Marines can’t use Twitter or Facebook on duty, but soldiers and sailors can. For airmen, it depends on the base.
As for YouTube, the Air Force has created its own channel – which can’t be accessed from work computers.

A lot of people in favor of social media use (including yours truly) view it as an important communication and PR tool, providing some much needed openness and transparency in a time of record low recruitment and mistrust. It is also viewed as a weapon for the military to take back the narrative regarding the wars in Iraq and Afghanistan from the hype-driven media. The rate at which information can be gleaned from these media makes them effective early-warning systems on all manner of critical events – from earthquakes to civil war and revolutions. And don’t forget how incredibly useful it is as a tool for our troops to stay in contact with friends and loved ones. For a much better, insider take on how critical the use of social media is to our national security, read this extremely well-written article in the Federal Times.

I shared the story on twitter, along with my opinion that the ban was the wrong approach for the military to be taking. Brad Tumy challenged me to explain why I thought it was the wrong approach, and what I think they should be doing instead. I promised I would address his question in a blog post soon, so here goes.

Lets take a look at some of the main reasons given for banning social media.

1) Bandwidth Issues

The amount of bandwidth sucked up by YouTube, Facebook and the like puts a strain on limited DoD resources. But today, network tools that monitor bandwidth usage and throttle the traffic based on conditions are quite common. And using geolocation and device identification to cut off access on machines being used in the field (that use extremely limited satellite-based bandwidth) is technically possible (and as someone I met at Catalyst told me in a different context, is being done every day).

2) Spread of Malware

Highly publicized incidents like the Koobface worm spreading via Facebook have led some of the security experts to consider these sites to be tremendously dangerous to the integrity of the DoD networks. But the malware threat from social media is nothing compared to the attacks the DoD has to fend off on a daily basis via sanctioned channels, namely email and so called “good” websites. And the tools to protect against the malware attacks are well understood and widely deployed. Most folks learn pretty quickly to identify and ignore malware messages, no matter what the medium. And cloud-based social media sites will do a much better job of cutting an attack off at the knees than thousands of distributed email systems ever will.

3) Information Leakage

In providing their reason for banning social media, the Marine Corps said

the very nature of social networking sites creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage.

This is probably the most serious cause for concern, and one where IAM and Security technologies can play a crucial role. In many cases, the challenge here is similar to the one faced when dealing with any communication channel, whether it be email or ftp. Many enterprises rely on Security Information Management to protect their most sensitive resources – their data. A well established Identity Management infrastructure provides the first layer of protection by ensuring that only authorized individuals have access to sensitive information, and then providing a complete audit trail around the access of that data. This has been shown to have a deterrent effect in information protection, and can assist in tracing back the source of a data leak. DLP (Data Leakage Protection) tools provide data security by enabling data identification, classification, usage and wrapping controls around it all. Firewalls are getting increasingly sophisticated (take a look at Palo Alto Networks, which is getting traction with a content inspection engine that can “accurately identify applications … and scan content to stop threats and prevent data leakage“). The fact that Facebook and Twitter have APIs that allow the creation of custom clients means that users can be given access in a secure way through apps developed by the military. And there is commercial software out there that does much the same.

Now, the way I see it, the armed forces are facing the exact same dilemma that most enterprises are facing when considering how to tackle the use of social media in the workplace. The only difference is in the amplification of the potential consequences. Exploitation of the attack window that social media use creates could lead an enterprise to lose a lot of money, but in the case of the armed forces it could lead to serious loss of life. That does mean that while the issues are the same, the risks are vastly different. This would necessitate a completely different risk mitigation strategy. But does that mean that the solutions that can help would change too?

A blanket ban such as the one being discussed would lead you to believe that there exists no ability to handle what are essentially security and access control issues in the system, and that simply is not the case. I’m not saying that it is perfect, but a combination of tools, policies and guidelines can make it possible for social media to be leveraged by the military in ways that serves their (and our) national cause without harming their mission. And that would be to everyone’s benefit.

If you ever saw the movie “Breach” about how Robert Hanssen leaked national secrets by photocopying files and carrying them out in his bag, just think of how much more quickly he might have been caught if he had been sending those files over a social media connection. USB drives and email are far bigger threats (right now) than social media. and by being proactive, the military can turn these tools to their advantage. On the other hand, by not playing in one of the emerging technologies in the market, the US military risks becoming outdated, outmoded and outplayed by our adversaries.

Tags: Data Leakage Protection, DLP, Facebook, Firewall, Identity Management, Military, Oracle_IDM, Social Media, Social Networking, Twitter

TechCrunch blogged about Michael Arrington’s twitter account getting verified without appearing to be verified (no one contacted him). This Mashable post may explain how this happened:

…Twitter will look to see if an official channel of the person in question links to his or her Twitter account from a place like an official website.

This is a good model for verifying a channel -  to look at a known official channel to see if it (officially) links to the channel being verified. However, it doesn’t scale beyond the celebrity use case, because the vast majority of users (like me) do not have anything that Twitter will recognize as an official channel. And Twitter will never have the manpower necessary to run an in-person verification program. But is there a clue buried in how Twitter is approaching this to how we could potentially do this at scale?

An emerging discussion in the identity space has been the topic of reputation as the basis of trust (which is what verified accounts are ultimately about). In the Twitter model, the reputation of the account is enhanced 100% because of it being cited on a well-known, officially recognized website. I recently read a Wired article about a new system for ranking/rating scientists based on number of citations as opposed to publications. Twitter has multiple (similar) variables that could potentially be used to calculate the reputation of a twitter account – number of followers, number of retweets, number/nature/participants of conversations (replies).

If these could be used to calculate the reputation of a twitter account, then you could get to the point where you could calculate the trustworthiness of an account. And then the whole “log in with your twitter account” feature that for now is only getting used in blog commenting systems could take on a much more significant role in the identity metasystem.

Tags: Identity Proofing, Personal Identity Management, Reputation Management, Twitter, Twitter Verified Accounts

Twitter Search will also get a “reputation” ranking system soon, Jayaram told me. When you do a search on a “trending” topic–a topic that is so big it gets its own link in the Twitter.com sidebar–Twitter will take into account the reputation of the person who wrote each tweet and rank the search results in part based on that.

The article does mention that the engineering team at Twitter is still trying to figure out how to do this. But no more than a day later, Stan Schroeder of Mashable pointed out one of the key aspects to making reputation work – it has to be context-sensitive with respect to the identity of the source and their authority on the subject.

Thinking about it, it seems that this reputation ranking system is far more complex than a simple combination of factors such as followers and retweets. The system needs to be contextual; it needs to recognize which tweeple are important for a certain keyword or phrase. For example, tweets from the White House, Barack Obama and politicians aren’t that useful in the context of a Gmail outage, but they’re crucial during some political event.

In other words, the reputation engine (if it is to be done right) can’t just look at the number of followers, the number of retweets and hashtags. It also can’t rely purely on the 140 character biography that all the tweeples have posted on their twitter profiles. No, to really do this thing justice, Twitter (or some other company that could step in) would need to navigate the semantic, social and identity web in a way that builds up an accurate picture of a persons authority regarding a particular subject. And it is not just based on what we put out there, but even more so on what others put out there in response.

If this feels like somebody is about to start building a credit score of our online lives, it isn’t too far off the mark. The implications in the area of personal identity management and privacy could be huge!

This highlights a change we are seeing in the personal identity space. Since there are no secrets any more (as Bob Blakley is wont to remind us every now and then), relationships and reputation are likely to become the primary variables in the identity equation. The question therefore is, what tools do we need to manage and control our online identity in light of this new perspective on identity? Is it simply about having an OpenID and clean living? What tools do the social networks like Facebook and LinkedIn need to incorporate that give us control over not just what we put out there, but what others put out there about us? It’s a tough nut to crack, and should make for some interesting discussions at IIW next week. Maybe I’ll throw it up there on the board as a topic.

Tags: Personal Identity Management, Relationship Management, Reputation Management, Twitter, Twitter Search, User-Centric Identity