The DOD Makes Social Media Official

The Social Media policy states that the NIPRNET shall be configured to provide secure access to the INTERNET. That is not actionable unless DoD knows how to do that. There is no evidence that DoD knows how to fully secure the existing NIPRNET for assured secure communications from the INTERNET. The proposed social networking policy leaves DoD vulnerable to a wide range of attacks. The policy should have outlined a solution for reducing the attack surface through desktop and server virtualization. This would place secure "zero clients" desktops in the cloud so that Internet access can be defended.That will especially important as people access more and more data on secure networks through mobile clients. Strassmann, former Director of Defense Information, OSD and Professor, George Mason University, Center for Secure Systems

Thanks for the comments, Professor Strassman. You bring up some good points, and I am interested in hearing what others have to say as well. --Katie from SIGNAL Scape

Just to follow up with Mr. Strassman's comment that "The policy should have outlined a solution for reducing the attack surface through desktop and server virtualization." - the policy itself is intended to address a wide range of capabilities, not just the various technologies we are concerned about today. The larger intent is to get DoD to start keeping pace with these emerging technologies and ensure our infrastructure is protected and that we are taking advantage of the opportunities to improve our mission. While I definitely agree that solutions for reducing the attack surface through desktop and server utilization is a great idea worth pursuing, this shouldn't be embedded in the policy itself. The policy should list the Component who is responsible for fulfilling that task, and others like it. In fact this is what was done - CDR USSTRATCOM has the responsibility to "Assess risks associated with the use of Internet-based capabilities, identify operational vulnerabilities, and work with the ASD(NII)/DoD CIO to mitigate risks to the GIG."(Page 9, 6.b.). Respectfully, if we put the level of detail Mr. Strassmann advocates in the policy itself, we would need to rewrite the policy every time a new emerging technology created additional risks.

The existing policy which states that: "...CDR USSTRATCOM has the responsibility to "Assess risks associated with the use of Internet-based capabilities, identify operational vulnerabilities, and work with the ASD(NII)/DoD CIO to mitigate risks to the GIG..." That is not a policy at all. It is a way of abdicating responsibility by throwing the issue over the fence for USSTRATCOM Components to pick up for action months and possibly years later. Actionable policy should offer tangible guidance for implementation. There is nothing wrong with rewriting the OSD policy every few years (that has been the pattern anyway). New versions are useful if the technologies for dealing with social computing securely change every decade. As the OSD Director of Defense Information (that was before there was an OSD CIO) in 1990-1993 I preferred to task my policy writers to produce text that offered guidance how to proceed with implementation. The chances that the fundamentals of secure social computing would change does not give policy writers an excuse to produce text that endorses continuation of existing risky practices until somebody stands up and changes the rules. The current policy, promised in May of 2009, is nothing but passing a problem for action in a distant future. Meanwhile, social computing will remain a source of toxic infestation of the NIPRNET.

Prof. Strassman, I think both you and Noel have points here. I worked for years on the development of a technical policy (DODI 1322.26) that related to the development of e-learning content and we were constantly going back and forth over crafting the guidance with sufficient detail as to provide a clear path forward while at the same time not creating an overly detailed policy on a technical subject wherein the ground was changing so rapidly that agility was called for right along with security. I also agree virtualization offers a promising solution for both access and security. I do have 2 questions though: #1 The NIPRNET currently allows access to the Internet - within certain limits. Prof. Strassman, is part of your concern that "secure" part of the policy inasmuch as that is directing DOD to do something it can not currently do? Is that really then a question of the accuracy of the language involved? #2 As the NIRPNET does currently allow constrained access to the Internet, could you enumerate and specifics on the assertion that "The proposed social networking policy leaves DoD vulnerable to a wide range of attacks."? That is, what NEW vulnerabilities are created, from a technical standpoint, that are not currently in existence due to any connection to the Internet? v/r Mark Oehlert

Mr. Oehlert: Here are answers to your two questions: 1. According to USSTRATCOM news release of last week DoD operates 15,000 networks. A large share of these networks (and possibly over one half) use the INTERNET to communicate. The policy that directs USSTRATCOM and Components to somehow secure these communications 100% is unrealistic. There is not enough money or people to watch such a large attack surface against penetration 24/7, with the inevitable human lapses and technology errors. The issue here is not improving the accuracy of the language of the new policy, but the chance that it can be executed. My position is that the policy is flawed since it cannot be implemented with a degree of assurance that will meet cyber warfare requirements. 2. The connection of any part of the NIPRNET - that will now be allowed - to the INTERNET exposes DoD to an enormous onslaught of attaches, whether they are easily launched viruses or botnets. For instance, the recent Conflicter worm (one of >100,000 currently active viruses) has infected over 10 million computers since it has been launched in 2009. The original W32.Downadup.A exploited the MS08-067 vulnerability in Windows XP Service Pack 2 and Windows 2003 Service Pack 1 operating systems, for which Microsoft issued a patch but only too late because it had to be installed outside of its regular monthly patching cycle. That is only a small example of one of ten thousands vulnerabilities. Even with patches and after applying anti-virus programs (far too late for zero-day exploits) the infection will not be completely stopped. It takes only a few compromises to diminish the integrity of the NIPRNET. v/r Paul Strassmann

I'm still not sure I would agree that you answered #2... Conflicker did infect many machines but that doesn't answer Mark's question wrt additional vulnerabilities that SN places on the network beyond what is out there today. The vulnerabilities you refer to are just as easy through e-mail, file transfer, website, ... there is always the social engineering aspects. This leads back to #1... if you can't protect it today and we basically mitigate risks that we have, then what makes SN so much worse? So, if #2 doesn't introduce much of anything new, and SN provides operational value (although not proven yet), then what is the issue beyond the current day threats?

Prof. Strassmann, I have no involvement in the writing/issuing of the policy. Nor do I have any involvement is administration of DoD computer systems. But as an "outside observer" who works for the Department of the Army, It is my personal opinion that the "policy" letter was targeted specifically to address "attitudes" similar to yours. (Please understand that I am throwing vague terms around here freely on purpose.) To oversimplify the situation to provide a point of reference, the "policy" is to "correct" the DoD's current policy of "Denial of Service" by imposing draconian security measures. Access to "services" is one of the things that DoD IT needs to "allow" not "deny" by default. There is also the gargantuan problem of very poorly implemented technology and procedures. As an example our IT department has deployed a program to check for certificate revocation. But for two weeks now it has been showing me red alerts that AKO's certificates have been revoked and should not be visited. The only thing achieved is that now your "average user" has learned to ignore any warnings and drive on. I can site dozens of similar examples. As a comedic close. The Internet was designed by the DoD to survive a nuclear war. I hope it can handle a few visits to/from Facebook and Twitter. Chaim Krause Usual CYA disclaimers apply