Social media is a relatively underestimated yet potent tool subjected to cyber security risks. Although social media is a platform enabling social interaction, it makes private information on persons of interests available to foreign governments.
Social media is defined as a “[form] of electronic communication through which users create online communities to share information, ideas, personal messages and other content.” It is a platform that is open and accessible to all with an Internet connection, and facilitates the sharing of personal information through participation, interaction and the forming of communities within a widely interconnected network. Examples include Facebook, Twitter, Wikipedia, Pinterest and Reddit. In the globalized world, this interconnectedness leads to contacts or ‘friends-of-friends’ in all corners of the globe. In most cases this is a positive phenomenon, particularly in terms of networking, cooperation and personal travel. However, if such a tight-knit community is infiltrated, it also bears pitfalls in terms of security.
In 2010, security firm employee Thomas Ryan, designed and operated a fictitious account under the name of ‘Robin Sage’ for an experiment. The fake profile included a prestigious CV and handsome photos, and within a month ‘she’ obtained 300 contacts on LinkedIn and more than 100 on Facebook and Twitter. These included high-ranking officials on the Joint Chiefs of Staff, the NSA, the House of Representatives and many Pentagon and Defence employees. Despite none of these contacts having met her, yet belonging to the tight-knit security network, many accepted her profile based on transitive trust. This works in three ways: 1) user A sees user B listed as user C’s friend, and on this mutual base regards C as a friend, 2) a highly respected person (and trusted source) befriends ‘Sage’, and others follow, and 3) a common connection to an institution (such as university) results in ‘friendship’. With some effort (such as validating her alumni network) she could have been unmasked, but apart from a few, most users accepted her as ‘friend’. This example illustrates that individuals are much more likely to trust another based on their online profile, while in real life people desire to acquaint themselves better before forming a trusting, if any, friendship.
As a result ‘she’ had access to personal information of top officials, unpublished technical papers and tactical information. This included an official sharing a confidential report and requesting ‘her’ thoughts, and military personnel uploading mission photos containing the coordinates of their exact location. The account also received job offers from Defence contractors. Had she been a foreign agent, she would have gained both valuable information and seemingly innocent information that could prove advantageous in covert operations.
Similarly, a fake Facebook account was set up for Admiral James Stavridis, then Supreme Allied Commander Europe (SACEUR) at NATO, in 2012. It is unlikely the Admiral himself was targeted; instead, the objective was to gain personal information on befriended users. It was suggested that by means of this ploy the perpetrator gained sensitive information regarding the F-35 Joint Strike Fighter’s capabilities. Likewise, a group of Iranian hackers are known for targeting U.S. and Israeli officials through an elaborate social media ploy to obtain sensitive information. Posing as journalists or defence contractors, they send potential victims links and lure them to fake websites. This was reportedly with the intent to unleash malware and collect login details. Over 2000 people were targeted, and they had affiliations with weapon system development, the U.S.-Israeli relations and nuclear negotiations.
Perpetrators of social media and cyber abuse can differ. They can be an individual, a group or a nation and their motivations can range widely. This diffusion of power means non-traditional actors can make a meaningful contribution. It is difficult to trace the origin of a perpetrator since traces can be rerouted through other countries and even the location of the computer cannot determine who the culprit is. This further leads to the dilemma of plausible deniability: the ability to deny responsibility due to insufficient evidence to prove wrongdoing. It allows an entity to a greater degree of cover and to circumvent accountability.
The harvested information may not be directly useful but can provide portions to supplement another endeavour. Such endeavours can include influence, coercion, manipulation, recruitment, identity theft and blackmail of a target, a target’s friends or people close to a target’s friends. These can provide further consequential information or a foothold into a given computer network, allowing access at a great distance, with the purpose of covert or non-covert attacks.
In 2015, the U.S. government’s Office of Personnel Management was hacked. The culprit, believed to be China, gained access to 4 million current and former federal employees. If true, China could be in possession of information regarding individual employment locations, security clearances, financial background, foreign trips taken, social security numbers, relatives’ names, addresses, and details of their occupation as an employee. According to experts, China may be amassing a database on U.S. federal infrastructure within the departments. This forms a substantial breach of, and threat to, national security that could result in the aforementioned nefarious enterprises.
Although not a ‘usual suspect’, social media is a platform that can lead to potential security threats. Most governments are aware of this risk and have implemented policies to tackle security threats. The U.S. government has released several papers on this issue, including the 2009 guidelines by the council of the Chief Information Office (CIO) that laid the groundwork and sought solutions in policy and acquisition controls. Since then, nearly every department has a social media policy.
Many of these policies focus on logical conduct, such as advising employees to withhold references to government titles and to avoid affiliation between their professional position and personal endorsements or comments. The danger of the social media phenomenon is rooted in the three manifestations of transitive trust: (a) the need to create an exciting and impressive online image that may inadvertently reveal more than it ought, (b) a certain caution when subscribing to pages or giving contact information to Facebook applications, and (c) in general, insufficiently realizing the behaviour social media can trigger. It is therefore imperative that user behaviour also be addressed within the federal domain. Although, human behaviour may not be modified directly, creating awareness, online vigilance, providing tools and ideas to validate identities are important steps to prevent potential adversaries from gaining critical information.
Photo: “Global technology, cyber crime, hackers, cyber security, technology, devices” by Blue Coat photos. Licensed under Public Domain.
Disclaimer: The content of this article is the sole responsibility of the author and any opinions expressed therein do not necessarily represent the official position of the Youth Atlantic Treaty Association Denmark.