The Coast Guard has been a big user of Web 2.0. But its employees will never access Facebook, Twitter or any other social media tool through its network.
Coast Guard Commandant Adm. Thad Allen nonetheless recognizes the growing impact of these tools on his service’s mission. So Allen has asked his staff to figure out, in a matter of weeks, how to give employees secure access to these tools through the .com domain.
“The question I most often get at all hands meetings is ‘when can we access Facebook or other sites from their desktops?’” Allen says. “My answer is can’t, won’t and never will. But that doesn’t mean we can’t engage. We pretty much have to have a presence in another domain where we can interact.”
The Coast Guard will set up a stand-alone presence on the .com domain and hire up to three people to work on these social media issues, including policy, standards and security.
This security issue that the Coast Guard is trying to overcome is one many agencies are facing as well. The Defense Department, for instance, issued a memo asking for a review of how it uses social media, and will come up with a new policy by Sept. 30.
Linton Wells, a distinguished research professor and force transformation chairman at the National Defense University, says DoD should use Web 2.0 tools in three ways. It should:
have a secure enclave where it can use these tools, similar to what the intelligence community has done with Intellipedia and A-Space;
have outside connections, similar to what Allen hopes to set up;
figure out what its social media boundaries are and work within them.
Wells, Allen and others spoke Wednesday at a Web 2.0 conference in Washington sponsored by the Potomac Forum.
Along with what DoD is doing, the Chief Information Officer’s Council also is working on how best to meld Web 2.0 and cybersecurity.
Brian Burns, a deputy CIO for the Navy and the co-chairman of the network and infrastructure subcommittee of the council’s Identity Management and Security committee, says the Web 2.0 working group, led by Earl Crane, is trying to address this complicated issue.
Burns says the threat landscape of social media is similar to that of common attacks arriving by e-mail or the Web: phishing, malware and Trojans. But the risk tends to be higher because the tools bring together many more people.
“There are new techniques of spear phishing because of the circle of friends,” he says. “There also are Web application security concerns where hackers deploy keystroke loggers or hijack personal accounts and send out wrong information.”
Burns would not say whether the council’s work on Web 2.0 and security will end up as formal guidance or something else. But several sources say the Office of Management and Budget and the General Services Administration are working on Web 2.0 guidance, and the council’s work likely will be part of it or complement it.
Burns says many of the security practices for Web 2.0 are no different than any other technology.
He says education and training of employees is among the most important things agencies can do.
“Should federal employees have separate work and personal sites?” he asks. “How should they identify themselves online?”
The Coast Guard’s Allen says the issue of work versus personal came up when he first started using Facebook.
Allen says he ended up talking to lawyers and, because of specific federal rules such as the Sunshine Act, he ended up having two pages: a personal one for his friends and family, and a Coast Guard Commandant page for work.
Burns says agencies should consider whether white lists, or approved Web site lists, are necessary, and how federal IT security policy and regulations can be applied to these social media sites.
In March, GSA worked with several of the most popular Web 2.0 sites, including MySpace, Ning and Flickr, to develop a standard set of terms and conditions for agencies to use the sites.
But because security depends on how much risk each agency is willing to accept, those terms and conditions do not cover security.
Burns says the Web 2.0 working group is looking at network controls including Web content filtering, intrusion detection and prevention technologies and creating trust zones.
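The white lists Burns mentions above and the Web content filtering the working group is examining both come down to one decision: is the host a request is going to on the approved list? The example below is added here as an illustration and is not code from the Coast Guard, the Navy or the CIO Council. It assumes a constructed allowlist of a few social media domains and shows the check done correctly (parse the URL, compare on DNS label boundaries) next to the naive substring check that a first-cut filter often uses, which an attacker can slip past with a look-alike host or a `user@host` prefix.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; a real one would come from
# agency policy, e.g. the sites GSA negotiated terms of service with.
APPROVED_DOMAINS = {"facebook.com", "twitter.com", "flickr.com", "ning.com"}


def hostname_of(url: str) -> Optional[str]:
    """Return the canonical host of a URL, or None if it is not plain http(s).

    Using the URL parser (rather than string searching) means userinfo
    ('user@'), ports and paths cannot be used to smuggle an unapproved host
    past the check: 'https://www.facebook.com@evil.example/' has the host
    'evil.example', not 'www.facebook.com'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return None
    return host.rstrip(".")  # 'facebook.com.' is the same host as 'facebook.com'


def is_approved(url: str) -> bool:
    """Allow only hosts that are an approved domain or a subdomain of one.

    Matching on label boundaries means 'www.facebook.com' is allowed while
    'facebook.com.evil.example' and 'notfacebook.com' are denied.
    """
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def naive_is_approved(url: str) -> bool:
    """The substring check a first-cut filter often uses, shown for contrast.

    It passes any URL that merely contains an approved name somewhere.
    """
    return any(d in url for d in APPROVED_DOMAINS)


def filter_decisions(urls: List[str]) -> Dict[str, str]:
    """Map each requested URL to the proxy decision the allowlist produces."""
    return {u: ("ALLOW" if is_approved(u) else "DENY") for u in urls}


# Constructed sample of outbound requests a proxy might see; the hosts are
# invented for the example and do not refer to any real site.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/USCoastGuard",        # approved, subdomain
    "https://TWITTER.com:443/home",                 # approved, case and port
    "http://facebook.com.evil.example/login",       # look-alike host
    "https://www.facebook.com@evil.example/",       # userinfo trick
    "https://notfacebook.com/",                     # shares a suffix only
    "ftp://twitter.com/",                           # not a Web scheme
]


if __name__ == "__main__":
    for url, decision in filter_decisions(SAMPLE_REQUESTS).items():
        naive = "ALLOW" if naive_is_approved(url) else "DENY"
        print(f"{decision:5} (naive filter: {naive:5})  {url}")
```

Running the block shows the naive filter allowing both the look-alike host and the `user@host` request, which is exactly the "hijacked account sends out wrong information" path Burns describes: a link that looks like it goes to an approved site but lands somewhere else.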
“These trust zones are hosted in certain locations and the data may be segmented,” he says. “We need to go from a server with data set up to one where information is managed.”
Burns says agencies also should consider logical access control and other forms of protection at the desktop.
“A lot of time innovation occurs rapidly and security lags behind it,” Burns says. “There are a lot of efforts to bring the network operations together with social media. We have to figure out where to draw the boundaries and how best to create trust zones.”