January 15, 2015 | Commentary on National Security and Defense, Cyber Security

Why CENTCOM Was Cyber Stupid

On Monday, U.S. Central Command lost control of its Twitter and YouTube accounts. It serves as yet another reminder of irresponsible social networking practices by federal agencies. The Internet is used for everything from downloading Taylor Swift to waging war, yet Washington seems hopelessly inept at finding its way in the cyber world.

The Central Command (CENTCOM) is responsible for the operations of U.S. armed forces in about 20 countries across the Middle East and North Africa. It has managed our two most recent wars in the region, and today it is handling hot spots from Libya to Syria. It conducts vital national security business, and its social media presence should do the same.

A CENTCOM news release acknowledges that on Jan. 12, its “Twitter and YouTube sites were compromised for approximately 30 minutes.” Reuters and other press outlets were a bit more descriptive, reporting that the hackers who took over the accounts posted materials lauding ISIS. 

Cybersecurity experts rightfully note that these hacks don’t constitute serious cyberattacks. The hackers never gained access to government networks or classified information.

Further, platforms that run social networks like Facebook, YouTube, Instagram, and Twitter are always at risk of being abused. Government entities on these services share the same risks as the rest of us. To avoid being exploited online, users can take some steps—such as properly maintaining passwords. But it is the service-provider who establishes the basic practices and features that protect against abuse. Since social networking platforms are designed in part to invite the maximum number of people to participate and engage with one another, security will always be problematic. What happened to CENTCOM could happen to any account.

On the other hand, it is hard not to argue that CENTCOM seriously dropped the ball. While the hacking incident is not a big deal in any substantive sense, not everyone in the Middle East knows that. Consequently, the hack feeds the perception that ISIS “beat” CENTCOM, handing the terrorist group a major coup in InfoOps. In a part of the world where a reputation for power is honored, the embarrassing episode is a clear blow to the credibility of the command.

A federal agency’s social networking account is an official face of the U.S. government—no different from a press release or public spokesperson.  Consequently, those accounts should be held to the same standards of professionalism applied to any other official communication.

High standards are essential, because social networking carries genuine risks. Hackers often use “hot links” as a tool for getting innocent users to download malicious software that can infect their entire computer network.  Often hackers pose as legitimate entities on social networks or create phony websites or emails that look perfectly legitimate, hoping users won’t think twice about clicking on a link.  The hijackers of the CENTCOM site might well have tried that.

But aside from exposing a vulnerability to cyber risks and dealing CENTCOM a small setback in the war of ideas, this week’s hack raises a deeper concern about how our government operates online: Does it really know what it is doing?

The most important element of governance is credibility, and maintaining credibility on social networks is no easy task. In 2010, for example, the Twitter account of a high ranking Indonesian disaster security manager was hacked and flooded with fake messages. One, a bogus Tsunami warning, sent many citizens scrambling for the hills.  Afterwards, the government struggled to figure out how to reestablish the credibility of their Tsunami early-warning alerts using social media—a dilemma that could have put real lives at risk.

Too many federal agencies treat social networks as electronic bulletin boards—a practice that opens them up to all the vulnerabilities of online activities without gaining any of the advantages of using social media.

More than a few government agencies are cyber stupid.  When the White House rolled out its vaunted social media platform in 2009, Washington Post columnist Jose Antonio Vargas at the gave the site a barely passing grade of C+.

The CIA raised eyebrows when it first opened up its Twitter account with a series of juvenile, supposedly edgy posts that had no apparent purpose other than to make the spy agency sound hip.  Sample: "No, we don’t know where Tupac is." Is that really a wise use of federal resources and the agency’s reputation?

When Russia ripped off a piece of Ukraine, the most the State Department could muster was a little hashtag diplomacy with  #UnitedForUkraine, a pretty meager response to say the least.

U.S. federal agencies should be held to a higher standard than your neighbor who likes to post pictures of tap-dancing cats on Facebook. When a U.S. government agency talks online, it should be with a purpose. As with other forms of federal communications, its social media activity should be credible, understandable, meaningful, and legitimate.

At the very least, federal agencies should be constantly monitoring their social media sites and intervening immediately whenever malicious activity is attempted.

Social networks are a powerful instrument of modern communication. Government certainly should make use of it, but it should use the technology responsibly and effectively—and it should have a plan for fending off the most predictable and damaging attacks they are likely to encounter online.

 - A Heritage Foundation Vice President, James Jay Carafano oversees the think tank’s national security and foreign policy research program.

About the Author

James Jay Carafano, Ph.D. Vice President for the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, and the E. W. Richardson Fellow

Originally appeared in The National Interest