NDIA POLICY POINTS GOVERNMENT POLICY
Operational Security Erodes in Social Media Age
In 2017, fitness-tracking application Strava released a map detailing all location data uploaded by app users, including U.S. service members stationed overseas. When visualized in the publicly available Strava “heat map” of user activity, this data revealed U.S. military base locations in Afghanistan.
By unwittingly disclosing this data, service members also revealed critical habit pattern information to potential attackers. Strava is not alone in collecting this sort of data. Many other networked personal devices and technologies, broadly referred to as the internet of things, or IoT, track and report on user habits.
Risks posed by social media and IoT are often neglected as Defense Department leaders focus on high-profile cyberattacks such as NotPetya, the Office of Personnel Management data breach and attacks on major weapons systems.
And high-visibility cyberattacks continue to increase as determined hostile actors find new tactics and techniques to break through layers of security to steal sensitive data and impede U.S. operations. However, leaders must find the time and resources to focus on pervasive yet subtle cyber threats to operations security driven by high-risk use of social media platforms and the IoT. Continued lapses and penetrations demonstrate the insufficiency of existing guidance.
The Defense Department should modify or augment its social media guidelines and policies to minimize operations security breaches that could imperil current and future service members. Additionally, given the increasing use of contractors in operational environments, these guidelines should be provided to industry as a set of best practices for their employees.
The accelerating growth of social media and the IoT, characterized by increasing volume and speed of publicly shared information, presents significant consequences for operations security beyond the more well-known dangers of identity theft or other individual damages caused by personal data breaches.
For example, in 2017 a Marine Corps task force in Afghanistan opened a social media account to share updates on its reconstruction efforts. The account shut down a year later over well-founded operations security concerns. Specifically, the page operator uploaded a photo of one of the unit’s local interpreters, even though showing the interpreter’s face publicly could jeopardize the lives of both the interpreter and their family.
To compound the issue, Army Times ran a story featuring the photograph, increasing viewership on the Marine website. The upload of the photograph indicates that even those service members running official social media accounts receive insufficient training in maintaining operations security on social media.
Compounding this threat is the rise of applications developed by competitor nation companies. For instance, the increasing number of Chinese-origin applications available for download on mobile devices includes popular titles such as TikTok, a social media platform for users to record and share 15-second videos, which boasts more than 80 million downloads in the U.S. alone. In exchange for providing entertainment value, TikTok collects significant data about its users, and is particularly popular among younger demographics who may be less privacy-focused and concerned about giving away their personal information.
Even more troubling, in 2019 the Federal Communications Commission fined TikTok $5.7 million for illegally collecting and distributing data on underage users, including names, addresses, birthdates, locations and more. This raises significant security issues beyond standard concerns about child safety.
Some members of Generation Z, many of whom already gave their personal data to the companies behind TikTok and similar platforms, will pursue careers as warfighters or defense analysts. The personal information harvested during their childhood could make them uniquely vulnerable targets for hostile actors in the future. This vulnerability also extends into the present; personal information identifying children of existing officials and service members could place their parents at risk.
Strava, the Marine website, and TikTok represent two broad categories of data that can lead to operations security breaches: user-generated information such as social media posts or location data; and harvested personal information such as financial, contact, or identification data. While the former category presents a more immediate risk to operations security, because it can highlight service member habits and routines or partner identities in conflict zones, long-term retention of personal data by foreign entities potentially drives greater risk for future U.S. military operations.
Depending on the specific case, a data packet collected by TikTok or other potentially hostile actors can yield useful personal data about the user years after the user deletes the application from their device.
The Defense Department and the services provide publicly available handbooks detailing safe social media use and internet hygiene best practices. However, persistent leaks and breaches indicate that guidance alone fails to properly prepare warfighters to protect themselves and their loved ones against malicious actors.
The federal government must recognize social media use and IoT data collection as unique challenges within the broader cyber domain, challenges that present immediate and long-term threats. Leaders need to take immediate steps to improve guidance to both warfighters and the contractors that support them while providing training and additional resources.
Without that focus, these vulnerabilities will continue to grow in scope and severity.
Zachary Kronisch is a junior policy fellow at the National Defense Industrial Association.