[ISN] Army Reports Brass, Not Bloggers, Breach Security

From: InfoSec News (alerts@private)
Date: Fri Aug 17 2007 - 01:02:39 PDT


http://www.wired.com/politics/onlinerights/news/2007/08/milbloggers

By Noah Shachtman   
Wired.com
08.17.07

For years, the military has been warning that soldiers' blogs could pose 
a security threat by leaking sensitive wartime information. But a series 
of online audits, conducted by the Army, suggests that official Defense 
Department websites post material that's far more potentially harmful 
than blogs do.

The audits, performed by the Army Web Risk Assessment Cell between 
January 2006 and January 2007, found at least 1,813 violations of 
operational security policy on 878 official military websites. In 
contrast, the 10-man, Manassas, Virginia, unit discovered 28 breaches, 
at most, on 594 individual blogs during the same period.

The results were obtained by the Electronic Frontier Foundation, after 
the digital rights group filed a lawsuit under the Freedom of 
Information Act.

"It's clear that official Army websites are the real security problem, 
not blogs," said EFF staff attorney Marcia Hofmann. "Bloggers, on the 
whole, have been very careful and conscientious. It's a pretty major 
disparity."

The findings stand in stark contrast to Army statements about the risks 
that blogs pose.

"Some soldiers continue to post sensitive information to internet 
websites and blogs," then-Army Chief of Staff Peter Schoomaker wrote in 
a 2005 memo. "Such OPSEC (operational security) violations needlessly 
place lives at risk." That same year, commanders in Iraq ordered (.pdf) 
troops to register their blogs "with the unit chain of command."

Originally formed in 2002 to police official Defense Department websites 
(.mil), the Army Web Risk Assessment Cell, or AWRAC, expanded its 
mission in 2005. A handful of military bloggers, including then-Spec. 
Colby Buzzell, were seen as providing too many details of firefights in 
Iraq. Buzzell, for one, was banned from patrols and confined to base 
after one such incident, and AWRAC began looking for others like him on 
blogs and .com sites.

But AWRAC hunted for more than overly vivid battle descriptions. It 
scoured pages for all kinds of information: personal data, like home 
addresses and Social Security numbers; restricted and classified 
documents; even pictures of weapons. When these violations were found, 
AWRAC contacted the webmaster or blog editor, and asked that they change 
their sites.

"Big Brother is not watching you, but 10 members of a Virginia National 
Guard unit might be," an official Army news story warned bloggers.

Within the Army, some worried that the blog-monitoring had compromised 
AWRAC's original goal.

"My suspicion ... is that the AWRAC's attention is being diverted by the 
new mission of reviewing all the Army blogs," reads an e-mail (.pdf) 
from the office of the Army Chief Information Officer obtained in EFF's 
FOIA lawsuit. "In the past they did a good job of detecting and 
correcting (website policy compliance) violations, but that is currently 
not the case."

On one blog, AWRAC found photos showing bomb damage to a Humvee; on 
another, a description of a mountain near a base in Afghanistan; on a 
third, a video about "morale concerning incoming mortar." AWRAC 
discovered a secret presentation on the official, unclassified Army 
Knowledge Online network. It found a map of an Army training center in 
Texas on a second .mil site. A "colonel's wife's maiden name" was caught 
on a third.

The documents unearthed by the EFF also show that AWRAC's investigations 
may have been meant to discourage any Army blogging -- not just correct 
security flaws. One soldier-blogger noted that "The DoD (Department of 
Defense) is cracking down ... and I wouldn't be able to continue 
blogging." AWRAC's internal response: "The word is getting out."

"I won't be blogging anything cool probably while we're here," another 
soldier wrote. "I remember really enjoying a few blogs at the beginning 
of the war, but they were pushing the limits a little bit on OPSEC and I 
don't plan to get anywhere near those limits." AWRAC's answer: "GO 
ARMY!"

The AWRAC monitoring is part of an ongoing struggle in the military over 
digital media. To some, these new forms of communications are security 
risks waiting to happen. Others welcome soldiers posting to blogs, 
online video sites and social networks as information warfare, combating 
a wave of Islamist propaganda online.

This spring, the Army released stringent new rules (.pdf) telling 
soldiers to stop posting to blogs without first clearing the content 
with a superior officer. "Personal websites of individual Soldiers (to 
include web logs or 'blogs') are a potentially significant 
vulnerability," Army Regulation 530-1 noted.

The guidelines' author, Major Ray Ceralde, cited the Pentagon's take-out 
pizza orders as an example of potentially damaging information that a 
blog might leak. Days later, the Army issued a "fact sheet" which seemed 
to back away from the rules -- without officially retracting them.

The overlapping guidelines created a climate of confusion for 
soldier-bloggers. Sgt. Edward Watson, a blogger currently deployed with 
the 82nd Airborne Division in Baghdad, was threatened by his company's 
commander for perceived transgressions of the blog policies.

"They wanted to give me an Article 15 (non-judicial punishment) for a 
regulation I was clueless about, and they never brief anyone about 
starting or running blogs," Sgt. Watson told Wired News in an e-mail. He 
was eventually allowed to keep his website -- after removing some of the 
more detailed entries.

Overall, the new documents reveal, AWRAC found few security breaches on 
soldiers' sites -- at most, 28 in more than a year. That's a fraction of 
the thousands of violations found on official sites.

(The precise number of breaches is unclear. In AWRAC's presentations, 
numbers contradict one another, or are transposed from one month to the 
next. For example, AWRAC came up at different points with five separate 
figures for the number of .mil pages scanned in September 2006. The 
documents show that the number of breaches may have been as high as 
4,052 on official military sites, and as low as 14 on blogs.)

To D.J. Elliott, a blogger and former intelligence officer, the 
statistics -- however uneven -- are proof that "the milblogs (military 
blogs) are policing their own far tighter than officialdom is."

"Most of the milblog(er)s are there or have people close to them there," 
he wrote in an e-mail to Wired News. "They maintain OPSEC because it is 
personal to them. Self-preservation. It is risking them and/or theirs."

Army spokesman Gordon Van Vleet seemed to agree with that assessment. 
One "factor that contributes to fewer violations being found on blogs is 
that in general the blogger is conscientious about their duty to not 
provide information that could be considered an OPSEC violation," he 
wrote. "Often these bloggers are stationed in the combat areas and they 
more than anyone understand the importance of security and the potential 
impact any OPSEC violations could have on themselves and their fellow 
Soldiers, Airmen and Marines."

