Loose lips sink ships.
That’s what WWII propaganda posters in the US warned in an effort to keep people from unguarded talk about secure information that might be of use to the enemy.
The modern version, published by the US Air Force on Friday, holds a very similar sentiment – loose tweets destroy fleets.
Keeping quiet about operational information is “vital to ensure military members stay safe on a daily basis,” according to the advisory, which was datelined Al Udeid Air Base, in Qatar.
This digital update for operation security (OPSEC) is timely. Cyber intruders affiliated with the Islamic State in the Levant (ISIL), also known as the Islamic State of Iraq and al-Shams (ISIS), have proved adept at prying open vulnerabilities.
For example, the FBI warned in April that affiliates to such terrorist groups had begun defacing WordPress-based sites, making it imperative to keep the publishing platform updated.
Twitter, for its part, recently shut down 10,000 ISIS-linked accounts in just one day.
So while social media can be a useful tool to be entertained or to stay connected to friends and family – particularly when they’re serving overseas – the Air Force has stressed that there’s “a fine line between letting your friends see what you’re up to and providing an adversary with critical information about your connection to the military and its mission.”
The release quotes Capt. Jonathan McDonald, US Air Forces Central Command Force Protection chief:
As social media keeps evolving, there are more and more avenues to let your friends and family know what you are up to. Those same avenues can be used by ISIS sympathizers -‘lone wolves’ - to track down and hurt our military members outside the safety of the base.
So not only is it important to not post vital mission related information, but it’s also important to not post detailed personal information to keep yourself and your loved ones safe.
Senior Airman Anthony Bolton, 609th Air Operations Center OPSEC manager, said that the best way to keep OPSEC is to look over the Air Force’s Critical Information List (CIL) and be sure to protect the information within and destroy it accordingly.
The Air Force defines critical information as “information about friendly activities, intentions, capabilities or limitations that an adversary needs in order to gain a military, political, diplomatic, or technological advantage”.
If released to an adversary, CIL could thwart or compromise a mission, lead to resources being damaged, or even contribute to troops getting killed, the Air Force says.
Its CIL includes, things like specific locations of facilities and key personnel and their activities – as well as specific mission itineraries, objectives, and status.
The list also includes the same types of digital information that we all want to keep out of intruders’ hands, such as passwords and user IDs.
The military also doesn’t want adversaries to have intimate knowledge of its computer networks, including line speed, IP addresses, connection points, or network connectivity diagrams on either classified or unclassified systems.
One thing the list doesn’t include but probably should: automatic geotagging applied to photos by mobile phones.
Geotagging’s risk to OPSEC was exemplified in 2007, when a fleet of US Army helicopters flew into a base in Iraq.
Soldiers took pictures on the flight and then uploaded them to the internet.
Based on the photos’ geotags, the enemy determined the exact location of the helicopters inside the compound and launched a mortar attack that destroyed four AH-64 Apaches.
The Army subsequently posed this question: “Is a badge on Foursquare worth your life?”
The Air Force has a number of recommendations to keep OPSEC, and it’s good advice for any of us who care about digital security.
We added a few more tips to the list:
- Check security settings on your social media accounts to make sure that just your friends are able to see what you post. It also pays to be smart about what you post and share – if you don’t want a potential sextortionist, SWATter or terrorist to see it, rethink posting it.
- Go secure whenever possible, whether by using a secure phone line, encrypting email or making sure to shred paper that includes sensitive information.
- Consider carefully whether you want to share your location, and with whom. Bear in mind that most geotagging-enabled applications allow users to limit who can see their check-ins to friends or friends of friends. It’s wise to take advantage of that security feature.
- Consider disabling the geotagging feature on your phone.
- Be careful about who you let into your social media circle.
- Note that even if there’s nothing classified about an individual’s location, a series of locations posted online over the course of a month can create a pattern that criminals can use.
Image of ‘Loose tweets destroy fleets‘ courtesy of Staff Sgt. Emerson Nuñez