encompassing policy that protects First Amendment rights AND external cybersecurity assets, cybersecurity teams can and should deploy all available tools to disrupt impersonations and other malicious attempts by threat actors intent on causing financial and reputational damage to federal agencies and the public.


At ZeroFox, Jessie Smallwood is the director of the Department of Defense and Intelligence Community.

The opinions expressed in this article are not to be construed as official or reflecting the views of AFCEA International.