Sunday, July 25, 2010

Did you hear about the RSO who wanted to know about all your Facebook contacts?

RSO, as in Regional Security Officer.  Apparently at one overseas post, the RSO has asked employees to inform the Security Office of all their Facebook contacts. Did you see that covered in the use of social media under 5 FAM 790?

If I were a paranoid RSO, I'd be thinking that Internet Russian spy sensation Anna Chapman may have "friended" you guys on Facebook and you forgot about her. Check your Facebook contacts, pronto!
Seriously, let's see what the new policy on using social media says about this.

5 FAM 792.5 Counterintelligence Awareness
(CT:IM-110; 06-10-2010)

All Department personnel or other U.S. Government representatives accessing Department social media sites in any capacity must be alert to the potential targeting of users for intelligence-gathering purposes. Department personnel must remain aware of their responsibilities as outlined in 12 FAM 260. Personnel must pay particular attention to the contact reporting requirements explained in 12 FAM 262.1

See -- did that say anywhere that you must report all your social media contacts?

Let's err on the side of caution and check out what 12 FAM 262.1 actually says on contact reporting requirements...

12 FAM 262.1 Policy
(CT:DS-154; 04-12-2010)

a. The Department’s regulations have long required employees to report contacts with nationals of certain countries, due to both intelligence and terrorism concerns. Presidential Decision Directive/NSC-12 issued specific instructions and mandated that all U.S. Government agencies implement similar programs. The following procedures meet the President’s requirement that those who serve in America’s most sensitive jobs work with security offices to guard against illegal or unauthorized access to classified or otherwise sensitive information.

b. All employees and contractors must report:

(1) Unofficial contact with a national from a country with critical HUMINT threat posts listed on the Department’s Security Environment Threat List (SETL) if the employee and/or critical threat foreign national suggest, agree to, or actually have a second meeting after an initial encounter. (The SETL is available on the classified network via links on the Department’s Web site);

(2) Contact and/or association with a person or organization who the employee knows or suspects advocate the unlawful overthrow of the U.S. Government;

(3) Contact and/or association with a person whom the employee knows or suspects is a member or supporter of foreign terrorist organizations (FTOs), as designated by the Secretary of State (see the list of FTOs);

(4) Unofficial contact with a person who the employee knows or suspects is a member of a foreign intelligence agency, regardless of

(5) Illegal or unauthorized access that is sought to classified or otherwise sensitive information; or

(6) When the employee is concerned that he or she may be the target of actual or attempted exploitation by a foreign entity.

c. This policy is not intended to limit or impair professional or personal contacts. Its purpose is to protect the security of the United States and its employees while ensuring the privacy of employees and their freedom of association. Further, this policy seeks to ensure that security risks to persons or to the U.S. Government are identified at the earliest possible opportunity and deterred, and that protective steps are taken to avoid compromise of U.S. employees and national security interests. Employees are considered partners in the management of this regulation.

d. The term “contact” means all manner of personal or impersonal communication and includes, but is not limited to, written, telephonic, electronic mail, text messaging, chat room discussion or other social media, facsimile, wire, and/or amateur radio.

I'm not making this up, dude! This is publicly available material for anyone.

On closer reading - this also makes it abundantly clear that the regs have not thought out that part about the virtual nature of social media. For example, part of the new regs says: 
All employees and contractors must report ...
(1) Unofficial contact with a national from a country with critical HUMINT threat posts listed on the Department’s Security Environment Threat List (SETL) if the employee and/or critical threat foreign national suggest, agree to, or actually have a second meeting after an initial encounter.

Does an online encounter in blogs, Facebook, Flickr, YouTube, Twitter, etceeetera -- count as an initial encounter? Does an online encounter count as a meeting for purposes of the "second meeting" described in this section? Given the networked nature of social media, if you are in one of the "critical HUMINT threat posts," does that indeed mean reporting all the names in your Facebook account or your spouse's Facebook account? Or your kids', or grandma's?

Oh, how tricky is that? 

On second thought, let's say for a moment that the RSO who wanted to know about all your Facebook contacts is on the right side of the regs --- the post's 100 employees have approximately 100 Facebook contacts each, not counting other social media accounts. That's 10,000 names, not 1,000, that the RSO shall have collected at the end of the day (sorry, misplaced my brain cells last night; thanks, Chris!). So ....

Who will have time to comb through the names or process such info into understandable boxes of data? The RSO, presumably. And while he/she is doing that, who will be doing his/her non-social media police duties?

Somebody might want to ask Diplomatic Security for clarification since they wrote this policy (it looks like -- in April this year).  But really, somebody over there who actually uses the various social media and not just looks through them ought to get a red pen and go through the regs once more. 

That said -- it may not be Anna Chapman, and this RSO may not have had a real good reason for asking about those contacts last month, but this week he'll have an excellent argument. On June 22, Computerworld reports how a fake femme fatale shows the risks of social networks.

Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named "Robin Sage," whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking.  

Researcher Thomas Ryan, who conducted the experiment, said that he used a few photos to portray the fictional Sage on Facebook, LinkedIn and Twitter as an attractive, somewhat flirty cybergeek, with degrees from MIT and a prestigious prep school in New Hampshire. He also said, "I wanted to see how much intel you could gather from a person just by lurking on a social networking site. I [also] wanted to see who was most susceptible to clicking. I wanted to see how fast this thing would propagate. One of the things I found was that MIT and St. Paul's [prep school] were very cliquey. If they don't remember seeing you, they are not going to click. You had less of a chance of penetrating those groups than the actual intel and security communities."

Read the whole thing here.    

Thomas Ryan will speak at the BlackHat Security Conference in Las Vegas (more eggs on the face next week) where he will point out that through his "28 day experiment, it became evident that the propagation of a false identity via social networking websites is rampant and viral. Much of the information revealed to Robin Sage violated OPSEC procedures."




Chris said...

I believe that would be 10,000 contacts to sift through, not 1,000. Even more of a task for a very ambitious RSO!

Domani Spero said...

Thanks Chris for the correction, and indeed quite an ambitious undertaking in real life.

Melissa V said...

It’s Friday, and that means that the Weekly State Department Blog Roundup is up – and you’re on it!

Here is the link:

(If I quoted your text or used your photo(s) and you would rather I had not, please let me know. Please also be sure to check the link(s) that I put up to you, in order to verify that they work properly. If you would rather that I had not referenced you, and/or do not want me to reference you in the future, please also contact me.)