Agencies don't need to avoid social media, experts say, but they need to prepare for possible attacks.
The mid-January attack on social media accounts operated by the U.S. military’s Central Command (CentCom) in Florida shouldn't stop government agencies from using popular social networks, experts say. But the incident is a warning that agencies need to prepare for similar threats.
The CentCom accounts appear to have been hacked by ISIL sympathizers. The cyberattack began at around 12.30 p.m. on Monday, Jan. 12, when a message was posted to CentCom’s Twitter account reading, ‘In the name of Allah, the Most Gracious, the Most Merciful, the CyberCaliphate continues its CyberJihad.’ Additional ominous messages followed, some of which read ‘American soldiers, we are coming, watch your back’ while another threatened, ‘We won't stop! We know everything about you, your wives and children.’
The Twitter hack also posted the names, telephone numbers and home addresses of four-star U.S. generals
Forty minutes after being compromised, the CentCom Twitter account and the organization's YouTube account were suspended. Two U.S. defense officials, speaking on condition of anonymity, told news outlets that while the cybercriminals claimed to have breached CentCom’s internal network, the hacking did not appear to be a security threat. Much of the documented proof the hackers offered appeared to be freely available via the Internet.
But given that CentCom handles extremely sensitive information around American military operations in the Middle East and Central Asia, the attack still raise the questions, will government social media accounts be the next target for cyberattacks? And if so, is government prepared?
Attacks on social media accounts, regardless of organization type, are nothing new. And the potential for damage has already been proven. Take for example the 2013 hack of the Associated Press Twitter account, which resulted in a bogus tweet claiming a bombing at the White House, triggering a stock market crash.
“That was perhaps the first time we saw the power of social media influence our critical infrastructure,” said Will Pelgrin, president and CEO for the Center for Internet Security. “The incident highlighted just how connected our world is, and how easily a single incident can have immediate and severe consequences. Malicious actors will look to exploit vulnerabilities wherever they can find them, and social media provides a very broad and visible platform.”
So what does the CentCom attack mean in terms of government social media accounts? Will government now shy away from the use of social media accounts because it lacks the control needed to protect them?
“The message this sends is that official accounts on non-official platforms are highly vulnerable,” said Lance Cottrell, a privacy expert and chief scientist at Ntrepid, a Virginia-based cybersecurity firm.
“Social media attacks are an interesting offshoot of cyberattacks on government in that the attacker is going after a third-party provider rather than the government’s own resources,” said Bill Greeves, CIO of Wake County, N.C. “So, to a degree, the governments are not in complete control of their defenses and as such, these kinds of attacks could very well negatively impact the use of social media in government.”
Robert Capps, senior director of customer success at security analytics company RedSeal, said that attacks on social media accounts don't generally indicate a significant security issue within the attacked organization.
Social Media and Cyberattacks: What Can Governments Do?
1. Maintain close contact with social media companies to understand their technology defenses (and limitations).
2. Maintain a strong, reliable contact point within the social media organization to speed the mitigation process if something does happen.
7. Ensure that members of your IT staff are aware of your social media activities and keep the lines of communication with them open.
“Attacks on the social media presence of an organization are intended to embarrass the targeted group and make headlines, but they are far less impactful than an intrusion into the organization’s internal network,” he said. “More troubling is the possibility of a network infiltration. The cybercriminals who perpetrated this attack are claiming that they have or had access to one or more CentCom networks. If true, it would illustrate the fact that no one is immune to cyberattack and resulting network intrusions, and that we have a lot of work ahead of us as a nation to harden our cyberdefenses against attack.”
Although high-visibility attacks on social network sites may cause government entities to be more wary of using such platforms, most don’t believe that’s enough to cause them to cease the use of social media altogether.
“I don’t think we should stop using social media per se, but we do need to understand the risks and have appropriate strategies in place,” said Pelgrin. “While there is no way to completely eliminate risk, we can implement layers of defense to minimize our exposure.”
“I don't think at this point we can go backward and not use it,” agreed Craig Younger, public information officer of Chandler, Ariz., who recently began overseeing the city’s digital/social media. “I think one of the things we have to do is make sure our city leaders understand that this can happen and that we need to take precautions. It’s easy for us sometimes to not take social media as seriously as we should.”
President Barack Obama is preparing new proposals to protect the United States from cybersecurity threats. But in the meantime, what can government entities do to protect themselves from potential attacks on their social media accounts?
“Government should be in close contact with the social media companies to understand their technology defenses (and their limitations),” suggested Greeves. “They should also have a strong, reliable contact point to speed the mitigation process if something does happen.”
Pelgrin said organizations need a policy in place regarding social media use and should provide employee training on the policy in addition to periodic awareness training about social media risks. Further, any computer used to connect to social media and the Internet needs proper security measures in place, including up-to-date anti-virus software as well as updated applications and operating systems.
“Set the configuration to ‘auto update’ so patches can be applied automatically,” he said.
Pelgrin also recommended that jurisdictions consider implementing two-factor authentication (2FA), and if more than one individual is responsible for posting to the social media sites, set 2FA as a group account, with authorized individuals able to post to the group.
“Always use strong passwords, and don't reuse passwords across multiple sites,” said Capps. “And make sure you keep your computer operating systems and security software updated with the latest updates.”
In Chandler, Younger said the city strives to make sure it's following best practices and that staff members are adhering to social media procedures and policies.
“Hopefully that will protect us enough,” he said. “Then we just have to be on our toes and if something happens, have a plan in place to respond quickly.”
Younger added that the city involves IT staff in social media activities as well.
“There can sometimes be a disconnect between people running the social media and the people with the technical expertise or at least a basic knowledge of IT security issues,” he said. “Our IT people might be able to provide us with some insight, or some guidelines on what we should do. We need to keep the communication open so that if they have concerns about what we're doing through social media, we can be aware of what their concerns are and can take steps to make sure we’re being cautious.”
And if the worst does happen?
“If our account is hacked and messages go out that are potentially embarrassing for the city," he said, "we have to acknowledge that and try to move on and re-establish trust from the public."