Operational Security Erodes in Social Media Age.

• Author: Kronisch, Zach
• Position: Policy Points

* In 2017, fitness-tracking application Strava released a map detailing all location data uploaded by app users, including U.S. service members stationed overseas. When visualized in the publicly available Strava "heat map" of user activity, this data revealed U.S. military base locations in Afghanistan.

By unwittingly disclosing this data, service members also revealed critical habit pattern information to potential attackers. Strava is not alone in collecting this sort of data. Many other networked personal devices and technologies, broadly referred to as the internet of things, or IoT, track and report on user habits.

Risks posed by social media and IoT are often neglected as Defense Department leaders focus on high-profile cyber-attacks such as NotPetya, the Office of Personnel Management data breach and attacks on major weapons systems.

And high-visibility cyberattacks continue to increase as determined hostile actors find new tactics and techniques to break through layers of security to steal sensitive data and impede U.S. operations. However, leaders must find the time and resources to focus on pervasive yet subtle cyber threats to operations security driven by high-risk use of social media platforms and the IoT. Continued lapses and penetrations demonstrate the insufficiency of existing guidance.

The Defense Department should modify or augment its social media guidelines and policies to minimize operations security breaches that could imperil current and future service members. Additionally, given the increasing use of contractors in operational environments, these guidelines should be provided to industry as a set of best practices for their employees.

The accelerating growth of social media and the IoT, characterized by increasing volume and speed of publicly shared information, presents significant consequences for operations security beyond the more well-known dangers of identity theft or other individual damages caused by personal data breaches.

For example, in 2017 a Marine Corps task force in Afghanistan opened a social media account to share updates on its reconstruction efforts. The account shut down a year later over well-founded operations security concerns. Specifically, the page operator uploaded a photo of one of the unit's local interpreters, even though showing the interpreter's face publicly could jeopardize the lives of both the interpreter and their family.

To compound the issue, Army Times ran a story featuring...