
Physical-Cyber Convergence Outside the Perimeter

Oversharing online places federal personnel in harm’s way.

The Cyber Edge Writing Contest 3rd-Place Winner, 2023


The challenge of converging cyber and physical security within an agency’s perimeter is nothing new for federal military and civilian organizations. Now, cyber threats taking place outside an organization’s perimeter are adding a layer of complexity that must be addressed immediately by both physical and cyber security teams.

Threats such as impersonations, doxing, swatting, cyber stalking and more are being planned online by threat actors who target military service members or government officials, intending to do physical harm to draw attention to themselves or their cause or to oppose the target’s role in government. Tragic events driven by a variety of motives are now occurring as the result of perpetrators using a digital platform to broadcast information or raise support to execute senseless physical acts. These types of attacks become a matter of national security when they target a government employee.

The complexity of protecting against such security incidents is compounded by the increasing role of information that family members, friends and even the target themselves post online. Seemingly innocent social media posts by friends and family are increasingly exploited by threat actors and are putting service members in harm’s way. Because of this, security teams are left scrambling to determine what can be done to minimize risk to a protectee’s physical safety. The solution becomes clearer by better understanding how these attacks are executed.

Threat actors have been known to track and exploit information provided by a victim’s immediate inner circle. For centuries, intelligence has been gathered by befriending or tracking a target’s family members and exploiting the connection to reach their target. When you are the target, those in your inner circle are the most reliable way to establish your patterns of life and time-location predictability. Once verified, physical threats such as home invasions, kidnapping, extortion, etc., can be planned and executed much more efficiently.

In the era of social media, information gathering has become much easier. Those closest to you can feed threat actors an abundance of information simply by posting to social media. Unfortunately, they have very little awareness of how an innocent post translates into valuable intelligence for those seeking to do harm. Take a look at how a threat actor might translate a well-meaning post from a friend or family member and analyze it to gather intelligence on an individual:

Facebook Post: “Our grandson started at the Naval Academy today. So proud he is following in his father’s footsteps to become a Navy officer!”

Translation: This post has identified two prime targets: the grandson on track to be an officer, and his father, a high-ranking official.

Risk: Posting acceptance to a school, university, sports team or other programs that publish event dates and locations (e.g., Parent’s Day, graduation or a tournament schedule) enables a threat actor to establish time-place predictability for a target, which, in this case, is a high-ranking official. The son’s time-place predictability found in the same Facebook post makes him a bonus target for possible kidnapping, extortion or further information gathering. These published events can also communicate to adversaries that family homes will be vacated for predictable amounts of time, making them an attractive target for reconnaissance, vandalism or burglary.

It’s not just military personnel who are exposed by friends, family and their own posts online. Civilian government officials, supreme court justices and federal judges have found themselves and family members in harm’s way due to social media. Content posted with good intentions has made personally identifiable information accessible, which has enabled doxing, compromise of credentials and other threat tactics. Even if sensitive information such as home addresses or executive travel plans is protected within organizational walls, that does not mean the same sensitive information is well-protected online.

To that end, the U.S. commander in chief recently stated he had given his grandchildren money for Christmas using Venmo. Inadvertently, he created a national security issue when a news outlet researched his Venmo account, exposing a network of his private social connections, including his children, grandchildren and senior White House officials. 

On the international front, the targeting of family members via social channels has been used as a war tactic:

Ukraine’s own Ministry of Internal Affairs, seeking to “stoke anti-government rage inside Russia,” posted graphic images of dead Russian soldiers to Telegram, asking for family members to identify the corpses. After only a short time, the Telegram channel had more than 620,000 subscribers.

The lack of soldiers’ personal discipline when handling devices, apps and social media has compromised military activities and resulted in the death of soldiers, as observed during the Ukraine conflict in particular. Social media postings have been used to identify soldier positions and troop movement.

Some fitness apps allow users to share workout information, including a map of a user’s run with friends and fellow service members. In a case recently reported, the Strava app unwittingly revealed the locations and habits of military bases and personnel, including those of American forces in Iraq and Syria.

Information provided on social media also can pose a risk to job security and can disqualify valuable candidates from being hired into government roles. Divisions within the government are now evaluating social media use when hiring for certain positions because of the threat that online activity and promoted data pose to the individual and potentially to the agency’s mission.

According to Military.com, one lance corporal learned a difficult lesson when he posted a selfie during a force-on-force training exercise. The photo geolocated him and his team, and they were taken out by the enemy. Thankfully, the lesson was learned during a training exercise and not during live combat. Others have not been so fortunate.

A candidate who regularly records life events online may minimize their hiring potential. Law enforcement candidates who have already shared too much online may simply never be considered for undercover roles.

Staying off social media altogether is impossible for military service members and their family members. For better or worse, social media is a primary tool for conducting government business and communicating in general.

So how can the government improve its protections from physical threats that originate in the cyber realm? Detailed guidance, established policies and enforcement of those policies will make a significant impact. It is also important to establish an external official presence in these environments to avoid adversaries setting up impersonation accounts that cannot be distinguished from an official account. Without an official account presence, it is difficult for social media companies to prove that a fake account is not real. In many cases, a fake account may have existed years before being discovered.

Military personnel should always seek guidance from their department or agency and follow published policies and guidelines before taking action. Federal social media policies and guidelines such as the U.S. Department of Defense’s (DoD’s) recently released DODI 5400.17 do exist and provide a measure of guidance on how DoD personnel should use official social media accounts. However, with a shortage of staff available to monitor and the massive amount of information being posted, policy is generally difficult to enforce. In addition, the online activity of friends and family members creates a risk that agency policy cannot govern or guide and likely does not have visibility into.

Civilian government officials, supreme court justices and federal judges, along with their families, can find themselves in harm’s way due to social media. Credit: Shutterstock/Gorodenkoff

While most high-ranking officials and those in the intelligence community understand the professional risk of posting personal information online, family postings are a real pain point. And they are proving to be a real gift to foreign actors. Even the simplest of posts by a family member can provide a rich source of intelligence.

As the frequency of physical security incidents increases, it will ultimately diminish the public’s confidence in the government’s ability to protect its own. When physical attacks on federal personnel are successful, it not only compromises morale and agency operations, but it makes others question their interest in working as a public servant.

One of the most effective and immediately available ways to improve protections for agency personnel—military or civilian—is to implement a strong monitoring solution that includes:

  • Monitoring and detection for threats such as impersonations, stolen credentials and other threats across social media, surface web and deep and dark web.
  • High fidelity alerts for physical threats and disruptive events that pose a risk to key executives and their families.
  • Reputation protection to safeguard citizen engagement.
  • Executive threat intelligence, reporting and assessments focused on staff and extended family members to improve situational awareness and to harden them against targeting and social engineering attacks.
  • Cyber awareness training to help lock down and reduce staff and families’ cyber footprint.
  • Takedown capabilities for removing fraudulent profiles and offending content.
  • Ongoing monitoring and removal of personal information from data broker websites.

While a government organization implementing this kind of solution cannot stop friends and family from oversharing online, it can help detect a threat in motion and inform government personnel of what personal information is being shared publicly. With greater awareness, they are better educated and can feel safer at work, while traveling and at home.

 

James Carnall has more than 20 years of experience in the cybersecurity and threat intelligence industry working with government and commercial organizations. Carnall has most recently served as general manager and vice president of Public Sector Services with ZeroFox and as general manager of Cyveillance. He holds a Bachelor of Science in information technology with a minor in business management from George Mason University.
